Guest post by Stephen Cobb, senior security researcher, ESET.
Whatever you thought of President Obama’s penultimate State of the Union address, you have to admit it set some sort of record for the most words devoted to issues of data privacy and security (198 by my count). Furthermore, those words alluded to a raft of statements and announcements on these topics that were published in the days leading up to the speech. In short, it is clear that this President wants to make some changes with respect to cybersecurity and data privacy. What is not yet clear is how those changes will affect healthcare IT and the management of electronic health records. Will breach notification requirements change? Will penalties for breaches be increased?
The answers are not entirely clear at the moment. For a start, the President is a Democrat, but Republicans control the House and Senate, so it is hard to know which of his proposals will be enacted. That said, it is better to look at them now and ask questions, engaging in the debates they are bound to provoke, than to wait and see what new laws finally emerge. For example, the President proposes to enact a single national data breach notification law, with a 30-day deadline, in place of the scores of different state breach laws that companies currently have to comply with. How will that affect electronic health records?
The answer may be “very little,” and that could be good news for electronic health records and health IT. In its current form, the proposed Personal Data Notification & Protection Act does not disrupt the existing federal notification requirements for health data breaches. The draft legislation does not apply to HIPAA covered entities and business associates, nor to the vendors of personal health records (PHRs) covered by the FTC rule. Here is a boiled down version of the current language, which I have put in quotes to show it comes from the bill: “Nothing in this Act shall apply to business entities to the extent that they act as covered entities and business associates subject to the HITECH act (section 17932 of title 42), including the data breach notification requirements and implementing regulations of that act. Nor will it apply to business entities to the extent that they act as vendors of personal health records and third party service providers subject to the HITECH act.”
If the law were to be passed with that language intact, it would leave in place what many of us still think of as the HIPAA 60-day notification deadline (notification “without unreasonable delay” and in no case later than 60 calendar days after discovery), as well as the FTC 30/60-day PHR regime. And when you are trying to comply with a regulatory regime, a lack of change can be good. Another way of looking at the breach notification issue is that the healthcare sector, while often maligned for leaking data, is actually a pioneer in notification. The HIPAA privacy requirements were already in force before California passed the first of the state breach notification laws, which now exist in some form in more than 40 states (creating the patchwork regulatory nightmare that the President’s unified federal law seeks to dissolve).
The healthcare industry has lived with the OCR “wall of shame” for more than five years now. And that wall has given us a way to measure the problem that does not exist in other industries. Consider the number 24,800. That’s how many HIPAA-protected records were exposed per day in 2013, according to my calculations using the OCR data. I think everyone would agree that number is too high, but compared to 145,000, it is pretty small.
That big number is roughly what you get when you divide the number of records exposed in 2014’s biggest retail hack (The Home Depot) by 365. Or how about 208,000: the number of households affected by the 2014 JPMorgan Chase breach, divided by 365. When you look at the numbers that way, per day rather than per incident, the EHR sector does not look quite so leaky.
Of course, one could argue that medical record exposure is potentially more damaging than financial account compromise. I would agree, but consider this: retail and financial sector breaches are almost always the result of criminal intent. The same is not true of many of the incidents on the OCR wall of shame, which include lost or stolen devices and misdirected records as well as deliberate attacks. That is no cause for complacency: criminal attacks on health records are on the rise. But here again, the State of the Union had some good news: plans to beef up the cybercrime laws. After all, breach notification imposes a burden on organizations that are, in many cases, themselves victims of a crime such as data theft. In the long run, a more effective approach to cybercrime deterrence, one that drastically reduces the number of criminally motivated breaches, would be a bigger win for data privacy and security than any breach notification legislation could achieve.