Just a few weeks ago, Lincoln Medical and Mental Health Center learned a hard lesson. If you didn’t see the news reports, the N.Y.-based healthcare provider notified over 130,000 individuals that their records — including diagnostic information, Social Security numbers, dates of birth, and other information of use to identity thieves — were potentially lost.
The total impact to the institution is difficult to quantify. Obviously no organization wants the negative press. It’s the kind of thing that loses patients and makes the institution less appealing when trying to attract physicians.
Despite the hard hit in the public eye, the events leading up to it were actually somewhat pedestrian. It all started with a CD lost in transit via FedEx from Lincoln to Siemens Medical Solutions. Not so long ago, a lost CD would have been practically a non-issue — a few phone calls, a new burn of the disc, a resend of the package, and it would have been over. Most institutions, given this same set of circumstances, would have tried their level best to keep the details out of the public eye. But ever since the HITECH Act was signed into law in February of last year, it’s a different ballgame.
Under the breach notification requirements of the HITECH Act (Title XIII of the American Recovery and Reinvestment Act), lost or stolen unencrypted records such as these require notification to Health and Human Services, which results in the institution being posted on HHS’ “wall of shame,” its public list of breaches involving more than 500 individuals. If you go to the HHS website right now, you’ll see this incident listed there — along with an ever-increasing laundry list of other institutions in the same boat.
This very public example of HITECH in action underscores just one of the many ways that the law has altered the way that healthcare does business. While the full impact of the law won’t be seen for quite some time to come, we’re starting to see some radical changes in the way that hospitals approach security and compliance.
From a provider point of view, probably the biggest impact from a security and compliance standpoint stems from the relatively strict breach disclosure requirements within the law. Covered entities not only need to notify in writing the individuals whose data was lost, but they also are required to notify HHS of the data loss. In instances where more than 500 records are impacted, the situation is compounded: Not only are covered entities required to notify HHS sooner rather than later (the 500-record bar requires immediate notification of the breach to HHS), but they are also required to notify the press (i.e., “… prominent media outlets within the state or jurisdiction …”) of these large-scale breaches.
These requirements are a sea change from how the industry has handled breaches in the past. Serial hospital CIO Steve Tarr, president of healthcare consultancy Steve Tarr Consulting and author of Yes You! Yes Now! Leadership, points out just how new this is in the healthcare culture: “While most organizations have very effective public relations teams, I think media notification is a whole new world in a breach context.” He goes on to point out that providers are somewhat loath to address the issues head-on because they’re still coming up to speed. “So many organizations I’ve worked with want to keep breaches hush-hush that they have not developed effective processes for events they hope will never happen,” he said.
However, covered entities are not alone in shouldering the burden of these more stringent rules. Business associates also have a role to play under the new provisions. Business associates now need to make sure that they report possible breaches to partners/customers and that they provide enough data for the covered entities to tell who was impacted and what type of data it was — in other words, enough data for covered entities to fulfill their disclosure obligations. Whereas in the past a breach might occur at a business associate with nobody at the covered entity the wiser, HITECH now specifically requires the business associate to notify their partner so that the individuals impacted can be apprised.
In addition to expanded disclosure provisions for business associates, HITECH also changes the landscape for them in that they now have a higher bar to meet in terms of their own security requirements. Under the law, business associates now have to meet the same bar as covered entities when it comes to the security rule. In the past, it wouldn’t be unusual for a provider such as a hospital or health system to have very aggressive security controls but then pass data off to business associates with lax or nonexistent security controls. Not so now.
How are vendors responding to this? From the covered entity’s perspective, Tarr says that the responses from vendors have been a mixed bag. “Some vendors are more on-the-ball than others and are very quick with their awareness and changes. Others don’t even see changes coming and are more reactive. It is a factor when selecting vendors,” he said.
Clearly, as applications move outside of the provider (for example, due to cloud computing) and more and more vendors move in to participate, rising numbers of vendors, hosting providers, and other service providers find themselves becoming “business associates” and inheriting security requirements that they’re unfamiliar with. Even vendors not specifically targeting the healthcare market may find themselves in the direct path of the regs and obligated to change how they do business in response. Vendors seeking to court healthcare clients will now need to pitch not only functionality but a compliance message as well.
So clearly the rules of security are changing. Since the requirements are new, it’ll take some time for everyone — covered entities and business associates alike — to get up to speed. But Tarr is convinced that, while the road might be difficult in the short term, most institutions are well-equipped because of their history of heavy regulation. “Healthcare is so highly regulated that compliance teams are accustomed to new rules from somewhere — all the time,” he said. “So from that perspective, HITECH is significant and fits right in.”
Ed Moyle is currently a manager with CTG’s information security solutions practice, providing strategy, consulting and solutions to clients worldwide, as well as a founding partner of Security Curve. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development.