Pros and Cons of Potential 'Wall of Shame' ChangesHHS Reportedly Considering Revamping Breach Reporting Website
Is it time for the Department of Health and Human Services to change the so-called "wall of shame" website used to report large health data breaches as mandated under the HITECH Act? And if so, what should be changed?
During an exchange at a June 8 House subcommittee hearing examining cybersecurity challenges in healthcare, Leo Scanlon, HHS deputy chief information security officer told Rep. Michael Burgess, R-Texas, that HHS Secretary Tom Price is re-evaluating the HHS breach reporting website. The congressman had criticized the breach tally during an April subcommittee hearing, arguing the website was unnecessarily punitive.
"We heard you loud and clear at that hearing and we took that matter back to the secretary," Scanlon said, adding that any changes to the breach website could be addressed by HHS. "[Price] has taken it very seriously and is working on an effort to address the concerns you raised," Scanlon told Burgess, who responded: "We are victimizing the victims."
But many privacy and security experts are not convinced that the website should be dramatically altered. Some suggest tweaks, such as limiting the length of time breaches are listed. Others like the site as it is, saying it provides valuable insights into security mistakes other healthcare entities should avoid.
HITECH Act Mandates
While HHS has periodically refreshed the website with minor tweaks, the site for nearly six years has listed all large breaches reported by covered entities, including whether the incidents involved a business associate, the nature of the incident - such as theft of hacking - and the "location" of impacted protected health information - such as in electronic medical records or on a mobile device.
The website also includes brief summaries of the breach cases that OCR has investigated and closed.
Congressional action would be required to do away with the website all together. However, concern from the healthcare sector, as well as some members of Congress, about the website and the supposed stigma it creates for covered entities that report breaches - including incidents involving ransomware that might often get resolved without paying a ransom to extortionists - is prompting HHS to rethink what's getting posted on the site, and for how long, according to FierceHealthcare.
OCR did not immediately respond to Information Security Media Group's request for comment on possible changes under consideration for the breach portal.
Wall of Shame Pros and Cons
As of June 15, the website listed 1,954 major breaches affecting a total of 173.6 million individuals.
For journalists as well as security researchers, legal experts and other healthcare industry watchers, the website has been a source for tracking breach trends and identifying newsworthy incidents that merit closer inspection.
But the website for some entities reporting breaches has been a lingering source of embarrassment.
"I am not a big fan of it, but it's been there for a while as a result of the law," says privacy attorney Kirk Nahra of the law firm Wiley Rein.
"While there certainly are situations where then posting isn't 'fair' - either because there wasn't a fault situation or the breach actually involved a BA or someone else - there's also not a lot of information that really could prove particularly damaging," he notes.
Among changes that HHS could potentially make that wouldn't necessarily require action by Congress is putting limits on how long reported breaches are listed. Currently, breaches remain on the tally permanently once HHS confirms details of reports from covered entities, even if cases have been investigated and closed by OCR.
Section 13402(e)(4) of the HITECH Act mandates that HHS make available to the public on its internet website a list that identifies each covered entity that reported a breach of unsecured PHI, notes privacy attorney David Holtzman, a former OCR senior adviser who's vice president of compliance at security consulting firm CynergisTek.
Holtzman argues it's reasonable to remove breaches from the list after six years. "This aligns with the document retention period set in the HIPAA rules for a covered entity or business associate to maintain records of its compliance with the health information privacy and security standards. "
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine - also a former OCR senior adviser - says he too is in favor of time limits for breaches listed on the website.
"I would like to see HHS limit the amount of time that entities are listed by name on the website," he says. "I agree that remaining up on the website indefinitely further discourages reporting breaches, and creates ongoing reputational harm to organizations that may have invested heavily in improving privacy and security following a reported breach."
But implementing time limits doesn't necessarily mean watering down the information that's posted, Greene says.
"I would like HHS to maintain the information of older breaches in a somewhat anonymized format, including the summary of what happened and what actions were taken. This database is an important educational tool, both with respect to seeing trends in reported breaches over time, and in identifying whether other organizations consider a particular type of incident reportable," he says.
For example, he notes, "if a covered entity or business associate is on the fence as to whether an incident constitutes a 'breach,' it can be helpful to review whether there are similar reports on the HHS website, indicating that at least some other institutions have treated the type of incident as a reportable breach."
Green says the current website "provides the right level of detail, especially for those breaches in which a web summary is available providing a narrative description of what happened and what response was taken."
Similarly, Nahra says while he would not be in favor of posting even more information on the wall of shame, "the current site is somewhat helpful to the public and not particularly damaging to the posting entities, even in the unfair situations."
Good, Bad and Ugly
While the website might be a source of "shame" for some of the entities listed, the publicly available information about incidents has an overall potential positive impact on security and privacy practices by the healthcare sector, some experts say.
"The 'wall of shame' has had some success in incentivizing larger healthcare entities to improve information security practices, such as encrypting mobile devices, in order to avoid reputational harm," Greene says.
"The challenge is that we have transitioned to less breaches caused strictly through carelessness, and more breaches caused by sophisticated [cyber] attacks. It may be helpful to keep the wall of shame with respect to certain breaches, but provide more discretion to OCR to allow covered entities and business associates to appeal that a breach occurred despite reasonable safeguards and, therefore, should not be publicly listed," Greene suggests.
"The HITECH Act already provided OCR with authority to distinguish between incidents that are due to 'reasonable cause' versus 'willful neglect.' It may be helpful to bring this distinction to whether incidents get publicly posted."
Even if Congress decides to act, careful consideration of the website's pros and cons must be taken, Holtzman urges.
"Those who are egging Congress on to make changes to the HITECH Act mandate for public reporting of breaches should be careful what you ask for. As we saw in the passage of the 21st Century Cures Act, efforts to bring Congressional action on one issue often results in other legislative actions that were not envisioned," he says.
"For example, an effort to change the public listing of breaches could open up other areas of the privacy and security standards that might result in more stringent requirements on healthcare organizations, like mandatory cybersecurity risk analysis and mitigation or imposing FISMA-like information security requirements on the health care industry."