The HHS recently faced two HIPAA compliancy settlements that have given arise to questions surrounding the sufficiency of the current provisions surrounding data breaches. As the healthcare landscape rapidly evolved in the last 5 years, the governing regulations over data security, data privacy, and cyber security still lack the required measures of protection. The recent settlements, though small in size and affecting a minute amount of patients, bring attention to these measures and the new frontiers that HIPAA has yet to address.
For healthcare players, these settlements prove that even relatively small breaches can still result in tough federal sanctions or investigations leading to HIPAA penalties. As of May, close to 1000 major breaches were reported since 2009. These affected almost 32 million individuals and prove that the current HIPAA regulations are too lenient or outdated to keep up. Three key areas of concern that the HHS & providers nationwide should look to increase security efforts in include Data Mining, EHRs and Mobile Devices.
Data mining remains one of the most difficult areas for HIPAA to firmly stamp its authority over. Data transmission across the web and even over secure networks can easily be intercepted, tracked, and even sold to third parties who see the data as valuable. Many of the security issues surrounding data mining pose threats to both privacy and transparency. Due to many data mining companies not being liable under HIPAA, an individual’s data can be retrieved without any consent. The information derived from such data is intended to better healthcare outcomes, however it can also play a key role in other more malevolent purposes when used by third party purchasers.
With most consumers unaware of how their health data is being used, stakeholders have called for the following issues to be addressed:
- Urging congress to consider legislation provisions governing data mining access and use.
- Creating greater accountability for the stakeholders involved in data mining, as well as third parties whom use such data.
- Providing meaningful protection to the consumer and individuals whose data may be at risk.
- Considering new hosting and cloud infrastructures that are mandated to include encryption provisions and greater security over personal health data.
Electronic Health Records have been all the talk lately, especially with the problems faced in attesting to meaningful use. A more serious issue however, looms on the horizon for healthcare stakeholders and consumers utilizing EHRs – security. Many providers and payers have already voiced their concerns over the security risks surrounding EHR-adoption and are reluctant to implement meaningful use throughout their facilities. The fact of the matter is, as personal health records become digitized, they become highly vulnerable to various cyber attacks. Furthermore, once one provider’s data network is breached, thousands of individuals could be affected leaving not only health data exposed, but also financial and personal information too. The data is then sold on the black market, with an individual’s single record going for up to USD $500.
Mobile is the new frontier of healthcare, and it could become HIPAA’s biggest undoing. Mobile devices couple new threats with a new infrastructure that involves a multitude of stakeholders and vendors both health and non-health related.
The two recent HIPAA compliance settlements faced by the HHS involved stolen laptops are the first of many more to come from mobile device breaches if something isn’t done soon. While data transmission amongst mobile devices remains fairly secure and falls under similar regulation as other data sharing platforms, the mobility of the devices poses its biggest threat. As a result, loss or theft of an unencrypted mobile device has been the number one cause of major breaches over the last few years. “When individuals or when a medical center acquires a small practice where security technologies and practices are not embedded, there is a significant risk…” said cyber security expert Kate Borton when asked about the latest HIPAA breaches.
The onus falls collectively on all mobile device consumers, vendors and stakeholders to ensure that security risks surrounding mobile devices are eliminated. Consider the following in evaluating the security of mobile devices at use in your facility, practice or office:
- Conduct risk assessments over mobile access and connection.
- Encrypt all mobile networks and data transmissions.
- Develop strict protocols for users to follow when using a mobile device.
- Educate consumers and vendors of the risks mobile devices can pose to healthcare stakeholders.
With HIPAA desperately needing to increase their efforts across these new frontiers, further calls for greater protection and security should be directed to healthcare stakeholders versus governing bodies. Currently, healthcare providers spend 3% or less of their IT budgets on security. Many choose to barely meet the compliance standards already in place versus proactively battling any cyber risks HIPAA may not protect them against. These efforts are not enough, and the HHS should look to extend or reform HIPAA compliancy to include more stringent requirements governing issues like data mining, EHR security, and mobile device use. For healthcare stakeholders, one thing remains clear – the cost to prevent such breaches is far less than the cost of mitigation, regardless of its size.
PayerFusion Holdings advocates the use of HIPAA compliant data transfer on all of its devices when communicating with both internal and external parties. To learn more about PayerFusion's technology solutions click here or subscribe to our monthly Health Insights newsletter here.