Ali Pabrai said it best at last week's fifth national HIPAA Summit West at the Grand Hyatt in San Francisco. Pabrai, a data security expert, noted that 97% of chief information officers are concerned about data security.
"My question is, 'Who are these other three percent?'" Pabrai asked the hundreds of laughing attendees.
Pabrai, MSEE, CISSP (ISSMP, ISSAP), of ecfirst's HIPAA Academy in Newport Beach, CA, delivered a message that resonates with HIPAA privacy and security officers: Everyone, especially those charged with protecting the privacy of patient information, needs to be concerned about data security.
- 1 in 4: Organizations reporting a data breach (source: Pabrai)
- 250,000 to 500,000: Medical identity thefts (source: Pabrai)
- 330: Organizations reporting a breach of unsecured protected health information affecting 500 or more individuals since September 2009 (source: Office for Civil Rights, or OCR)
- 34,000: Number of reports of breaches submitted to OCR affecting fewer than 500 individuals (source: OCR)
From how and from where the 500-or-more breaches are coming:
How:
- Theft: 50%
- Unauthorized access disclosure: 20%
- Loss: 16%
- Hacking/IT: 7%
- Paper records: 24%
- Laptop: 23%
- Desktop computer: 17%
- Portable electronic device: 16%
- Network server: 10%
In August, McAfee reported that hackers broke into the United Nations data system and hid there for two years unnoticed, Pabrai said.
"How do we know that someone isn't hiding in our systems, and how long have they been there?" Pabrai asked the audience. "Do we have appropriate controls? What is the state of our information security?" Do you have intrusion protection and intrusion prevention in place?
"This is not just a compliance issue," Pabrai said. "This will have significant risk to the organization and will impact your facility in the seven figures."
So what are the struggles today for privacy and security officers?
In some cases, many in these roles are performing too many tasks. For example, the privacy officer is also the health information management director, the security officer is also the compliance officer, or the compliance officer handles privacy complaints.
These multiple roles, if possible, should be avoided, said Phyllis A. Patrick, MBA, FACHE, CHC, president, Phyllis A. Patrick & Associates, LLC, Purchase, N.Y.
In many organizations, the compliance officers have been given the role of privacy officer, but Patrick maintains that they're different roles with different regulations.
"I don't advocate that the compliance officer also be the privacy officer," Patrick told the audience, though she does recognize many smaller facilities must do so.
What suffers when privacy and security officers are doing too many things? Policies and procedures that don't get updated or delivered and staff members who are not properly educated on them.
In some cases, such as the case of the Pittsburgh Pirates and social media, they were never written.
Angel Hoffman, RN, MSN, corporate quality/compliance officer, Kane Regional Medical Centers and principal, Advanced Partners in Health Care Compliance in Pittsburgh, told the audience about Major League Baseball's Pittsburgh Pirates, which fired an employee for inappropriate Facebook posts about the organization.
But since the Pirates did not have a policy for social media use, it had to rehire the employee.
Hoffman said organizations must have a sanctions policy for enforcement.
Remind employees that when something's written, it never goes away, Hoffman said. Organizations cannot ban social media use among its employees, but they must have a policy for it and educate employees on the consequences of inappropriate posts.
"Make those real," Michael Leoz, OCR deputy regional manager in San Francisco, said, referring to HIPAA privacy and security policies and procedures. "Don't just have them sit on the shelf."
Recalling a case involving a laptop left in a Boston subway car by a Massachusetts General Hospital employee, Leoz said OCR found the policies and procedures that were in place were not adequate for HIPAA privacy and security compliance. That led to a $1 million settlement and a corrective action plan.
And what good are a policy and an education plan if senior management and board members aren't on board?
One HIPAA privacy officer at the Summit said he does not have that problem. He told a story dispelling an accepted belief that hospital boards are not engaged in HIPAA compliance issues.
When the officer rolled out some online learning to his staff at his large healthcare system, he got his first notification of a completed quiz 20 minutes later.
From whom? The chairman of the board of the directors for the hospital system. That's the same chairman with whom the privacy officer meets monthly.
That's a good thing because OCR – or least its contractor, KPMG, LLP -- could come knocking starting this Fall and into next year thanks to a $9.2 million auditing plan stemming from the HITECH Act.
Leoz of OCR said the audits will review covered entities' approach to HIPAA compliance. He said the audits would lead to more preventative measures entities can take rather than creating a reactive culture. Leoz added there would be an increased potential for learning among covered entities because of these audits.
About 20 to 25 covered entities will be part of a testing phase. "We're going to try to look at different types of covered entities," he said. OCR's contractor will look for what programs different kinds of covered entities have in place.
"We will give an advance notice of the audit," Leoz said. "There will be a comprehensive data request and some on-site visits from OCR contractors who will interview covered entities' staffs."
2012 – and down the road
As for your organization's HIPAA 2012 and beyond compliance efforts?
The important information security ventures for an organization in 2012 will be encryption, encryption and encryption, Pabrai said.
William R. Braithwaite, MD, PhD, and chief medical officer at Anakam, Inc., said at the Summit that the healthcare industry needs to have strong authentication. And for patients who want remote access to their records it needs to be multi-factor authentication. Braithwaite is known as "Doctor HIPAA."
For instance, have patients enter a username/password, then send an alert from that log-in that goes to a cell phone to give the patient another code for access.
And as for tracking who's looking at what, that can't be a generic effort, Pabrai says.
"There are too many generic accounts across the industry where you cannot trace an action back to an individual," Pabrai said. "The user has to be able to trace things back to individuals, and you just cannot do that with generic accounts."
And don't forget social media, Pabrai said, because hospital employees can transmit information across a 3G or a 4G network and not through an organization's firewall system.
"You may take a photograph now, and you're transmitting that information about patients across a network structure that even the best organizations with the best security controls cannot" protect.
Social media, Pabrai said, is an "area of significant challenge."
Hopefully it is for those three percent Pabrai mentioned as well.
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.