How to Prevent a Data Breach
Attorney Offers Insight for Avoiding Costly Incidents
One of the most important healthcare information breach prevention steps is to safeguard mobile devices and limit the data stored on them, says attorney David Szabo.
"There's a huge risk area around laptops and other portable devices that carry a lot of data," says Szabo, a partner with the U.S. law firm Edwards Wildman Palmer LLP. "Organizations, even when it's not legally required, need to be looking at ... encryption of all laptops that leave a facility with protected health information or personal information."
Szabo also says organizations should "reassess their policies about how much information employees really need to take off the premises ... because that's another factor of risk. ... The whole issue of portable devices is one that organizations really need to look at hard."
In an interview with Information Security Media Group's Tom Field (transcript below), Szabo says other breach prevention steps healthcare organizations need to consider include protecting paper records and training employees on privacy and security policies.
Szabo also discusses:
- What healthcare organizations can do to prepare for the final version of the HIPAA breach notification rule;
- Privacy and security measures for health information exchange as well as remotely hosted electronic health records; and
- The most important steps healthcare organizations can take to prepare for HIPAA compliance audits.
Szabo is a partner in the business law department of Edwards Wildman Palmer LLP, where he is a member of the healthcare and privacy practice groups. He has extensive experience in healthcare licensing and regulation; reimbursement; fraud and abuse; compliance; and the structuring of joint ventures.
TOM FIELD: To get us started, why don't you tell us a little bit about your firm, yourself and your role with the firm?
DAVID SZABO: Edwards Wildman is an international law firm including offices in London and Hong Kong, but we have large practices in data breach response, privacy protection and healthcare. My own practice focuses on the healthcare industry, but a large part of it has to do with HIPAA, privacy, information security and implementation of projects that fall under HIPAA regulations.
Breach Notification Rule
FIELD: A final revision of the HIPAA breach notification rule is expected some time soon. Is there anything that healthcare organizations could be doing right now to prepare for the final rule?
SZABO: We've been living under the interim final rule for breach notification for some time. While there has certainly been a lot of speculation and rumors about what might get changed when the government gets around to issuing the final version of the rule, we have to remember we're operating under an effective rule today and most healthcare providers also have to comply with various state laws about data breach notification. They have to be geared up right now.
A big part of it, in terms of preparation, especially in prevention, really has to do with the fundamentals of information security. Healthcare providers, health plans and clearinghouses have been living with the HIPAA information security rule for some time. Really, security is what it's all about in terms of detecting and preventing breaches, so they really need to go back to the basics of the security rule and make sure that they're prepared to implement those things.
I think the second piece that goes beyond security is having a plan for breach notification, mitigation and response so that you're not starting at ground zero when you hear a laptop has been stolen or there's been a failure in terms of a website or even a subject of an attack, and then figuring out who you're going to call and what you're going to do. The first phase is sound information security. The second phase is a contingency plan when, unfortunately, things do go wrong either because of technical error, human error or you're the victim of an attack.
Steps to Prevent Breaches
FIELD: In the meantime, what do you see as maybe the three most important steps that organizations can take to prevent breaches?
SZABO: I think, especially in terms of prevention, one of the things that organizations should be looking at is what's happening to other people. That information is available in terms of reports from the federal government and from state agencies that are administering state data breach laws. The first thing I would mention to people is there's a huge risk area around laptops and other portable devices that carry a lot of data. Organizations, even when it's not legally required, really need to be looking at, say, encryption of all laptops that can leave the facility with protected health information or personal information. They should also reassess their policies about how much information employees really need to take off the premises outside of the kind of physical envelope of a secure facility, because that's another factor of risk. ... The whole issue of portable devices is one that organizations really need to look at hard.
Secondly, there are still enormous risks in the healthcare world with paper records. A major medical center had to pay a substantial settlement to the government because an employee left paper records on a subway train that had sensitive information about patients, and that information was lost. We shouldn't get too wrapped up in just thinking about computers and technical things - paper records can also be at risk simply because of the good-faith errors and omissions of employees.
I think another major area, in terms of both prevention and detection - and it's difficult - is to have regular, relevant training that takes into account the human factors where things can go wrong. People have to be trained to understand the policies of the organization, and they have to be trained about common-sense safeguards that they can follow to avoid breaches or the misuse of information. There's the old rule about real estate that if you want to understand real estate, you have to understand three rules: location, location, location. I would say to implement security you have to do three things: training, training and training. ...
Cloud Computing and EHRs
FIELD: I understand you've worked with several hospitals that are hosting electronic health records for area physicians. What do you find to be the key HIPAA compliance and breach prevention issues that are raised when hosting EHRs for physicians using the cloud computing model, and how are these hospitals you've worked with addressing these issues?
SZABO: That's a great question and a lot of it can vary on exactly how the system is set up, what the architecture is, what the various responsibilities of people are. But I would say in general, what you find in a lot of these situations is there may be, for example, a data center either at a hospital or off site that's probably a highly secure facility. It's relatively easy for a hospital, if it's well-funded and it has a strong IT department, to set up a secure data center that is going to have a very great capability to protect that information. For the information to be useful, obviously it has to be pushed out to the sites of care, and the sites of care have to be able to put information back into the secured data center. Then you have basically all these remote locations of use.
Maybe each medical practice has several offices, and they have to have access to the data to make it useful. Typically, you have more of the vulnerability out at the remote sites where you may have a variety of full-time and part-time employees accessing data in different ways, looking for the most efficient ways to move information from place to place. You also have people that may have access, because of the power of these systems, to a lot of information, but without a full appreciation of the risks that this information can create.
I will give you a couple of examples. One of my clients had to deal with a very serious problem because an employee, in good faith, just trying to do their job, was moving a lot of information manually from office to office. Their car was broken into, the computer bag was stolen and a lot of information that wasn't properly protected was lost. Another example came because an employee of a practice decided it would be useful for administrative purposes to look at the medical records of an employee, and they were able to do that because of an information system that was set up and hosted by a hospital; and they looked at an employee's medical record for an appointment-related purpose. That's a clear HIPAA violation that was enabled by technology. And in both of those cases there were breaches and there was breach notification that had to be carried out. In both cases, there were serious consequences for healthcare providers. Employees were disciplined in one case and an employee was discharged, and [there was] a lot of needless cost, expense and heartache for a lot of people in part because people didn't appreciate either the risks or the power of the technology that they were using, and the organizations weren't really fully prepared to prevent those events from occurring.
Health Information Exchange
FIELD: You've been involved in the formation of a statewide health information exchange in Massachusetts. What do you see as the major privacy and security challenges that HIEs face, and what do you see as the key to winning patients' confidence for health information exchange?
SZABO: Those are great questions. I think one of the big challenges ... is that there are a variety ... of state laws that have been passed to protect the privacy of information, but those laws were really written in an era before the advent of electronic records, before the power and value of data exchange was fully realized. In other words, laws, for example, governing the disclosure of HIV test results may have been written quite appropriately for an era of paper records, but really didn't consider the improvements in care and efficiency and quality that could be realized by the sharing of health data in a secure manner through a health information exchange. ...
[As a result,] the implementation of electronic exchange of medical information is made extremely difficult. I think it puts in the forefront one of the other issues that you just mentioned - patient trust. In order to implement some of these systems, laws are going to have to be amended or, simply, the state is going to have to get involved in helping to implement these systems. Obviously lawmakers and policymakers have to be satisfied that privacy is going to be protected and security is going to be protected. And the public has to have enough trust in how these systems are going to work so that they don't go to their legislature or go to their governors and try to get these programs blocked or stopped. ... Earning the public's trust is extremely important.
One of the things that needs to be done in terms of public education and public understanding is focusing on some of the really powerful benefits of electronic health information, electronic health records, e-prescribing and other kinds of systems in making care more available, in reducing medical errors and making the right information available at the right place at the right time to make healthcare better and more affordable. ... Breach notification - which is the law now - is very important in terms of transparency and providing an incentive for people to do the right thing. I just hope that at the same time it hasn't undercut public confidence that we can implement these important systems in the right way and do it while protecting privacy and security.
HIPAA Compliance Audits
FIELD: HIPAA compliance audits are coming this year. What are the most important steps that healthcare organizations can take to prepare for the audits?
SZABO: ... One of the first things that happens with a government security audit is they have a checklist of standard questions, and the first thing they want to know is who's the security officer, or, if you don't formally have a security officer, the person who's in charge of information security. The second thing they want to see is when was the last time you did an assessment of the risks of information security that your organization faces and how you've mitigated those risks.
Then they want to look at what are your policies and procedures, what are your administrative steps, the rules that you've followed; what are the physical safeguards that you've implemented, what are the technical safeguards that you've implemented across your system at workstations and for portable devices for access control - basically HIPAA security 101.
The issue is, can you document that you have been doing those things and that you've been training your employees to those rules? If you're familiar with the security rule, it really then is a matter of blocking and tackling, lining up the tasks that need to be done and taking care of them and demonstrating that you've been doing that to the government. If you can't demonstrate those things, if you don't have policies regarding portable devices, if you don't have policies regarding technical safeguards, it's going to become apparent very quickly to the government that you're just not taking information security seriously and you're not really ready to survive an information security audit.
It's really a question of marshalling the resources, having the commitment from the top of the organization to follow through and develop a program that's suited to your organization and then show you've been communicating that to your employees and requiring training and actually implementing those policies in the real world.
Unfortunately, there's no magic formula for it. It requires effort and resources, but I think it's a challenge that organizations can meet if they plan ahead.