When a hospital's patient data is compromised, the results are often costly and always embarrassing for those charged with protecting that information from prying eyes. Take the case of Seattle-based Providence Health and Services, which in July was slapped with one of the largest HIPAA-related fines ever levied by the U.S. Department of Health & Human Services. The system was ordered to pay the $100,000 fine and improve patient information security after a breach that contained individually identifiable health data in 2005 and 2006.
And then there are the high-profile lapses in data security that occurred in Los Angeles. Earlier this month, the Los Angeles Times reported that more than 120 workers at UCLA Medical Center looked at the medical records and other personal information of California First Lady Maria Shriver, actress Farrah Fawcett, and singer Britney Spears without permission over a nearly two-year period.
According to a report on the debacle released by the California Department of Public Health, 127 hospital workers snuck looks at the celebrities' medical records, leading to several firings, suspensions, and warnings. The report also detailed the case of one employee who looked at the records of about 900 patients "without any legitimate reason" and viewed Social Security numbers, health insurance information, and addresses, from April 2003 to May 2007. Like the Providence case, state regulators blamed the hospital for not taking adequate steps to maintain patient confidentiality.
Frances Dare, a director in Cisco System Inc.'s Internet Business Solutions Group healthcare consulting practice, says data security attacks on the healthcare industry increased 85% between January 2007 and January 2008. Not surprisingly, she also says a recent survey sponsored by HIMSS and Cisco found 86% of hospital chief information officers say that assessing and managing their hospital's data security practices remains a top concern. What this means is that even though they are doing a lot to try to protect this information, they are still lying awake at night worrying about what's happening, says Dare.
A bill currently in the Senate seeks to establish some legal guidelines by requiring that patients give their consent each time a healthcare company attempts to access their records. The bill also requires healthcare providers to notify patients of any unauthorized disclosure of their healthcare information. While a bill like this one will help provide hospitals with legal standards to follow, Dare says it is still up to the hospital to ensure it has best practices in place for protecting patient information.
Edward Marx, CIO at Texas Health Resources, the largest hospital system in North Texas, says remaining vigilant is key to keeping a hospital's private data private.
"We see healthcare as a communication and flow of information data that needs to be protected at all times. You can never just sit back and rest on your laurels, because you can be certain the adversary isn't," Marx says. He adds that a hospital has to be willing to invest heavily in technology and work closely with its vendor partners to remain current about the latest threats.
"We test the defenses of our network with a third party that will tax our systems to make sure we have latest and greatest security," he says.
Marx says that CEO Douglas Hawthorne's belief that security is not just an IT problem has helped keep up the system's defenses. "Our CEO has long been an advocate and leader for IT at Texas Health. It has been and remains on his agenda, specifically as it relates to safeguarding patient privacy," Marx says.
Of course, all the outside testing in the world won't do the hospital any good if the threat comes from the inside, like at UCLA Medical Center, where one employee was responsible for many of the data security breaches.
Marx says THR spends a significant amount of time educating employees about what happens when they don't follow good security practices. "It's easy to get lazy because things are working fine, but that's when you are most vulnerable. We've found that you absolutely have to be hyper-vigilant, not just about education, but about staying current as to what the latest threats are," he says.
Offering guidance and helping the industry keep up with the latest security threats is what a fairly new collaboration called Health Information Trust Alliance (HITRUST) says it's all about. According to Dare, the group, comprised of representatives from across the healthcare spectrum, is in the process of creating a common security framework that will include a single set of standards for security governance practices and security control practices, as well as a guide to help organizations reconcile the different aspects of existing security standards. Dare says the HITRUST will publish its first set of work in January 2009.
Although it's a daunting task, keeping private data from the public isn't impossible, but, like Marx says, it takes complete buy-in from the entire health system—from the CEO right on down to the nosiest front-line employee.
Kathryn Mackenzie is technology editor of HealthLeaders magazine. She can be reached at kmackenzie@healthleadersmedia.com.
Note: You can sign up to receive HealthLeaders Media IT, a free weekly e-newsletter that features news, commentary and trends about healthcare technology.