Brookings Offers Breach Prevention Advice to OCR and Healthcare Organizations

A recent report issued by the Brookings Institution delves into the problems faced by the healthcare industry now that so much patient data is being collected, stored, and transmitted by healthcare institutions.

In its report, Brookings offers advice to healthcare organizations and the Department of Health and Human Services’ Office for Civil Rights (OCR) about how patient privacy can be better protected, and strategies that can be adopted to prevent data breaches.

23% of All Data Breaches Affect the Healthcare Industry

Over the past two years, the number of breaches suffered by healthcare organizations has increased significantly. 23% of all data breaches now affect the healthcare industry. Since OCR started publishing details of data breaches reported by healthcare organizations six years ago, almost 1,500 separate data breaches have occurred. Those breaches have exposed the healthcare data of over 155 million Americans.

To investigate the problem, the Brookings Institution conducted a study to find out more about why healthcare data breaches are occurring with such regularity, whether any lessons have been learned from those breaches, and what can be done to better protect patient privacy and prevent healthcare data breaches from occurring.

For the study, Brookings conducted interviews with personnel from a range of healthcare organizations including healthcare providers, health plans, and business associates of HIPAA-covered entities. Each organization that took part in the study had experienced at least one breach of healthcare data in the past.

Healthcare Industry “Uniquely Vulnerable” to Cyberattacks

The interviews highlighted a number of common themes and revealed that the healthcare industry is “uniquely vulnerable” to cyberattacks and privacy breaches.

The healthcare industry stores large volumes of highly valuable data, which has attracted the interest of hackers. Health records can be used for a multitude of fraud and can be easily sold at a premium price on the black market. Healthcare data is now far more valuable than data stored by organizations in other industries.

Healthcare organizations record data that can be accessed by a wide range of personnel, and those data are subsequently shared with many business associates. The more individuals that have access to data, the greater the risk of patient privacy being violated.

Healthcare organizations often outsource a wide range of healthcare operations, so data is stored locally and with EHR vendors and cloud service providers, and is provided to insurance companies, transcription service providers, billing companies, collection agencies, and other healthcare providers. With so much data being stored and shared, and the complexity of the systems used to record and share data, the potential for privacy violations is considerable.

Healthcare organizations have been incentivized to make the transition from paper-based records to electronic formats, yet many are ill-prepared to protect electronic records. Data must also be kept for many years, meaning huge volumes of data are now stored. Together with poor investment in cybersecurity defenses, it is no surprise that the healthcare industry is such a big target for attackers and that so many data breaches are occurring.

Challenges Faced by the Healthcare Industry

Brookings identified a number of challenges faced by the healthcare industry which are outside of the control of healthcare organizations. These issues are hampering the efforts of healthcare organizations to safeguard data and protect the privacy of patients.

The Health Insurance Portability and Accountability Act was first written in 1996, and technology has advanced considerably in the past 20 years. Updates to regulations have been made, yet HIPAA is vague when it comes to how data should be protected. Technology is advancing far faster than legislation can be introduced, but Brookings suggests that the lack of specifics means the legislation “falls short of addressing modern cybersecurity challenges.”

The use of medical devices has increased significantly, yet instead of manufacturers incorporating the necessary security controls to ensure their devices comply with HIPAA Rules and keep data secure, the responsibility is being passed on to healthcare organizations.

Brookings also points out that OCR appears to be primarily concerned with punishing healthcare organizations that experience data breaches or otherwise violate the privacy of patients. This punitive approach discourages healthcare organizations from sharing details of data breaches with peers, when doing so would help other organizations to implement better controls to protect patient data.

What Can Be Done to Prevent More Data Breaches?

The Brookings report criticizes OCR for holding back valuable data that could be beneficial to other healthcare organizations and could assist them with their privacy protections. When OCR conducts an audit, detailed findings are not published. If further information were provided on how the data breaches occurred, healthcare organizations could use that information to ensure their own systems were better protected from attack.

Brookings suggests that OCR should “prevent more than it punishes,” and should be more transparent about the findings of HIPAA audits. It was also suggested that more random audits of HIPAA-covered entities be conducted. These would arguably be more beneficial than reactive audits that take place after a breach has occurred. Proactive audits could be used as a way of preventing data breaches from occurring.

Brookings suggests that establishing a universal HIPAA certification system would help in this regard. Certified agencies could then conduct preventative audits and ensure HIPAA standards are being met.

Healthcare organizations can also take action to better protect patient privacy. Brookings suggests that greater investment is needed in security technologies, that details of data breaches should be shared more widely with other healthcare organizations, and that cybersecurity insurance should be embraced.

The Brookings Report – Hackers, phishers, and disappearing thumb drives: Lessons learned from major health care data breaches can be viewed on this link.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.