The latest report from the Ponemon Institute contains a warning for HIPAA-covered entities; those who do not prepare for cybersecurity attacks are likely to regret the decision. Nine out of ten hospitals have suffered either an intrusion or a data breach in the past 24 months and worse still, the number of data breaches is likely to increase over the coming year.
The move from paper based record systems to EHRs has improved efficiency and productivity; however, with that move comes an elevated risk of data being compromised. Medical records can be copied by anyone given access to an EHR, data can be intercepted during transit and laptops and portable devices are frequently lost or stolen, exposing stored data.
Add to that a constantly evolving threat landscape, hackers targeting healthcare providers for the data they hold, and ever more sophisticated malware being released, and the chance of a data breach being suffered increases to nearly 100%.
Hospitals Must Prepare for Cybersecurity Attacks
Research shows that when it comes to emergency responses, the healthcare industry excels. New healthcare threats, diseases and natural disasters are well prepared for. If systems go down, data access can be maintained and data restored from backups.
The industry is well prepared to deal with virtually any medical or health emergency that is likely to occur; but the industry is not particularly well prepared to deal with hackers and malicious insiders.
The Federal Emergency Management Agency’s 2012 National Preparedness Report suggests healthcare providers are simply not ready to deal with a cybersecurity attack, even though many have already been hit with a data breach in the past.
Key Findings of the FEMA Data Breach Preparedness Study
- Cybersecurity was the “single core capability where states had made the least amount of overall progress.”
- Just 42 percent of state officials said they were adequately prepared for a data breach
- Almost 2/3 of U.S companies reported suffering cyberattacks during the last six years and
- Between 2006 and 2010 the number of reported U.S cyberattacks increased by 650%
HIPAA Non-Compliance Carries Stiff Penalties
The Health Insurance Portability and Accountability Act (HIPAA) places a number of requirements on healthcare providers, health plans, healthcare clearinghouses, and Business Associates of HIPAA-covered entities to keep patient health data secure.
The Department of Health and Human Services’ Office for Civil Rights (OCR) is the enforcer of HIPAA Rules. When a data breach is suffered by a HIPAA covered entity, it must be reported to the OCR. The agency’s staff investigate all data breaches to determine if they could have been prevented, and whether HIPAA Rules have been violated.
Should this be the case, the penalty for non-compliance can be severe. A fine of up to $1.5 million can be issued and that figure is then multiplied by the number of years that the violation (or security risk) was allowed to persist. Those figures apply to each category of HIPAA violation discovered.
However, fines are only part of the data breach cost. Damage mitigation, breach notifications, and civil claims for damages can see the cost of a data breach run into the tens of millions.
How to Prepare for Cybersecurity Attacks
Networks can be protected against cyberattacks, as can the devices used to connect to those networks; however the perimeter will be breached eventually, so it is essential that other controls are put in place to keep PHI secure. Data encryption being one of the wisest choices.
HIPAA rules do cover data encryption but fall short of making it a requirement. HIPAA-covered entities must address the issue of data encryption, but implementation is left to the discretion of the covered entity.
Data encryption may not be necessary if an organization has a closed network, or if other protections are in place which offer a similar level of protection. It is not a HIPAA violation to elect not to use data encryption tools to protect PHI, but failing to document the reason for not using the safeguard would be.
Should OCR auditors decide to investigate a covered entity, they will need to see documented proof that the issue of data encryption has been discussed, as well as the reasons for not encrypting. All of this information must be documented.
Very few healthcare providers now operate closed networks, so while encryption is not mandatory, it would be difficult to justify to auditors why the measure was not needed especially after a breach has been suffered.
To reduce the cost, many hospitals and healthcare providers choose partial data encryption; using tools for all portable devices used to store PHI, and also for any data in motion.
Data Encryption Standards
Data encryption should not be viewed as a foolproof way of avoiding data breaches, just as a safeguard to reduce the risk of data exposure. Data can still be compromised if security keys are disclosed, and not all encryption tools offer the same level of protection – it depends on the strength of the encryption and decryption algorithms.
The Department of Health and Human Services recommends using data encryption tools which meet the Federal Information Process Standard (FIPS) 140-2 encryption standard. Many older systems are still being used, but these will not necessarily offer a sufficient level of protection. In a few years’ time, it is likely they will need to be replaced. FIPS 140-2 encryption on the other hand is likely to be sufficient to ensure compliance for many years to come; certainly for the next decade or so.
Preparing for the Worst
Numerous protections can be put in place to keep data secure, although breaches are still likely to be suffered, even if full FIPS 140-2 encryption is used. Employees must be given access to patient data, which means they must be given security keys to decrypt it. This gives malicious insiders an opportunity to access, view and copy PHI. Security keys may also be exposed in a data breach, rendering the protection useless.
It is therefore essential that a tried and tested data breach response plan can be put into place quickly. This will limit the damage caused to the covered entity and patients.