Breach Prevention: Pay Now, or Pay LaterFinding Funds for Security Difficult, But Necessary
Even the smallest, cash-strapped healthcare organizations need to make information security a priority. That's because breaches can happen anywhere, and when they do, they can really sting.
Consider the experiences of Troy Regional Medical Center, a 97-bed facility in South Troy, Alabama.
Many hospitals around the country are facing serious financial difficulties and, as one result, have underfunded their security programs.
The medical center is facing a dilemma familiar to many smaller hospitals and clinics across the country. It's scrambling to meet the compliance deadline for HIPAA Omnibus Rule that's just three months away. Yet the Alabama hospital has already found it difficult to fund a HIPAA privacy and security strategy - even before omnibus came along.
And to make matters worse, the hospital experienced a data breach.
In March 2011, Troy Regional reported to the Department of Health and Human Services an incident involving unauthorized access to information on about 881 patients. And now it faces an investigation by HHS' Office for Civil Rights, and, potentially, a financial penalty.
The breach involved a contract worker at Troy Regional who stole patients' personal information, including Social Security numbers. That worker, who was part of an ID theft and fraud ring, was convicted and sentenced earlier this year to 65 months in federal prison for stealing patient information. Another member of the ring, who pleaded guilty, was sentenced in May to 10 years in federal prison for her part in the scam, according to the U.S. Department of Justice .
"We didn't have the money to invest in security," Teresa Grimes, CEO and administrator of Troy Regional, acknowledges in an interview with HealthcareInfoSecurity. The medical center has had substantial operating losses, ranging from $3.8 million to $600,000, over the last several years. But in the wake of the breach, it will need to scrape up funding to improve its HIPAA compliance -and overall information security.
"This has opened our eyes about the holes in our security," says Janet Smith, Troy Regional's CFO.
Like Troy Regional, many smaller healthcare organizations are having a tough time scrounging up money for HIPAA compliance and other data security efforts.
"I am sympathetic. I know of many hospitals around the country facing serious financial difficulties and, as one result, have underfunded their security programs," says Kate Borten, who heads IT security consulting firm The Marblehead Group.
"On the other hand, we are more than 15 years after the passage of HIPAA, so all hospitals should understand by now what's required of a good security program and have planned for it," Borten says. "Yet many, and perhaps most, hospitals underfund and understaff their security program, regardless of their financial state. I find this very discouraging and a sign that senior leadership has not yet grasped the importance and value of information security, muchless the multiple facets and complexity of a robust program."
Security specialist Rebecca Herold, partner at Compliance Helper and CEO at The Privacy Professor, a consulting firm, offers a similar assessment. "Hospital boards and directors need to have a change in mindset; too many view information security and privacy safeguards as something unnecessary to their business - and so an unnecessary expense," she says.
"This is the same mindset many had decades ago about investing in fire alarms, sprinklers and safety exits. Those types of safety investments are now understood to be a necessary cost of doing business, as well as necessary for the safety of others."
Our recent Healthcare Information Security Today survey found that only about a third of organizations expected their data security budgets to grow this year, and most allocate money for security on an as-needed basis (see: Tips for Getting Security Budget Buy-In).
"Sometimes security resources are not focused on the highest risk areas," Borten says. Plus, hospitals and others miss opportunities to use inexpensive controls "and don't get the most bang for their buck" she adds.
So what else can cash-strapped healthcare providers do to stretch their security buck? Experts suggest:
- Use free government resources, including privacy and security guidance on the HHS website. Also, many states offer free resources to healthcare providers.
- Perform a risk assessment. Smaller organizations can get help conducting a cost-efficient risk assessments from boutique consulting firms.
- Address high-risk findings. Key steps often include establishing security procedures for mobile devices and making more extensive use of encryption.
- Provide training, as well as ongoing awareness communication.
- Identify all business associates and then make sure they have appropriate security controls in place.
Troy Regional's Plans
As for Troy Regional, its compliance and legal teams have reviewed the organization's policies and procedures in the aftermath of the breach, and the hospital is putting together an "internal corrective action plan," says Grimes, the CEO.
That includes providing staff members and physicians "with lots more education" around privacy as well as "how to be on the look-out for unusual behavior" from colleagues. "We've set up an anonymous hotline for employees to call" if they witness suspicious activities among coworkers, Grimes says.
The hospital is also working on security with its business associates, including its billing and electronic health record software vendors, to bolster the auditing and tracking capabilities of the systems so that unusual activity and inappropriate access can be more easily spotted.
Still, Troy Regional hasn't figured out exactly how it will come up with the money it needs to improve security, comply with HIPAA Omnibus - and pay possible federal penalties, Smith says.
Like this Alabama medical center, many other smaller hospitals and clinics across the country need to devise creative ways to make the most of their limited resources for protecting patient information. That's because, in the long run, leaving risks unmitigated will prove to be even more expensive because of such costs as legal fees, federal penalties - and damaged reputations.
Is security and privacy funding tight at your organization? How do you stretch a dollar? Let us know.