Guest post by Stephen Cobb, senior security researcher, ESET.
Whatever you thought of President Obama’s penultimate State of the Union address, you have to admit it set some sort of record for the most words devoted to issues of data privacy and security (198 by my count). Furthermore, those words alluded to a raft of statements and announcements on these topics that were published in the days leading up to the speech. In short, it is clear that this President wants to make some changes with respect to cybersecurity and data privacy. What is not yet clear is how those changes will affect healthcare IT and the management of electronic health records. Will breach notification requirements change? Will penalties for breaches be increased?
The answers are not entirely clear at the moment. For a start, the President is a Democrat, but Republicans control the House and Senate. In other words, it is hard to know which of his proposals will be enacted. That said, it is better to look at them now and ask questions, engaging in the debates they are bound to provoke rather than wait and see what new laws finally emerge. For example, the President proposes to erect a single national 30-day data breach notification law in place of the scores of different state data laws that companies currently have to comply with. How will that affect electronic health records?
The answer may be “very little” and that could be good news for electronic health records and health IT. In its current form, the proposed Personal Data Notification & Protection Act does not disrupt existing federal notification requirements related to health data breaches. The draft legislation does not apply to HIPAA covered entities and business associates, nor the FTC covered vendors of personal health records. Here is a boiled down version of the current language which I have put in quotes to show it comes from the bill: “Nothing in this Act shall apply to business entities to the extent that they act as covered entities and business associates subject to the HITECH act (section 17932 of title 42), including the data breach notification requirements and implementing regulations of that act. Nor will it apply to business entities to the extent that they act as vendors of personal health records and third party service providers subject to the HITECH act.”
If the law were to be passed with that language intact, it would leave in place what many of us still think of as the HIPAA 60-day notification deadline, as well as the FTC 30/60-day PHR regime. And when you’re trying to comply with a regulatory regime, a lack of change can be good. Another way of looking at the breach notification issue is that the healthcare sector, while often maligned for leaking data, is actually a pioneer in notification. The HIPAA privacy and security requirements were in play even before California passed the first of the state breach notification laws, which now exist in some form in more than 40 states (creating the patchwork regulatory nightmare that the President’s unified federal law seeks to dissolve).
Guest post by Stephen Cobb, senior security researcher, ESET.
HIPAA’s privacy and security rules are often labeled as being burdensome and restrictive. The rules are increasingly criticized as ineffective and people wonder how an organization can be HIPAA compliant and still suffer a breach of protected health information.
A medical approach to answering that question might be to think about infection prevention and control. Infection control protocols exist to prevent the spread of infectious diseases. However, a patient can get infected at a hospital or clinic that has such protocols in place. The reasons for such anomalies include lapses in conformance to the protocol and inappropriate protocol relative to potential infection vectors.
Such language maps closely to the demands of healthcare data protection, which could be described as the prevention and control of unauthorized access to protected health information. Clearly there is a need for healthcare organizations and their employees to fully comply with “policies and procedures that are appropriate to the threats.” Getting people to comply requires organizational commitment from the top down, backed by the adequate equipping and educating of staff at all levels.
But what if those policies and procedures are not appropriate to the threats? What if the infection vectors are different from those you trained to defend against, or the threat agent more virulent than you supposed? That’s where a lot of health data security breaches occur, in that gap between established practices and emerging threats. The difference between being “HIPAA compliant” and “secure” often comes down to underestimating threats. Continue Reading
By Stephen Cobb, senior researcher, ESET North America.
The benefits of making health records available electronically would seem to be obvious. For a start, faster access to more accurate patient information – which is one of the promises of EHRs (electronic health records) and HIEs (health information exchanges) – could save lives. The author of a recent report on the many thousands of lethal “patient adverse events” that occur in America every year, Dr. John T. James, pointed to “more accurate and streamlined medical recordkeeping” as a top priority in the effort to reduce these deadly medical errors. Yet headlines about healthcare facilities exposing confidential patient data to potential abuse have been all over the media this year. So, will security issues and privacy concerns stymie EHR adoption or slow down HIE rollouts?
Today, more than half of all Americans probably have at least some part of their medical record stored on computer. In January, the CDC reported that roughly four out of five office-based physicians are now using some type of EHR system, up from one in five in 2001. A few months later, in a Harris poll sponsored by ESET, only 17 percent of adult Americans said that, to their knowledge, their health records were not in electronic format.
During that same survey of 1,734 American adults, we asked “are you concerned about the security and privacy of your electronic patient health records” and 40 percent said they were. Slightly more of them, 43 percent said they were not. However, if we take out the 17 percent whose records were not in electronic format, the “concerned or not?” question breaks down as 48 percent Yes, versus 50 percent No, a statistical tie.