Healthcare IT Security Is Difficult, But Not Impossible
Data breaches threaten healthcare organizations from all angles -- from hackers, thieves and forgetful employees -- and touch all facets of IT infrastructure. Updated HIPAA rules make organizations responsible for the actions of their business associates, too. Healthcare IT security is a daunting task, but with a little planning, it's not an impossible one.
Thu, September 19, 2013
On the one hand, the rule — published in January 2013 and effective March 26 — effectively brings HIPAA (enacted in 1996) into the 21st century and finalizes the new security and privacy safeguards required by the HITECH Act of 2009.
On the other hand, hardly a day goes by without a report of a (largely preventable) patient data breach from a hospital, contractor or other organization handling sensitive personal health information.
Why does healthcare struggle so much with data security? And what will it take for the industry to turn the corner?
Small Practices Especially Susceptible to Breaches
Since the fall of 2009, the U.S. Department of Health & Human Services (HHS) has, per the HITECH Act, published a list of data breaches affecting 500 or more patients. As of mid-September 2013, about 660 breaches had been reported.
A healthcare data breach analysis published by the Health Information Trust Alliance (HITRUST) at the end of last year notes that data theft outnumbers all other causes of data breaches combined — loss, unauthorized data access or disclosure, incorrect mailing, improper record disposal and hacking. Since 2009, hospitals and health insurers have reported fewer breaches, which suggests that they are getting better at preventing data loss, but academic institutions and especially physician practices struggle to address the issue, HITRUST says.
Small, independent practices typically lack the expertise and resources to handle their own security. What further complicates the matter, HITRUST points out, is the additional need to ensure that HIPAA business associates — those consultants, contractors, cloud service providers and other entities that handle a practice's patient data — also comply with privacy and security rules.
"Where we believe many organizations falter is not identifying and restricting access to what is actually required at a data, application and network level," HITRUST says. "This leads to information leakage and, ultimately, high-profile breaches when they do occur."
Take HIPAA Security Risk Analysis Seriously
It's for this reason that the federal meaningful use incentive program and the HIPAA Security Rule require healthcare organizations to conduct a risk analysis that examines the "confidentiality, integrity, and availability of electronic protected health information" (ePHI) that the organization holds. (Having such an agreement in place also tends to lessen the severity of the penalties levied by the HHS Office for Civil Rights if a breach does occur.)