As industry leaders met at the iHT2 Health IT Summit in New York City, Bruce Metz, senior vice president and chief information officer of Lahey Clinic, and member of the iHT2 advisory board, joined SearchHealthIT.com to discuss data breaches and securing data.
Data breaches, in some fashion, are almost inevitable with the onslaught of mobile devices being used in health care facilities. How do hospitals and providers create contingency policies for cases in which they simply could not prevent or have foreseen a potential theft or breach?
Bruce Metz: It is important for hospitals and any organization that stores sensitive information to have a response plan in place. The response plan should also be practiced and updated throughout the year, as new threats and events surface. There are a number of useful tools to help hospitals and providers develop an effective response plan; some of the most useful tools are: (a) NIST Special Publication 800-61 Rev. 2, (b) the AICPA Incident Response Plan, and (c) the North Carolina Healthcare Information & Communications Alliance, Inc. (NCHICA) Breach Notification Risk Assessment Tool.
Is there a limit to the organization’s liability?
Metz: Under the 2009 HITECH Act, covered entities face a maximum fine of $1.5 million per year, plus other potential sanctions from state attorneys general and class action litigation. The case law on this topic is still evolving, but rest assured that covered entities are incurring fines in the hundreds of thousands of dollars, and providers should regularly check with their legal counsel.
Where and what kind of breaches are most frequently occurring these days in hospital settings?
Metz: In general, based on [Centers for Medicare & Medicaid Services] CMS-reported breach data, from an electronic perspective, lost/stolen laptops are the most common sources of reported breaches, representing over 110 of the over 480 reported breaches.
Is hardware or software protection more important?
Metz: User training and education is the most important aspect in stemming the tide of electronic breaches. However, from a risk mitigation perspective, encryption of patient data is the only activity that provides safe harbor in the event a device storing patient data is lost or stolen. The HITECH Act is very specific about the type of encryption that qualifies for safe harbor, but in general, any hardware or software encryption process that is FIPS 197 and or FIPS 140-2 compliant is key.
Is data encryption the strongest or best protection for complying with the Health Insurance Portability and Accountability Act (HIPAA)?
Metz: Actually, HIPAA does not require encryption and an organization can be HIPAA compliant without using encryption. The strongest/best method for complying with HIPAA is to have an active risk assessment program and to vigorously follow its recommendations.
What do you advise providers do when creating HIPAA compliance policies?
Metz: The most important step is to begin the process with a defined risk assessment program, which takes a broad view of risks to the organization. A second key step is to use one of the industry leading standard risk frameworks. For example, Lahey uses the HITRUST Alliance Common Security Framework as the basis for developing HIPAA compliance policies and other key components of our IT security and risk management program.
Organizations are looking to the cloud as a possible answer to storage issues, but security and data vulnerabilities keep providers away from integrating cloud services. Is the cloud a truly secure place for health care data?
Metz: The cloud can be a safe place for storing health care data. The most efficient way to determine if a cloud offering is a viable approach is to investigate the cloud vendor's willingness to sign the provider's business associate agreement.
Patient engagement and information exchange are both significant components of meaningful use stage 2. Are there efforts to encourage patients' efforts in protecting their own data?
Metz: As patients have increasing access to their electronic information, providers will have to develop communications that help patients understand how to keep their electronic information secure.
How do providers bring together all the stakeholders to ensure information is secure?
Metz: Ensuring that patient information is kept secure, as that information is extended through health information exchanges (HIEs) and patient portals will require vigilance and close collaboration among a number of provider departments. Moreover, this will require providers to once again conduct and keep current their risk assessments and to carefully implement risk mitigation approaches suggested from the risk assessment process.