SAN FRANCISCO – Ali Pabrai said it best at this week’s fifth national HIPAA Summit West at the Grand Hyatt in downtown San Francisco.
Leading off Day 2 Wednesday, September 21, Pabrai, a data security expert, said 97% of chief information officers are concerned about data security.
“My question is, ‘Who are these other three percent?’” Pabrai asked to the loudest laughs of the week among the hundreds of attendees.
Pabrai, MSEE, CISSP (ISSMP, ISSAP), of HIPAA Academy and ecfirst out of Newport Beach, CA, delivered a message that resonates with HIPAA privacy and security officers: Everyone, especially those in healthcare charged with protecting the privacy of patient information, needs to be concerned about data security.
The numbers at the HIPAA Summit this week told the story:
- 1 in 4: Organizations reporting a data breach (Pabrai)
- 250,000 to 500,000: Medical identity thefts (Pabrai)
- 330: Organizations reporting a breach of unsecured protected health information (PHI) affecting 500 or more individuals since September 2009 (Office for Civil Rights, or OCR)
- 34,000: Number of reports of breaches submitted to OCR affecting fewer than 500 individuals (OCR)
How the 500-or-more breaches occurred:
- Theft: 50%
- Unauthorized access/disclosure: 20%
- Loss: 16%
- Hacking/IT incident: 7%
Where the breached PHI was held:
- Paper records: 24%
- Laptop: 23%
- Desktop computer: 17%
- Portable electronic device: 16%
- Network server: 10%
In August, McAfee reported that hackers broke into the United Nations data system and hid there for two years unnoticed, Pabrai said.
“How do we know that someone isn’t hiding in our systems, and how long have they been there?” Pabrai asked the audience. “Do we have appropriate controls? What is the state of our information security?” Do you have intrusion detection and intrusion prevention in place?
“This is not just a compliance issue,” Pabrai said. “This will have significant risk to the organization and will impact your facility in the seven figures.”
Too many duties
So what are the struggles today for privacy and security officers?
In some cases, many in these roles are performing too many tasks. For example, the privacy officer is also the health information management director, the security officer is also the compliance officer, or the compliance officer handles privacy complaints.
These dual roles should be avoided where possible, said Phyllis A. Patrick, MBA, FACHE, CHC, president, Phyllis A. Patrick & Associates, LLC, Purchase, N.Y.
In many organizations, the compliance officers have been given the role of privacy officer, but Patrick said they’re different roles with different regulations.
“I don’t advocate that the compliance officer also be the privacy officer,” Patrick told the audience Wednesday, though she does recognize many smaller facilities have to do so.
Policy on policies
What suffers when privacy and security officers are doing too many things? Policies and procedures that don’t get updated or delivered and staff members who are not properly educated on them.
In some cases, as with the Pittsburgh Pirates and social media, the policies were never written at all.
Angel Hoffman, RN, MSN, corporate quality/compliance officer, Kane Regional Medical Centers and principal, Advanced Partners in Health Care Compliance in Pittsburgh, told the audience Wednesday the Pittsburgh Pirates fired someone for inappropriate Facebook posts about the organization.
But the Pirates did not have a policy for social media use, and because of that, had to rehire the employee.
Hoffman said organizations must also have a sanctions policy, because a policy without enforcement is of little use.
Remind employees that once something is written online, it never goes away, Hoffman said. Organizations cannot ban social media use among their employees, but they must have a policy for it and educate employees on the consequences of inappropriate posts.
Even OCR says you need to have strong policies.
“Make those real,” Michael Leoz, OCR deputy regional manager in San Francisco, told the audience Tuesday, referring to HIPAA privacy and security policies and procedures. Don’t just have them sit on the shelf.
In the case of patient records left on a subway by a Massachusetts General Hospital employee in Boston, Leoz said OCR found the policies and procedures that were in place were not adequate for HIPAA privacy and security compliance. This led to a $1 million settlement and a corrective action plan.
And what good are a policy and an education plan if your senior management and board members aren’t behind you?
One such HIPAA privacy officer at the Summit said he does not have that problem. He told us a great story dispelling an accepted belief that hospital boards are not engaged in HIPAA compliance issues.
When the officer rolled out some online learning to his staff at his large healthcare system, he got his first notification of a completed quiz 20 minutes later.
From whom? The chairman of the board of directors for the hospital system. And that’s the same chairman with whom this privacy officer meets monthly.
Disengaged? Hardly. At least not at this facility.
HIPAA audits coming
That’s a good thing, because OCR, or at least its contractor KPMG LLP, could come knocking starting this fall and into next year, thanks to the $9.2 million audit program funded under the HITECH Act.
Leoz of OCR said the audits will review covered entities’ approach to HIPAA compliance. He said the audits would lead entities to take more preventive measures rather than creating a reactive culture, and would increase the potential for learning among covered entities.
About 20 to 25 covered entities will be part of a testing phase.
“We’re going to try to look at different types of covered entities,” Leoz said. OCR’s contractor will look for what programs different kinds of covered entities have in place.
“We will give an advance notice of the audit,” Leoz said. “There will be a comprehensive data request and some on-site visits from OCR contractors who will interview covered entities’ staffs.”
2012 – and down the road
As for your organization’s HIPAA 2012 and beyond compliance efforts?
The important information security ventures for an organization in 2012 will be encryption, encryption and encryption, Pabrai said.
And right behind encryption? Authentication.
William R. Braithwaite, MD, PhD, “Doctor HIPAA,” chief medical officer, Anakam, Inc., said at the Summit the healthcare industry needs to have strong authentication. That means multi-factor authentication for patients who want remote access to their records.
For instance, have patients enter a username and password, then send a one-time code from that login to the patient’s cell phone as a second factor before granting access.
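As an added example of the flow Braithwaite describes (not code from the Summit, Anakam, or the original article), here is a minimal server-side second factor: a random one-time code issued after the password check, stored only as a salted hash, verified with a constant-time compare, and voided on expiry, reuse, or too many wrong guesses. The five-minute lifetime, five-attempt limit, and the `send_sms` stub are assumptions made here; `SecondFactor`, `issue`, and `verify` are names chosen for this illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example of the second-factor step described above: after the
# username/password check succeeds, the portal issues a short numeric code,
# delivers it out of band, and grants access only when the patient submits
# the same code before it expires.  Nothing here is Anakam's or the Summit's
# code; the constants and the SMS stub are assumptions for illustration.

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumption: the code is valid for five minutes
MAX_ATTEMPTS = 5         # assumption: the challenge is voided after five guesses

SENT_MESSAGES = []       # stand-in for an SMS gateway; holds (username, code)


def send_sms(username, code):
    """Stub for out-of-band delivery; a real deployment calls an SMS gateway."""
    SENT_MESSAGES.append((username, code))


def _digest(salt, username, code):
    # Bind the code to the user and salt it so a leaked table of pending
    # challenges cannot be replayed or brute-forced offline.
    return hashlib.sha256(salt + f"{username}:{code}".encode()).digest()


class SecondFactor:
    """Server-side state for one-time codes sent after a password login."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested
        self.pending = {}           # username -> challenge record

    def issue(self, username):
        """Call only after the password check passed; returns the delivered code."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        salt = secrets.token_bytes(16)
        self.pending[username] = {
            "salt": salt,
            "digest": _digest(salt, username, code),
            "expires": self.clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        send_sms(username, code)
        return code

    def verify(self, username, submitted):
        """Return True exactly once for the live code; False for wrong, stale, reused or locked."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        if self.clock() > entry["expires"]:
            del self.pending[username]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[username]      # too many guesses: force a fresh login
            return False
        candidate = _digest(entry["salt"], username, submitted)
        if hmac.compare_digest(candidate, entry["digest"]):
            del self.pending[username]      # one-time use: the code cannot be replayed
            return True
        return False


if __name__ == "__main__":
    sf = SecondFactor()
    code = sf.issue("patient42")
    print("delivered:", SENT_MESSAGES[-1])
    print("wrong code accepted?", sf.verify("patient42", "nope"))
    print("right code accepted?", sf.verify("patient42", code))
    print("replay accepted?", sf.verify("patient42", code))
```

The points worth noting are that the code is bound to the username and never stored in the clear, so a dump of the pending table does not help an attacker, and that each code is accepted at most once, so an SMS intercepted and replayed later is useless.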
And as for tracking who’s looking at what, that can’t be a generic effort, Pabrai says.
“There are too many generic accounts across the industry where you cannot trace an action back to an individual,” Pabrai said. “The user has to be able to trace things back to individuals, and you just cannot do that with generic accounts.”
And don’t forget social media, Pabrai said, because hospital employees can transmit information across a 3G or 4G network and bypass the organization’s firewall entirely.
“You may take a photograph now, and you’re transmitting that information about patients across a network structure that even the best organizations with the best security controls cannot” protect.
Social media, Pabrai said, is an “area of significant challenge.”
Hopefully it is for those three percent Pabrai mentioned as well.