“Lie down with dogs, wake up with fleas,” the saying goes. That adage is taking on new meaning in the healthcare field, where a perfect storm is brewing: a steady run of security incidents at third-party vendors, and new, tougher data privacy rules that for the first time reach those vendors directly.
First the data. As the web site Healthcareinfosecurity.com reported on Wednesday, the U.S. Department of Health and Human Services (HHS)’s “Wall of Shame,” which lists healthcare data breaches affecting 500 or more individuals, shows that eight of the 15 large breaches reported in the last month stemmed from incidents at business associates. Since HHS started tracking large breach disclosures, 130 of 588 such events – just over 22 percent – have been tied to security lapses at business partners.
Admittedly, many of those are not the result of hacking. Laptops and USB drives go missing. Folders full of hardcopy patient records get misplaced. But some of the largest breaches have been the result of computer compromises at third-party business partners that serve the healthcare field, most notably the March 2012 breach at the Utah Department of Technology Services, a service provider to the Utah Department of Health. That incident involved 780,000 records, Healthcareinfosecurity noted.
Healthcare organizations are also exposed to the kinds of run-of-the-mill, financially motivated crimes more common in sectors like retail and banking. As was reported this week, figures from the 2013 Verizon Data Breach Investigations Report (DBIR) show that healthcare organizations are frequently victims of attacks on the point-of-sale terminals used to process copayment and credit card transactions.
"Health care breaches act a lot like retail breaches in as much as that it's the organized crime groups going after the payment chain…credit cards and the Social Security numbers they can turn into money," DBIR author Suzanne Widup told eWEEK.
Those facts may not be surprising. But coming changes to the U.S. law governing the privacy of healthcare data, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), make the security of the software and hardware vendors serving the healthcare sector a big – and possibly expensive – problem.
On September 23, 2013, the compliance deadline arrives for a set of amendments to HIPAA’s rules known as the Omnibus Final Rule. That rule change comprises modifications to HIPAA’s existing data privacy, data security and breach notification rules. Specifically, it requires that business associates, and the subcontractors that work for them, serving so-called “covered entities” under HIPAA also comply with the law. This is a huge change, and one that will send ripples throughout the software industry.
Why? Let’s say hackers find a way to compromise an on-premises or hosted software system or, say, a point-of-sale terminal used in a medical office, and by way of that are able to steal sensitive patient health information or personally identifiable information. Previously, HHS held only the “covered entity” – the hospital or medical office – directly liable for that breach. Business associates were liable only indirectly, through the terms of their contracts with the covered entity.
Starting in September, that changes. The Omnibus rule extends liability for failure to comply with the HIPAA Privacy and Security Rules directly to business associates, and for the first time exposes them to hefty civil penalties for HIPAA violations. The rule also requires business associates to ensure that their subcontractors comply with the applicable privacy and security duties. As a result, the direct liability business associates bear under HIPAA will flow down contractually to the third parties that perform business associate functions on their behalf.
That change may have a big impact on security throughout the (extensive) healthcare technology supply chain. HHS wrote in its rule that the agency assumes “that business associates in compliance with their contracts would have already designated personnel to be responsible for formulating the organization’s privacy and security policies, performed a risk analysis, and invested in hardware and software to prevent and monitor for internal and external breaches of protected health information.” In other words, the baseline controls the rule now enforces – named security and privacy owners, a documented risk analysis, and monitoring for breaches – are ones vendors were already supposed to have in place under their business associate agreements.
The security challenges facing the healthcare industry are many and varied. IT directors at medical centers need to find a way to secure everything from the iPads used by physicians and nursing staff, to the servers storing patient records, to drug infusion pumps. As has been reported, many of those devices are insecure, or susceptible to compromise and malicious code infection. Will the Omnibus rule end up improving the security of the software and hardware used in the (massive) healthcare industry? Maybe – and maybe not. But one thing is clear: by expanding accountability for data security and increasing the cost of making mistakes, HIPAA Omnibus will tilt the scales in favor of better and more secure technology in the doctor’s office.