In February, healthcare breaches exposed data on 2 million people.
We live in a world where we are forced to make fraught decisions about our data privacy and security. We weigh the chances of an adverse event occurring and its potential damage against other factors, like application usability or access to data needed to perform a business operation. In recent years, new healthcare privacy and security challenges have proliferated because of the industry’s greater reliance on technology and the move to data-driven value-based decision-making. We need to recalibrate our risk perception.
Computer hackers have gotten much more sophisticated. Bad actors now include nation-states and technically skilled criminal organizations mounting highly organized attacks. The dramatic rise in the value of stolen health data, along with increases in ransomware and other attacks, has exposed the security weaknesses of many covered healthcare entities. As the importance of data and data sharing increases, securing that data becomes paramount. We are not keeping up.
New industry players entering the health space from the IT, retail and financial services environments also complicate data security. While these companies promote the use of more diverse sources of data to support payment and care decisions, healthcare policies still built around the HIPAA Security and Privacy rules are not changing fast enough to meet the challenges of non-traditional data and of entities not covered by HIPAA.
The first major healthcare data security policy change in recent years was the 2009 HITECH Act, which broadened the responsibilities of business associates for safeguarding protected health information (PHI) and strengthened the Office of Civil Rights’ (OCR) enforcement ability.
In 2015, Congress passed the Cybersecurity Act. Section 405 of that Act requires HHS to take greater responsibility for ensuring the industry’s compliance with privacy practices and for improving information sharing between the public and private sectors. HHS also formed a public-private task force that issued a comprehensive report to Congress in 2017. The report contained many recommendations on how to improve healthcare security.
Other recent HHS efforts to tackle privacy and security challenges include:
- Last December HHS published a best practices document for healthcare industry players on ways to practice better security “hygiene”.
- The OCR side of HHS issued an RFI containing questions aimed at possibly modifying the HIPAA Privacy and Security Regulations to meet the changes in the industry.
- The CMS and ONC February 2019 NPRMs on interoperability also touched on several security and privacy issues, including the patient identifier.
- The FDA has become more active in looking at medical device security.
Other Federal agencies, including Homeland Security and NIST, are also supporting the HHS efforts. Bottom line: Significant policy changes and industry education efforts have increased, but more needs to be done if we are to meet the demands of the present environment and emerging threats. In my next blog I will address some necessary next steps from my perspective.