Computerworld has an excellent article called Healthcare security and HIPAA: Why compliance and security are still lacking. The author does a very good job of trying to figure out why there are so many healthcare related data breaches. Here are some highlights:
The author takes a look at a previous article and cites some reasons:
In her article Why are healthcare data breaches so common?, author Stephanie Tayengco suggests 5 reasons why 91 percent of healthcare organizations reported at least one breach over the last year:
1. Systems are old and complex
2. Health IT is 95 percent manual work
3. Disjointed monitoring
4. “We’re already HIPAA compliant”
5. Health data is valuable
Although the author agrees with Stephanie Tayengco’s reasons he thinks that there are other reasons for weak security especially in the smaller medical practices:
Transition to EMR without considering security
Many smaller practices are adopting electronic medical record (EMR) systems. This is prompted partly by financial incentives available under the HITECH Act, and partly because an EMR system is seen as a pathway to HIPAA compliance. In most cases, practices are selecting “HIPAA compliant software,” thinking that the selection constitutes their compliance and as a result resolves their security issues…
Buy something that says “HIPAA,” and you are covered
… As such, I have observed that a practice will buy something that claims HIPAA compliance, be it a secure email system, an encrypted storage system, etc, and assume that the purchase makes them compliant, and therefore secure. Again, HIPAA applies to the totality of a practice. It cannot be met by the purchase of a single product, no matter what the sales person said.
…What I see in smaller practices is the complete lack of monitoring. These folks generally have no idea how to even open a log file, let alone review it. They often assume that their IT provider is handling it for them, which is usually not the case. Their network may be under attack, and they don’t even know it.
Ignoring paper records
While adoption of EMR by smaller practices has been strong, paper records almost always remain…. Whatever the reason, they often sit in unlocked file cabinets with no controls in place, leaving them open to insider threats.
Lack of basic network protection
In my experience, smaller practices are not much different from small business in general with their adoption of basic security controls like firewalls, strong wireless systems and data encryption…
No training or policies
…In the HIPAA world, we seem to expect staff members to fill their roles in the compliance effort without understanding what they are, or having the necessary basic training or skills to pull it off. We would not think of putting a medical office employee with a patient without the necessary technical training, so why is compliance different?
I am just too small for anyone to mess with
…Those in smaller groups consider themselves invisible as compared to Anthem, Blue Cross, or a large hospital. They miss the fact that they are usually easy to breach, and readily found on the Internet…
Unfortunately, while data breaches involving the big players usually become known reasonably quickly, patient data may be leaking from the smaller practices without anyone ever knowing…
The author then gives some sound advice on how to address and strengthen compliance and security:
- Understand HIPAA requirements, and formulate a compliance plan
- Implement essential security practices on your network
- Training your employees, and give them policies and procedures to follow
- Monitor your systems and logs for evidence of issues
Bottom line – as a small practice, you are not invisible. Rather, you are the front line of the battle. Recognize that you are at war with those who would steal patient data, and begin fighting back.
This is one of the best articles I have seen written on why smaller healthcare organizations have weak security and are not addressing HIPAA requirements.