Consultant: Act Now to Manage Risk
In an interview, Borten, president of The Marblehead (Mass.) Group, predicts that civil suits by state attorneys general, like one recently filed in Connecticut, will grab the attention of hospitals and physician groups of all sizes, hopefully triggering action on data security. The HITECH Act gave state attorneys general the power to file civil suits on healthcare data security violations.
Patients will be much more likely to file complaints with a state official than they would with a federal agency, she contends, predicting a ramping up of security cases.
Among Borten's tips for hospitals playing catch-up on data security are:
HOWARD ANDERSON: This is Howard Anderson, managing editor at Information Security Media Group. We are talking today with Kate Borten, president of The Marblehead Group, a healthcare data security consulting firm. Thanks for talking with us today, Kate.
KATE BORTEN: My pleasure.
ANDERSON: A recent HIMSS survey showed most hospitals spend less than 3 percent of their total IT budget on data security. Do you think hospitals will be spending more on data security in the years ahead as they automate more clinical information? How big of a percentage of their IT budget should be devoted to security?
BORTEN: Well I do think that hospitals will be spending more on security as we move ahead, but I don't see it directly linked to the automation specifically. I think this is going to be a theme of our conversation today: It isn't about the technology. I know there is a big focus on that with the EHR (electronic health record) certification and so on, and certainly the technology plays a very critical role in enabling privacy and security. But when it comes down to it, the bigger concern that I have, and obviously the government has, is how organizations use the technology and how (good) their processes are, the administrative aspects as well as the technical.
So I think that there are a lot of drivers here, convergence of regulations at the state and federal level for privacy and security protections, and stronger enforcement, that will cause a ramping up. I think it will be inevitable. As to how big a percent, that is hard for me to say. I am disappointed to see it being 3 percent; whether it should be five or whatever is a tougher question.
ANDERSON: That same survey found that only about half of hospitals have a full-time chief information security officer. Should all hospitals or hospitals above a certain bed size have someone in that full-time position?
BORTEN: Frankly, in my experience with healthcare providers and hospitals across the country, I am even surprised that it is as much as half with a full-time chief information security officer. An awful lot of organizations that I work with do not even have one person full-time on security. Furthermore, having actually been in the position of managing information security in a cluster of hospitals, one FTE alone isn't enough. I think that healthcare organizations...are still behind when it comes to understanding the full scope and depth of an information security program and what it entails. There is an awful lot that has to be done to really be able to stand up and say we have a formal information security program and you are welcome to come in and look at it. So I think the staffing is a big issue.
ANDERSON: About 55 percent of those surveyed said that they conduct a risk analysis on an annual basis or more frequently. Should all hospitals be conducting such an analysis annually?
BORTEN: Well I don't want to sound like a broken record, but I find that a surprisingly positive response again...If every hospital participated in this survey across the country, I doubt that the answer would be 55 percent.
I know very, very few hospitals that actually do a risk assessment or a risk analysis more often than annually, and quite a few do not even do it annually. In fact, many, many organizations out there will say we did one when we knew the (HIPAA) security rule was coming along. So (perhaps) they did it in 2005, and have not done it since then.
So this again gets back to that point that there is a lot of focus on the technology right now because of the EHR...(Medicare and Medicaid) incentive payments. But the technology alone does not make a program. You have got to be doing these administrative things as well as including risk assessment, and I think all hospitals absolutely should be conducting one annually.
ANDERSON: In the same survey only half of the hospitals said their organization has a plan in place for responding to threats or incidents of a security breach. Should all hospitals that lack such a plan be working on one right now, especially given the new federal data security breach notification requirements?
BORTEN: Well could I say anything other than absolutely? The breach notification regulations went into effect in the fall. We knew they were coming...The government is just being a little bit gentle saying we are not going to go out of our way to enforce it until February. But the fact is that is now law...Almost a year ago, the HITECH Act itself had an extraordinary amount of detail in it in terms of the breach notification response; how much time you have, the content of the notice, whether it is delivered in first class mail or whether you have to reach out and contact media outlets and so on.
People have had almost a year to get ready for this. So that to me is very disconcerting, especially because organizations may not be doing a risk assessment, for example...Unless there is an audit, the government, the public, no one outside the walls of the facility is likely to know about that. But if there is a breach and you aren't notifying people properly, thoroughly, in a timely manner, etc., then that has a much more visible component, and I think it is much more likely to bring down some level of law enforcement.
And in fact there was just the notice...about the Connecticut attorney general charging Health Net of Connecticut not because of their breach but because of their inadequate breach notification, as I understand it. So I think that breach notification is very critical and it should be a subset of an incident response plan.
ANDERSON: What other steps should hospitals be taking now, if they haven't already, to comply with the new data breach notification rule?
BORTEN: Some organizations kind of throw up their hands and say, "Well, we haven't suffered one, so what do we do?" Well, there are a lot of things that you can do to prepare for any kind of incident, and it is...similar to preparing for a computer system disaster. Sit around the table and imagine scenarios: how you would respond, what key decisions you might be likely to have to make, and what you can do to prepare to make it easier when you are on the spot, making sure that the decision makers are identified. (You also need to make sure) that there is a chain of command already defined so that there isn't chaos, and make sure that you have at least a template for the notification letter that goes out, even if you can't fill in the details in advance. And in fact that letter actually has fairly standard requirements: what happened, what are we doing about it, what can you do, and so on.
ANDERSON: Under the breach notification rule, organizations that encrypt patient data don't have to report breaches because the data is assumed to be secure. Should all hospitals, as a result, encrypt all stored data as well as data that they transmit to others?
BORTEN: Well it has been common wisdom in the security world, as well as among Internet experts, that you can use the Internet and wireless and PDAs and so on safely if you encrypt and authenticate. So my recommendation for years has been encrypt all confidential information, not just PHI (protected health information), but also any confidential information that your organization handles. Encrypt it in transmission over the Internet and over wireless networks, because neither of those can you totally control. Also, encrypt data at rest on portable devices and portable media; anything that could easily walk out of the facility, from a laptop down to a smart phone, USB drives, and so on.
That doesn't mean that you shouldn't or don't have to encrypt data at rest in an internal database, but it is not standard practice. It certainly has costs associated with it in terms of real cost and performance. So the conventional wisdom for a number of years now has been encrypt over the Internet, over wireless and on all portable devices and portable media.
ANDERSON: On December 30, new proposed standards for certifying electronic health records were unveiled as part of the broader federal EHR incentive payment program. The certification criteria require that EHRs offer some sort of access control mechanism, but they don't specify a standard for that. What kinds of access control mechanisms do you think these vendors and their clients should be using?
BORTEN: Well I always recommend that privacy and security officers or leaders in the hospital arena read these regulations, and sometimes they are quite long, but it is very valuable to read the preamble. That is where the people who created the rule explain what they mean. So the rule by itself is often very difficult to interpret, but the preamble has the interpretation. So in the preamble they say that they have not been very specific or prescriptive about access control mechanisms because there are a variety of approaches and because this is an area where I think it is very dynamic. There are a lot of solutions now and potential solutions. It is a very shifting market right now, and so they have stayed away from saying "do it this way." I think that is exactly right. I think there were solutions that creative vendors or developers could have put in place in the past. The EHR incentives are certainly giving everybody the leverage and the incentive to do it now, but I think the rule writers were right not to specify anything there.
ANDERSON: The federal government on December 30 also issued another proposed rule on "meaningful use" criteria describing in great detail how hospitals and physicians can qualify for incentive payments for using electronic health records. The proposal states that to qualify for stage one, the first round of the incentive payments, organizations need to "conduct or review a security risk analysis of certified EHR technology." What is your interpretation of that?
BORTEN: Well again, I don't have to interpret it. The notice of proposed rule-making preamble explains very clearly why that is there...They explain that the technology alone is not enough.
You know, it is one thing to describe what the technology must be capable of doing, but it is different...for the hospital or the facility that purchases the equipment to implement it appropriately (and use) all the surrounding security controls.
So the original HIPAA security rule talks about administrative, physical and technical controls. And it is well understood that if you only focus on technical controls you will not have a secure environment; you cannot claim that you have an information security program. So if you look back at the security rule, risk assessment is only one requirement. You can infer from this that they are also saying, "Go back and reread the HIPAA security rule and understand it, or read NIST documents and be sure you understand what is involved in an information security program." You cannot just set it up and walk away from it. There are all sorts of administrative processes. The risk analysis is just one.
ANDERSON: Under the HITECH Act, federal enforcement of the HIPAA security rule will be ramped up with tougher penalties for violations. Also, state attorneys general now can bring a civil action in federal court for violations of healthcare security and privacy rules. On January 13, the attorney general of Connecticut brought such a lawsuit against an insurance company, Health Net, for a case involving the loss of a computer disc drive. Do you think we will see more suits like this in the months to come?
BORTEN: Government moves slowly, but I think that the Recovery Act and the HITECH Act...were definitely a sea change in many ways for HIPAA privacy and security...in terms of the attitude and tone that the Congress set for enforcement and penalties.
Too many years have gone by where these rules have simply not been enforced. Even Health and Human Services' own office of the inspector general wrote a very harshly worded report criticizing the agency itself for lax enforcement. Congress was definitely...picked up on that and required by federal law in the HITECH Act that HHS conduct audits. HHS is required to audit not only covered entities but their business associates as well. And the penalties have been ramped up by Congress very, very significantly--the civil penalties for non-compliance.
Making state attorneys general also able to enforce these regulations is a powerful, powerful tool. I am actually glad to see Connecticut getting involved. Different states are going to jump on board in their own time...
I think many people have until now been reluctant to actually contact a federal agency about what they feel might be a privacy breach. When it is your own state attorney general--and you might even know someone who works in the state government or even in the attorney general's office or lives in your own community--it is much more local and much less intimidating and much more approachable. I think that we will see many more complaints. And in different degrees in different states we are going to see the states taking a role in enforcement. Until now, small offices--small doctors, small dentists and pharmacies and so on--felt pretty comfortable that they were just not going to get to be on the radar screen of the federal government. I think that is just not going to be the case going forward. I am not sure we are going to see it in a huge rush, but I think that this is the beginning of a quite different enforcement time in this country in terms of privacy and security for patients.
ANDERSON: So what are the implications of that? Do you think that could lead to more organizations making data security more of a priority?
BORTEN: Oh I sure hope that is the implication. I sure hope that is the outcome. I seriously do believe that many hospitals and other caregivers have not been willfully negligent, as the law says, but they have just not made this enough of a priority. They have not invested enough in privacy and security to understand what is really involved in an information security program. So I keep coming back to that same theme. It has been a number of years now. The original proposed security rule came out in 1998, and even then there was nothing earth-shattering in it. Here we are 12 years later, and we are still struggling. So I think that the enforcement and the penalties will give the industry a little kick in the butt, but I do sincerely hope and believe that organizations are going to say, "I guess I better look at this again and make a greater effort to really take this seriously and really integrate this into our culture, really staff this more appropriately." I do think that that will be the outcome.
ANDERSON: Thanks very much Kate. We have been talking with security consultant Kate Borten of the Marblehead Group. This is Howard Anderson of the Information Security Media Group.