Security: healthcare’s fixer-upper
June 4, 2014 in Medical Technology
And sometimes, as Lynn Sessions, partner at BakerHostetler, who focuses on healthcare privacy, hears from her clients, it’s a matter of a single unencrypted device slipping through the cracks of an entity with otherwise strong encryption policies: “We are encrypting 99.9 percent of our ‘fill in the blank’ devices, but this one slipped between the cracks because it fell outside of the normal procurement process, or it was a biomedical device or it was used by the marketing department because they use Apple computers versus PCs,” said Sessions. “Organizations have loopholes,” and therein lies the breach potential.
And lastly, IT departments are just plain swamped, juggling myriad projects with limited staff, time and budget. They can’t be superheroes all the time. Providers are getting to the breaking point. Sometimes projects have to be put on the back burner, and in many cases it is privacy and security that gets deferred. But listen up, IT folks: this just may end up costing you more in the end.
Paying a pretty penny
Be certain of one thing: Data breaches come at a premium.
To date, OCR has levied more than $25.1 million in monetary fines against healthcare organizations found to have violated HIPAA privacy and security rules.
Sure, not all groups are slapped with federal penalties, but don’t let that ease any worries; the associated costs can often end up trumping government fines.
You have to consider the legal fees, internal investigations, credit monitoring provisions and outsourced hotline support, in addition to the external investigations. And these dollar signs can sure pile up.
A March report by the privacy research firm Ponemon Institute, for instance, pegged the cost of healthcare data breaches at a towering $5.6 billion annually, industry-wide.
Drilling into the numbers further, healthcare organizations can anticipate handing over $2 million on average over a two-year period. (The lowest two-year costs were pegged at $10,000.) That is actually a 17 percent decrease from last year’s costs, Ponemon officials noted, which can be partly attributed to the slight downtick in the number of HIPAA breaches reported by organizations compared to 2012.
So, your organization had a HIPAA breach, didn’t get hit with a federal fine and came out relatively unscathed with associated costs. Not too bad, right? Not necessarily.
In addition to HIPAA, there are also state and regional fines that can get you rethinking how privacy and security are done.
Managed care giant Health Net will tell you a little something about those. The Woodland Hills, Calif.-based health insurance company learned that its business associate IBM had lost nine unencrypted server drives in January 2011. The drives contained the Social Security numbers, names, addresses and health information of Health Net employees, members and providers.
The company may have dodged federal fines, but that didn’t deter two state attorneys general from filing suit against it. Ultimately, Health Net was required to hand over $625,000 in fines and damages to the Connecticut attorney general and the state insurance commissioner. What’s more, a year later, the company also announced a settlement with Vermont’s attorney general, to the tune of $55,000.
In the realm of patient privacy and security, it’s judicious to consider the medical identity theft and fraud landscape. The more laissez-faire healthcare organizations are in protecting patient data, the higher the chance of fraud.
“Having that much information, storing it all in one place, leaving it unencrypted, hiding it behind weak or default passwords, that would be wholly unacceptable in the financial industry.”
“To give you an example, in 2010 if you received a data breach notification, there was a better than one in 10 chance that you would also be a victim of fraud. In 2012, the correlation jumped to one in four,” said Al Pascual, senior fraud and security analyst for Javelin Research, in an interview with Healthcare IT News last year, discussing a fraud case study report.