The REAL Security Threat
The Gartner Group's John Pescatore said it well in a recent interview: "You know the real issue we see today [...is] most data disclosure incidents happen because of a mistake an employee made, not because of malicious insiders, not because of super-duper clever attackers, but really because of a mistake the user made."
Thank you John for making my point: It's about people, and whether or not they are attentive to their shared responsibility for maintaining an organization's IT security and protecting patient health information.
"Accountability begins with a workforce that knows their roles and responsibilities and it ends, well, it never ends."
Every day, it seems, there is yet another news story about on-line ID theft and hacker intrusions into businesses and government agencies. Cybercrime is real, growing and a significant concern. But in healthcare, the source of concern is much closer to home.
The list of breaches prepared by the Department of Health and Human Services helps illustrate that, at least in healthcare, inattentive care and handling of protected health information, or PHI, is a people issue.
Between September of 2009 and the middle of February 2010, more than 1 million health records have been lost or stolen, according to the mandatory reporting of PHI breaches on HHS's Office for Civil Rights web site. Remember, this site only publicizes breaches when the incidents involve more than 500 records. In other words, this is the tip of the PHI breach iceberg.
Of the 47 published incidents, the loss or theft of laptops and portable devices account for 20 (42%); the theft of desktops and servers, 13 (28%); and paper and film another 9 (19%). Of the remaining five (11%) incidents, three involve mailings/postcards and two for e-mail/phishing.
I acknowledge that the sampling is very small not withstanding a million lost records but there is a remarkable absence here cybercrime. Even if we allow the two e-mail/phishing incidents to be grouped into the cybercrime category, the majority of losses involve the theft or loss of mobile devices or paper.
Of the million-plus records, only 1,286 were lost electronically, that is, lost through e-mail or phishing attacks. Healthcare vulnerabilities seem to be related to security controls, or lack of them, and how workers care for PHI.
One sure solution is to encrypt everything, wherever possible. The HITECH Act explicitly exempts encrypted PHI from the breach reporting requirements. Encrypted laptops, desktops and mobile media would address the vast majority of lost records. Encryption is the cheapest, surest, best PHI protection.
The HITECH Act adds teeth to HIPAA by expanding the criteria for accountability, down to the individuals involved. It is accountability that drives compliance.
Accountability begins with a workforce that knows their roles and responsibilities and it ends, well, it never ends.
No matter how mature an organization's IT security program is, the workforce must remain attentive if privacy and security are to be maintained. Each workforce member needs to own their share of responsibility as a custodian of PHI. Each healthcare organization needs to hard-wire into their services, environment and workers a culture of accountability. Our patients expect nothing less.
Compliance comes not from avoiding the need for security controls and workforce training; it comes from fostering and developing a culture of accountability.
The HHS web site shows how even one incident of unsecured PHI involving more than 500 records can get you national recognition. A second incident will almost guarantee a visit from the HIPAA/HITECH enforcement team.
What does it take to raise organizational awareness to recognize that healthcare also includes the care of our patient's PHI? Hopefully, not the public recognition of inclusion on the HHS breach list.
Christopher Paidhrin is the IT security compliance officer at Southwest Washington Medical Center in Vancouver, Wash. He has worked for many years in IT and business operations, in higher education, the private sector and entrepreneurial environments, where he has held numerous director-level positions.