The revelation this week that a Community Health Systems, Inc. patient data breach affected 4.5 million people was difficult to accept.
What’s harder to accept is that it was caused by Heartbleed, a well-documented, headline-grabbing OpenSSL data security vulnerability that opens up legacy systems to hackers. Through the back door Heartbleed creates, thieves can decrypt login credentials and run wild through data systems. Legacy systems are vulnerable because they’re no longer getting security updates. Whoops! Sorry, patients, even though this was all well known, we chose not to address it.
Sources we talk to explain the reasons these situations happen in U.S. healthcare; most are rooted in cost arguments. Because legacy systems are stable, in the IT sense, providers worry about disturbing employee workflows if they were to upgrade to newer applications. Switching to new billing, coding, research, lab, radiology, EHR, and other data systems also brings huge data migration costs. And only the richest health systems have the capital to stay current with IT, as payers tighten already thin margins and CFOs veto new purchases by saying “if it ain’t broke, don’t fix it.” The list of “whys” goes on, including vendor indifference to old products. They’ve moved on, and they want providers to, too, whether they can afford it or not.
Somehow, we’re imagining the 4.5 million Community patients are unlikely to accept those arguments as valid. Also, we’re guessing the folks in charge of cleanup and remediation would attest that it’s way more expensive to fix the situation now than it would have been to update their legacy system before Chinese hackers put their organization in the news. And made them subject to HIPAA fines, inspections and audits down the road. And extremely public scrutiny on their network architecture and data security compliance risk mitigation plan — and checkups on how they’re executing it.
The marketing and media relations staff likely aren’t happy with the fallout from the breach, either, as they try to assure patients that things will be okay, and attempt to persuade them not to go to other healthcare providers.
Fortunately, for healthcare providers who take this week as an omen or, perhaps, inspiration to look over their own compliance strategies on both the patient privacy and data security sides of the HIPAA coin, there’s a way to get current information from the top authorities in the country: the Safeguarding Health Information conference, Sept. 23-24, jointly sponsored by the National Institute of Standards and Technology and HHS’s Office of Civil Rights. Together they will present strategies for securing EHRs, building tight business associate agreements, implementing encryption, locking down mobile devices, and securing patient data in the cloud, along with advice for CIOs on convincing fellow C-suite dwellers to invest in HIPAA compliance, and many other related topics.
While the event will take place in Washington, D.C., it will also be webcast live. So there’s no excuse to miss it. None whatsoever.