As health care record breach statistics spike, and hackers and fraudsters find more and more complex and creative ways to make money off of private health information, some have asked if the current Federal approach to monitoring Health Insurance Portability and Accountability Act (HIPAA) compliance is sufficient.
The Track Record
The Department of Health and Human Services’ Office of Civil Rights (OCR) said between the 2003 launch of the Privacy Rule and Dec. 31, 2015, the agency has received more than 125,445 HIPAA complaints and has investigated and resolved 96 percent of them. Twenty-nine of those cases settled for a total of more than $27 million.
Over the course of that time, OCR has investigated complaints against national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices, discovering the incidents mainly fell into these categories, in order of frequency:
- Impermissible uses and disclosures of protected health information;
- Lack of safeguards of protected health information;
- Lack of patient access to their protected health information;
- Lack of administrative safeguards of electronic protected health information; and
- Use or disclosure of more than the minimum necessary protected health information.
In addition, the dangers are increasing. An article recently published in the MIT Technology Review said hackers are homing in on hospitals, with a 600 percent increase in cyberattacks in that industry over the course of 2014, according to researchers at the security firm Websense.
Efforts to Change Things
The Federal government, in its various forms, has made many efforts to tighten things down when it comes to cybersecurity. Should the Federal government bring cybersecurity under one umbrella agency, as was recently proposed by Republican presidential candidate Ben Carson? The Federal government has been posturing in this direction. On Feb. 24, OCR announced a crosswalk, developed with the National Institute of Standards and Technology (NIST) and the Office of the National Coordinator for Health IT (ONC), that identifies “mappings” between the NIST Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework) and the HIPAA Security Rule. The crosswalk also includes mappings to other commonly used security frameworks.
Under the George W. Bush and Obama administrations, the White House has made efforts to unify cybersecurity efforts under the Comprehensive National Cybersecurity Initiative, while Congress continues to propose a steady stream of cybersecurity laws that only raise more concerns about how to balance the individual’s right to privacy with the protection of the common good.
What Does the Private Sector Say?
But even as lawmakers and regulators wrestle with ways to better secure personal health information, some in private industry recognize the Federal government’s limitations.
Having a single Federal cybersecurity agency would not make a difference, says Charles Weaver, CEO of the International Association of Cloud & Managed Service Providers (MSPAlliance), which has been instrumental in helping Federal agencies and European nations address cybersecurity issues. Weaver said governments only see the tip of the iceberg on the issue because private industry releases a limited amount of what they know to governments. “Right or wrong, that’s just reality,” he says.
Weaver said a better alternative would be to find a way to encourage information sharing between the private and public sectors on how to stop breaches and cyberattacks, so that each can share what it has learned from the incidents it has encountered. “That would be a tremendous value,” he says.
Robert Lord, CEO of Protenus, a Baltimore-based health care security company, said health care records are becoming increasingly enticing to insider threats and other attacks, with an entire medical record selling for $1,000 on the black market, far surpassing the $25 for a Social Security number. Medical records can be used for blackmail, insurance fraud, and abusive ad targeting, to name a few. Since medical records replicate so much of a person’s life, a thief can do a lot of malicious damage, he says.
When it comes to the idea of a single government umbrella for cybersecurity, “the devil is in the details,” Lord says. Fundamentally, cybersecurity agencies are needed at all local levels, he adds.
James Bindseil, CEO of Globalscape and veteran of a decade of cybersecurity consulting, said a unified government approach “wouldn’t help at all.” Though he has known Federal agency cybersecurity experts to include “some of the brightest minds,” they already have their hands full protecting their own environments, he said.
Bindseil said when it comes down to it, the protection of medical records falls into the hands of the front line: health care providers. Some of them do not know enough about how to keep the records safe, and some opt not to invest in more secure methods because of tight margins, since the return on investment doesn’t appear to be there for them.
Greg Douglas, who leads Yorktel’s public sector team, said from a personal point of view, the construction of a new agency would need to have a very clear mission to avoid redundancy.