Guest post from Brian Lapidus

I have used this blog to talk a lot about data security and how to prevent data breaches. Several times I have referenced studies by Kroll’s Fraud Solutions division. I was contacted by Brian Lapidus, chief operating officer for Kroll’s Fraud Solutions division, who has offered to share some very insightful information about how healthcare organizations can improve their data security measures.

As the healthcare industry prepares for a major shift to EHRs over the next several years, providers must take important steps to make sure their data security practices are in good health.

Protect outsourced data. Your organization must know exactly where and how your data is stored with all of your third-party vendors. This includes service providers, like labs, as well as internal service arrangements like remote hosting or backup storage facilities. If the organization is considered a Covered Entity (CE) under HITECH, your Business Associates (BAs) are required to notify you if they have a breach. However, it is the CE’s responsibility to notify the affected individuals and the appropriate federal entities. Specifically:

  • Know where data stored by BAs is physically located, particularly if it is going to an offshore facility – depending upon the laws of that country, the BA may be under no obligation to notify you in the event of a breach or to turn over evidence in legal discovery.
  • If you haven’t already done so, make sure all of your BA contracts contain strong provisions regarding data privacy and security and detailed guidelines on what to do in the event of a breach. This should include proof of employee training and background checks – two fundamental aspects of a good security plan. Half of the respondents to the HIMSS survey indicated that they did not require proof of employee background checks from third-party vendors, and 40 percent didn’t require proof of employee training.

Make sure all portable media devices are fully encrypted. HITECH specifies notification in situations where the PHI that has been lost or stolen is “unsecured” – that is, PHI that has not been rendered unusable or unreadable through some means, generally through encryption. Full disk encryption, especially of portable media devices, is a valuable means of securing any and all sensitive information, and regulators are increasingly looking to encryption as a means to ensure compliance with privacy and security laws. For instance, Nevada has legislation that went into effect at the first of the year that, in general terms, requires the encryption of all personal data transmitted electronically, except via fax. In making the case for encryption, make sure organizational decision makers understand that “password protection” does not equate to encryption. Kroll has had clients who thought they were covered when a laptop was stolen because it was password protected, but this is still considered unsecured data under HITECH provisions.

Train your staff. Employee training is the most important thing an organization can do to ensure that its privacy and security policies are correctly implemented. The most successful organizations make training part of the culture, compared with organizations that limit training to reviewing a manual and signing an agreement. Employees of healthcare organizations often have widely varying responsibilities and points of contact with patient data, so it’s important to construct a training program that is relevant to job function and the level of sensitive data handled. We see many organizations make the mistake of not training employees on relevant new legal requirements, new security threats and other current topics. Simply learning how to detect a breach of information can be invaluable, given the notification timelines under HITECH.

Plan for an event, and then test your plan. The HITECH act specifies that notification must occur “without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.” Let’s face it – from the moment you uncover a breach, every second counts. That’s why all healthcare organizations are under pressure to develop and implement a breach preparedness and actionable incident response plan. But having the plan is not enough; in light of the rigorous requirements, it’s best to make sure the plan is thoroughly tested and frequently reviewed for updates in the event of changes within the organization. Testing may include a tabletop drill, in which all stakeholders are brought together for a “dry run” of the response plan in the face of a mock breach scenario. Additionally, don’t be afraid to study other organizations’ breach events and learn from the experiences of others, as these real-life cases can be great teachers.

Understand the complexity of breach response and notification requirements. Even though the new requirements are federal, your organization will still be required to comply with state laws that govern the breach of PII and PHI. Depending upon the number of affected individuals, among other variables, your notification requirements under HITECH (and other applicable state laws) could include notifying the Department of Health and Human Services (HHS), the Centers for Medicare and Medicaid Services (CMS), local media and state attorneys general offices, as well as affected businesses. Missing deadlines could result in hefty penalties or fines. Clearly, notification is about far more than mailing a letter. Perform a little due diligence and prepare a list of possible vendors that can assist in coordinating breach response, crisis communication and notification responsibilities. Depending upon the size and scope of the breach, bringing in outside help is sometimes essential to maintaining the day-to-day operations of the organization.

It is important to remember that, although the provisions that appear in the legislative text of HITECH are aimed at expanding the use of electronic records, most of the privacy and security provisions apply to both electronic and paper records. Whether an organization plans to go electronic or not, the pre-breach checkup will be essential in being compliant with federal and state regulations.

For more information on data security issues, visit www.krollfraudsolutions.com or check out the new Kroll blog “A Dialogue on Data Security.”

Brian Lapidus, Chief Operating Officer, Kroll Fraud Solutions

Brian Lapidus has unique frontline experience helping a wide variety of corporations and organizations safeguard against and respond to data breaches. With an extensive background in organizational development, today he sets direction for the company’s continued success in identity theft discovery, investigation and restoration. Lapidus is particularly knowledgeable about the many security gaps – physical, procedural and electronic – common to many U.S. companies and organizations, as well as the criminal landscape where stolen identities are bought, sold and used. He oversees a highly skilled team that includes veteran licensed investigators who specialize in supporting breach victims and restoring individuals’ identities to pre-theft status.

He also is working with consumer organizations to help ensure responsible practices among businesses that provide identity theft-related services. Lapidus has a bachelor’s degree from Washington University with concentration in psychology and business and an MBA from Vanderbilt with concentration in strategy and general management.


HITECH Breach Reporting Rule Withdrawn

HHS has withdrawn the Interim Final Rule for Breach Notification for Unsecured Protected Health Information. On the HHS website there is a notice that states:

The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009.  During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments.

HHS reviewed the public comment on the interim rule and developed a final rule, which was submitted to the Office of Management and Budget (OMB) for Executive Order 12866 regulatory review on May 14, 2010.  At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations.  This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur.  We intend to publish a final rule in the Federal Register in the coming months.

Consumer advocates have criticized the HITECH breach reporting rules and point specifically to the “harm standard”. The “harm standard” allows healthcare organizations to determine whether a breach of patient information presents a significant risk of harm to the affected individual(s). Healthcare organizations would most likely perform a risk assessment to determine whether the breach presents a significant risk of financial, reputational or other harm to an individual. Critics of the proposed rule say that allowing the healthcare organization to decide whether the risk is significant, and therefore whether the breach needs to be disclosed, would result in many breaches going undisclosed. Critics argue that the “harm standard” should be removed from the final rule and that all breaches should be disclosed.

I have mixed feelings on the “harm standard” and whether it should be included in the rule or removed from the rule. On one hand I think the “harm standard” makes a lot of sense. Assume a laptop is lost and it contains patient information (assuming the laptop was not encrypted), and then the laptop is returned 10 days later and it is also determined that the information on the laptop had not been accessed. Under the “harm standard” a healthcare organization will most likely determine that there was no risk to the patients whose information was on the laptop, and therefore no breach notification would be required. I would tend to agree with the determination not to disclose the breach because no patient information was accessed and no harm was done to the patient.

On the other hand, if a laptop is lost and it contained patient information and was not recovered, then I believe that the breach should be disclosed. Under the “harm standard”, a healthcare organization could perform a risk assessment, determine that the cost of reporting the breach was more than the risk to the patient, and decide not to disclose the breach. In this example I disagree with the “harm standard” and think it would be wrong for a healthcare organization to make the determination that the breach should not be disclosed.

As you can see, the “harm standard” is not black and white. In some cases it makes sense and in others it does not. HHS will have a challenge revising the rule so that patients are properly protected while, at the same time, not every incident leads to a breach notification.


Data breach of over 5,000 patient records

It seems like almost every week there is another report of a breach of personal health information. A story over at HealthLeaders Media reports that The Medical Center at Bowling Green is notifying 5,418 patients of a theft of a computer drive. The drive contained personal health information including:

patient’s full name, date of birth, address, medical record number, and physician name. Some patients’ records also include Social Security numbers, weight, height, and menopause age.

In a statement posted on its website, The Medical Center at Bowling Green said this about the data:

The information on the hard drive was not encrypted; however, the hard drive was maintained in a locked, non-public, private area.

Of course, if the data had been encrypted there would have been no need to notify anyone of the hard drive theft.

The take-away is that every medical practice and medical facility has to start looking into and implementing data encryption.


Costly data breach for BlueCross

A break-in at a mall has cost BlueCross BlueShield of Tennessee $7 million and counting. As noted in this Newsweek article:

On Oct. 2, someone stole 57 hard drives from a closet at the health insurance company’s training center in Chattanooga’s Eastgate Town Center mall. The drives contained recordings of more than 1 million customer support calls, totalling 50,000 hours of conversation. There were also 300,000 screen shots, showing what BlueCross representatives had on their computer monitors at the time some of the calls were made.

In most of the calls, subscribers provided their BlueCross ID number, name and date of birth — not enough information for criminals to pull off an identity theft scam. But in some calls, Medicare subscribers provided what’s known as a Health Insurance Claim (HIC) number, which contains the subscriber’s Social Security number. Many of the screen shots also include Social Security numbers, and that information can be used in identity theft.

An attorney from BlueCross said in a letter to the Maryland attorney general that the data on the hard drives was encoded but not encrypted. Encoded data can be read by anyone who knows the format; encrypted data would need the passcode or key to decrypt and read it.
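The distinction the letter draws, and the earlier point that “password protection” is not encryption, as an added Go example that is not part of the post: a base64 “encoded” record is read straight back by anyone holding the drive, while an AES-GCM encrypted record opens only with its key and rejects a wrong one. The record string is constructed; the 32-byte key is an assumption of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Constructed sample (not real data) of a field a stolen call recording or screen shot would expose.
var sampleRecord = []byte("subscriber=J. Doe;hic=EXAMPLE-000-00-0000A")
// Encoding only changes representation: anyone holding the drive reverses it with the public base64 alphabet.
func Encode(plain []byte) string { return base64.StdEncoding.EncodeToString(plain) }
func DecodeWithoutKey(enc string) ([]byte, error) { return base64.StdEncoding.DecodeString(enc) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt: AES-GCM with a fresh random nonce prepended; without the key the stored bytes reveal nothing.
func Encrypt(key, plain []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// Decrypt fails authentication under the wrong key instead of returning garbage.
func Decrypt(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad key or truncated ciphertext: %v", err)
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

func main() {
	got, _ := DecodeWithoutKey(Encode(sampleRecord))
	fmt.Printf("encoded record read back with no key: %s\n", got)
}
```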

Over the past five months, the company has employed a small army of workers to sort through the aftermath of what has proved to be a large and complex breach. Late last year, BlueCross and forensics company Kroll OnTrack employed 500 full-time workers and 300 part-time employees, working in two shifts, six days a week, to piece together what happened.

So for the past five months, BlueCross has been sorting out which of its 3 million customers to notify of the breach. “Unfortunately, after checking with numerous vendors throughout the country, an electronic solution could not be formulated, and a largely manual review of audio and video files has been necessary,” BlueCross said in the letter, dated Dec. 16.

“We made the decision that there is really no substitute for actually manually going through it and looking at the video screens or listening to the audio,” said Roy Vaughn, a BlueCross BlueShield of Tennessee spokesman. “It has to be reviewed.”

The costs keep tallying up:

The process has cost more than US$7 million so far, and it will be several months more before the notification effort is concluded, Vaughn said.

The HITECH Act requires media and regulatory notifications. In the letter to the Maryland attorney general they mention:

The HITECH Act requires that we provide media notice to any jurisdiction where over 500 members may reside; therefore, we are also notifying all Attorneys General in these states so they may also be aware of our activities and could address questions they may receive from our members who reside in their states

A few points to think about regarding this incident are:

  1. This did not occur at the BlueCross headquarters but at a rented location. So no matter how well they secured their offices and network, a HIPAA security breach still occurred.
  2. Data that leaves your headquarters, office or building on a laptop, desktop, USB drive, smartphone, etc., and that is not encrypted is a liability waiting to happen.
  3. HIPAA and HITECH data breaches can be extremely costly, not only from a HIPAA fine perspective but also from the manpower and lost productivity required to react to the data breach.
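The notification facts carried across these posts (encrypted PHI is “secured” and needs no notice, notice is due no later than 60 calendar days after discovery, and media and attorney general notice goes to every state where over 500 affected members reside), written out as an added Go example that is not part of the posts. The per-state counts in the test are constructed; the thresholds come only from the quoted text above.

```go
package main

import (
	"sort"
	"time"
)

// Breach holds the facts the posts above say decide notification duties.
type Breach struct {
	Discovered      time.Time
	EncryptedAtRest bool           // encrypted PHI is "secured", so no notice is owed
	AffectedByState map[string]int // affected individuals per state (constructed input)
}

// Obligations is the checklist derived from those facts.
type Obligations struct {
	NotifyIndividuals bool
	Deadline          time.Time // outer bound: 60 calendar days after discovery
	MediaAndAGNotice  []string  // states where more than 500 affected members reside
	TotalAffected     int
}

const (
	notificationWindowDays = 60  // "in no case later than 60 calendar days"
	mediaNoticeThreshold   = 500 // "over 500 members may reside"
)

// Assess applies the thresholds; "without unreasonable delay" makes the deadline a ceiling, not a target.
func Assess(b Breach) Obligations {
	var o Obligations
	for _, n := range b.AffectedByState {
		o.TotalAffected += n
	}
	if b.EncryptedAtRest || o.TotalAffected == 0 {
		return o
	}
	o.NotifyIndividuals = true
	o.Deadline = b.Discovered.AddDate(0, 0, notificationWindowDays)
	for state, n := range b.AffectedByState {
		if n > mediaNoticeThreshold {
			o.MediaAndAGNotice = append(o.MediaAndAGNotice, state)
		}
	}
	sort.Strings(o.MediaAndAGNotice) // map order is random; keep output stable
	return o
}

func DaysRemaining(o Obligations, now time.Time) int {
	return int(o.Deadline.Sub(now).Hours() / 24) // negative once the deadline is missed
}
```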