When it comes to HIPAA, one security expert says most healthcare organizations incorrectly assume they're doing enough to secure PHI.
At the heart of HIPAA is information protection and the attempt to curtail security breaches. However, what top-level stakeholders believe is taking place to meet HIPAA requirements and what actually happens on the ground are two very different things.
“There is a huge communication gap, and that’s why we are missing so much data in healthcare,” said Brand Barney, a security analyst at Orem, Utah-based SecurityMetrics, who spoke at the annual Healthcare Information and Management Systems Society (HIMSS) conference, held this year in Las Vegas on March 1, 2016.
The stakes for ensuring HIPAA compliance are high: Healthcare practices need to remember that both the "Privacy Rule" and the "Security Rule" are federal regulations with the force of law, and that violations carry civil and criminal penalties. Moreover, 54 percent of patients say they would switch providers after a data breach. While many healthcare organizations believe they are doing well in HIPAA security, Barney said that most have vulnerabilities in their security they don't even realize.
In fact, criminal attacks in the healthcare industry have risen 125 percent since 2010, according to a survey from the Ponemon Institute. The 2015 KPMG Healthcare Cybersecurity Survey noted that 80 percent of healthcare IT leaders say their systems have been compromised.
Barney said many organizations have firewalls and believe that is sufficient for protection, but a firewall is only one layer of security, and those firewalls need to be updated and their rules reviewed frequently to function as designed. Additionally, many healthcare organizations (and people within those organizations) dismiss HIPAA, thinking it doesn't apply to them because they aren't directly involved with protected health information (PHI), but this is a mistake. "HIPAA applies to just about everyone and anyone who might potentially have access to PHI," Barney said. This includes anyone who has access to shared folders or cloud storage that may house patient data, whether or not their job involves patient records.
A number of organizations invest in sophisticated technology to meet HIPAA requirements, but Barney said technology isn't even the most vulnerable area. "We spend a lot of money on really awesome products, but the weakest link is always people," he said. Janitorial staff, for example, are given keys to everything, have minimal training in data protection, and are often hired by a third party, a combination that is an open invitation for a data breach. "We look at the technical pieces, but I can't tell you how many times people literally pick up data and walk out the door."
To strengthen data security, Barney said some organizations may benefit from hiring an outside security consultant to help identify and prioritize gaps, and from working data protection into their budgets. Then they should begin tackling the areas that are most critical. He did caution, "Every environment is different," and there is no one-size-fits-all solution.
Barney also noted that employee training is essential. “Their parts might be totally different, but if they are involved in the PHI flow, they need training,” Barney said. This could be as simple as a monthly email with tips and reminders.
Additionally, organization executives should take the time to observe the PHI flow and interview all staff about how and where data is received, stored and shared. There may be a gap between how they think the process works and how it actually functions. On the technical side, organizations can strengthen security by eliminating unencrypted PHI, both at rest and in transit, and by requiring everyone to have their own sign-in credentials to view patient information rather than sharing accounts, which also makes access logs attributable to an individual. Physical security should also be addressed with a visitor/maintenance log, controls that limit physical access to sensitive areas, and a way to distinguish visitors from on-site personnel.
“Executives think one thing is going on, IT is doing something different and the frontline is doing something else,” Barney said.