Schwartz On Security: Your Medical Records At Risk

As people's private medical records increasingly get stored in electronic format, a question looms: Will our records be stored securely, so that they can't be easily stolen or publicly released en masse?

The Health Insurance Portability and Accountability Act (HIPAA), passed 15 years ago, was created to ensure that the healthcare industry kept patient data secure. Interestingly, however, since the passage of the HITECH Act in 2009, which was supposed to strengthen HIPAA enforcement, there's only been a single HIPAA fine over poor healthcare data security practices.

Perhaps the healthcare industry is doing a great job of keeping our patient data secure, and funding for HITECH enforcement should be cut, as some members of Congress have proposed.

Except that the healthcare industry doesn't appear to be properly protecting patient data. According to a survey conducted by certificate authority GlobalSign and released last week, in the past two years, one-third of surveyed healthcare organizations said they'd experienced a data breach involving patient records.

Furthermore, two new audits of the government agencies charged with setting and enforcing healthcare data security standards found that hospitals, healthcare organizations, and state agencies are failing to properly protect people's personal health information. In the audits, the Department of Health and Human Services (HHS) Office of the Inspector General (OIG) criticized both the Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC) for failing to properly enforce HIPAA. It also found that data is being put at risk, and even stolen without hospitals' knowledge.

What's the problem? For starters, there's strong evidence of bystander effect--numerous agencies are involved, but none seem to be in charge. That's in spite of the government pouring billions of dollars into converting the healthcare industry to electronic patient records. Arguably, there's never been a better time for the government to demand stringent data security standards in return for a piece of the pie.

Current hospital data security practices appear to be woefully inadequate. Indeed, OIG auditors also investigated electronic protected health information (ePHI) practices at seven hospitals across the nation. They found "151 vulnerabilities in the systems and controls intended to protect ePHI, of which 124 were categorized as high impact," according to the OIG's report. Threats included ineffective wireless encryption, rogue access points, missing firewalls, laptops storing unencrypted ePHI, outdated antivirus signatures, failing to apply critical operating system patches, and unlocked data centers.

"These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk," according to the report. "Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries' personal data and performed unauthorized acts without the hospitals' knowledge."

Who's to blame? Auditors slammed the Centers for Medicare and Medicaid Services--and its Office for Civil Rights (OCR)--for failing to proactively assess any hospitals' compliance with HIPAA. "Although OCR stated that it maintains a process for initiating covered entity compliance reviews in the absence of complaints, it provided no evidence that it had actually done so," according to the report.

If that sounds familiar, it's because government auditors found that the Centers for Medicare and Medicaid Services were similarly failing to enforce HIPAA security rules back in 2008. At the time, CMS leadership argued that "its complaint-driven enforcement process has furthered the goal of voluntary compliance," according to the 2008 audit. But given the number of data security vulnerabilities found in the seven recently audited hospitals, the voluntary compliance regime appears to be failing. Furthermore, if not even hospitals know when patient data is being stolen, who's going to complain?

Likewise, HHS last week proposed changes to the HIPAA privacy rule to let people review who's accessed their data, as well as who their data has been shared with. But if that data isn't secure, who thinks those access records will be 100% accurate?

Cue a now-common refrain: Something must be done to correct the current state of health information data security. Where can we start? "Fixing the serious data security problems afflicting the health care system will require coordinated and focused action among several government agencies, particularly ONC, OCR, and [CMS]," said Harley Geiger, policy counsel at the Center for Democracy & Technology (CDT), in a blog post.

But don't expect HIPAA to get teeth anytime soon. "The [OIG] reports acknowledge that responsibility for health data security is vested in a number of agencies, and the reports recommend that ONC coordinate its work with CMS and OCR where applicable," said Geiger. "Unfortunately, these points are buried and not given weight proportionate to the scale of the problem. The failure to have a comprehensive, coordinated strategy is at the root of the issues raised in the report."

Recommended Reading:

In the new, all-digital InformationWeek Healthcare: iPads are leading a new wave of devices into the exam room. Are security, tech support, and infection control up to the task? Download it now. (Free registration required.)