By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure
Not a day goes by (or many posts on The Pulse Blog) without a discussion of the rapid increase in data breaches impacting the healthcare industry. Information and statistics in this regard are inescapable. For instance, the so-called “Wall of Shame,” which is the public posting of breaches, recently crossed the 2,000 breach threshold. The Wall of Shame first came online in 2009 and took almost five years to hit the 1,000 barrier, but just another 3 years to hit 2,000. Clearly, the data show that more breaches are happening, and more frequently.
The availability of more data about breaches, though, is a fairly recent development. While the Wall of Shame has now been around since 2009, there has not been a consistent, comprehensive source for information about healthcare data breaches. Sources are developing though, with the Protenus Breach Barometer being one of my favorites. The Breach Barometer is typically published on a monthly basis and highlights totals of known breaches from the previous month. Tracking the Breach Barometer reveals trends, which were highlighted in the recent mid-year Breach Barometer.
The highlights from the mid-year Breach Barometer are that insider issues and hacking incidents account for the vast majority of incidents. Insider issues can be broken into two large categories: inadvertent mistakes and malicious activities. The inadvertent mistakes could be sending to the wrong address, an email error or some other unintentional act. To some degree, the inadvertent mistakes are unavoidable because no one can be perfect. The key with an inadvertent mistake is to catch the problem early, which makes any resulting mitigation more effective. While inadvertent mistakes are arguably a part of human nature, preparing individuals with comprehensive, consistent and ongoing education and training may reduce the risk. When individuals are aware of an issue and know how to address it, the likelihood of occurrence is reduced and a natural response is built in.
The second side of insider breaches, malicious intent, is harder to control for because, as the name implies, the individual has some bad intent that will motivate attempts to get around defenses. When malicious intent is present, the individual is clearly trying to profit individually or through organized efforts. The bottom line though is a willful disregard for an organization’s policies and the requirements of law and regulation. Awareness of the growing number of malicious intent incidents is the first step in combatting, stopping or preventing them. Up until a couple of years ago, stories that individuals were stealing medical information to sell for profit or otherwise taking advantage of trusted information were rare. Unfortunately, that is no longer the case. Multiple times per year, a story of a criminal prosecution or other outcome is reported. Further, malicious intent breaches can often take the form of a “small” breach where only one or a few individuals have their information accessed. Many times, such breaches are done because the individuals know each other, or some personal relationship influences a decision. Small breaches were well-documented in a December 2015 ProPublica article, but it is unclear what, if any, change has resulted.
Even though malicious intent is designed to elude preventive efforts, tools and methods do exist to help address it. For instance, organizations would be well advised to regularly monitor and audit medical record access. Such efforts are arguably easier for electronic medical records because a log file is often present and some portions of the review can be automated. However, it is unclear how well such efforts are undertaken. Additionally, specific records, such as those of a “V.I.P.” patient, could be reviewed specifically where a higher degree of concern is present. Ensuring access is appropriate is a baseline requirement under HIPAA, so the organizational ask is not going too far.
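To show what the automated portion of such an access review can look like, here is an added example (not from the original article or any EMR vendor) that flags chart accesses with no documented treatment relationship, every access to a designated V.I.P. record, and accesses where staff member and patient share a surname, the kind of personal-relationship “small” breach discussed above. The log format, the care-team table, the V.I.P. list and all identifiers are constructed for illustration.

```python
"""Audit EMR chart-access events for signs of inappropriate insider access.
Added example; log format, care-team table, V.I.P. list and identifiers are constructed."""
import csv
from io import StringIO

# Constructed audit log: who opened which chart, and when.
ACCESS_LOG = """timestamp,user,role,patient,action
2017-08-01T08:02:11,u100,nurse,p501,view
2017-08-01T08:05:40,u100,nurse,p777,view
2017-08-01T09:15:02,u200,billing,p502,view
2017-08-01T09:16:30,u300,physician,p501,view
2017-08-01T14:47:09,u200,billing,p503,view
"""

# Constructed treatment relationships: staff who legitimately care for each patient.
CARE_TEAM = {"p501": {"u100", "u300"}, "p502": {"u200", "u300"}, "p503": {"u300"}}

# Constructed "V.I.P." flag: every access to these charts goes to a human reviewer.
VIP_PATIENTS = {"p777"}

# Constructed directories used to spot a possible personal relationship (shared surname).
STAFF_SURNAME = {"u100": "Rivera", "u200": "Chen", "u300": "Okafor"}
PATIENT_SURNAME = {"p501": "Smith", "p502": "Lee", "p503": "Chen", "p777": "Rivera"}


def audit_access(log_text, care_team, vip, staff_surname, patient_surname):
    """Return one finding per suspicious event; ordinary care-team access is silent."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        user, patient = row["user"], row["patient"]
        reasons = []
        if patient in vip:
            reasons.append("vip_record")
        if user not in care_team.get(patient, set()):
            reasons.append("no_treatment_relationship")
        if staff_surname.get(user) == patient_surname.get(patient):
            reasons.append("shared_surname")
        if reasons:
            findings.append({"timestamp": row["timestamp"], "user": user,
                             "patient": patient, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_access(ACCESS_LOG, CARE_TEAM, VIP_PATIENTS, STAFF_SURNAME, PATIENT_SURNAME):
        print(finding)
```

In a real deployment the care-team table would come from scheduling or encounter data, and each finding would open a review ticket rather than being printed.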
Hacking, the other major reason for an increased number of data breaches, is harder to address. Suffering a hacking attack is largely beyond a single organization’s control. It is a sad but true reality that hackers and other outsiders with bad intent are likely more sophisticated technologically. While the disparity may exist, organizations should not resign themselves to being hacked. Intrusion can be made more difficult by implementing countermeasures, regularly updating and being proactive. Further, no organization should be deluded that it is too small to be attacked. Practices of all sizes, from single practitioners to multi-state systems, have been attacked and will continue to be attacked.
Despite the increasing frequency of attacks and reports, it is a time for optimism. Why is optimism justified? Because data breaches (though usually just hacking or ransomware) garner major news headlines and are a topic of frequent discussion. Additionally, more sources are quantifying, examining and breaking down the breaches. As such, the explosion of healthcare data covers not just the medical information itself, but also how that information is being used and how it is vulnerable. As more analyses are conducted and distributed, all will benefit. A data breach is not suffered by an organization alone and in private but, for better or worse, out in the open. The ability to collectively learn from each incident is one of the reasons for optimism about the future. The first step to doing something is to be aware.
What will happen in the future? No answer can be known today. However, my honest feeling is that healthcare as an industry and organizations as individuals do care about protecting healthcare information. No one is satisfied with a reality where more than one breach per day is occurring. Such consistent failings of trust are not acceptable, especially when that reality can be influenced through easily controlled actions. It is easy to complain and highlight the issues without applauding the everyday work that is improving the situation. It is important not to forget the progress that has been made and the efforts that are ongoing. It is impossible to expect that all breaches will be stopped, but we should at least bring the number down, and the groundwork for that exists.
About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute. This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.