The following is an excerpt from an article published in FierceHealthIT's eBook "Privacy & Security Audits: How to Prepare and Ensure Compliance." Download the eBook to read more.
By Annette M. Boyle and Brenda L. Mooney
New risks have upped the ante for HIPAA security and privacy officers and increased fines have many on edge. Particularly in the aftermath of the Community Health Systems (CHS) breach, which put 4.5 million patient records at risk across 29 states and 206 hospitals, last year's risk assessments look woefully inadequate for many healthcare systems and practices. What's worrying privacy and security officers this year?
Several issues stand out, including:
1. International Crime Rings: In late August, the Federal Bureau of Investigation alerted healthcare providers that criminal hackers throughout the world were targeting the U.S. healthcare system, according to Steve Gravely, healthcare practice leader at international law firm Troutman Sanders, based in Richmond, Virginia.
"The threat environment has materially changed in the last six months. No one's system is hack-proof and a lot of hospitals haven't done tabletop exercises to practice their response and crisis communication in case of a large scale data breach, mainly because the risk was so low before."
Nancy Davis, system director of privacy for Ministry Health Care in Milwaukee, agrees that most healthcare systems would be caught flat-footed if hacked by a sophisticated criminal ring. "All the things that a privacy officer would do would not typically include the technical security safeguards like contracting for firewalls. No sooner do you develop safeguards than there are organizations with unlimited resources that can develop ways to crack them."
The costs of major breaches are daunting, too. "In the absolute best case, it costs at least $1 per person to remediate, though some estimates for remediation of the CHS breach exceed $75 million. Credit card monitoring wouldn't be enough. This kind of breach has repercussions far beyond what the average patient can manage," Davis says.
Credit card monitoring has little value when criminal elements have all of the information needed for identity theft—name, address, birthdate, telephone and Social Security numbers. Breached organizations would be on the hook for a sizable fine from the Department of Health and Human Services' Office of Civil Rights, lawsuits and settlements, improved security costs and identity theft protection for affected patients.
2. Meaningful Use Regulations: Organizations that have taken federal Meaningful Use payments also take on greater risk. The Centers for Medicare & Medicaid Services (CMS) "is not kidding around when auditing for Meaningful Use," says Judi Hofman, privacy and security officer at St. Charles Health System, a four-hospital network in central Oregon.
"They will ask for the most current documentation for attestation, and if you're not documenting progress, you'll be at risk of having to return the Meaningful Use dollars, which could be $1 million, $5 million or more," she says. "People forget that funding for Meaningful Use is tied to their HIPAA risk assessment."
3. The Cloud: Increasing use of cloud storage creates new risks, too, notes Gravely. "Hackers have successfully penetrated systems in some cases with inside help. Not necessarily people on the hospital staff but perhaps a cloud provider or data host employee. Those people don't have loyalty to your hospital, so it's a totally different dynamic."
Even the best firewall and encryption will not protect a healthcare organization from attack by an insider or third party with authorized access or the ability to circumvent security measures.
To read the rest of this and other articles, download FierceHealthIT's free eBook, "Privacy & Security Audits: How to Prepare and Ensure Compliance."