The trusted source for
healthcare information and
One of the most common mistakes is to perceive HIPAA compliance as solely or predominately a technology problem, says Michael R. Overly, JD, partner and privacy and data security lawyer at the law firm of Foley & Lardner in Los Angeles. He has heard administrators and other healthcare professionals say that their organization is HIPAA-compliant because the IT department has everything locked down with all the right software, encryption, and other technological solutions, as if that is enough.
“That is a problem, because if you look at the statistics in just the last year, two-thirds arose not from a technology failure, but rather human error,” Overly says. “It is very hard to get people to start thinking about how HIPAA compliance is their responsibility and doesn’t fall entirely on the technology side.”
While some investment in technology is necessary, Overly cautions against the easy assumption that spending a lot on a software solution makes you compliant. That same $100,000 might have a bigger effect if it is spent on employee education, he says.
The goal should be to make information security a personal issue for individuals in healthcare, Overly says, but he admits that can be a hard sell. One way to get the message across is to show how understanding HIPAA security can help them in their personal lives, he suggests. He used this approach at a grand rounds presentation at a hospital, finding the audience much more receptive than they usually are to lectures on HIPAA compliance.
“You want to show them that if they grasp the key elements of HIPAA compliance, they can also benefit from that knowledge to protect their family photographs stored in the cloud, their tax records stored on their home computers, and their email accounts when they are under attack,” Overly says. “When you explain to physicians that they might go home that night and find all their years of family photographs gone forever, you get them leaning forward. Then they will listen to how the same techniques that they can use to secure their data at home can also be effective in complying with HIPAA at work.”
Another misconception is that HIPAA is all about confidentiality and security, Overly says. The component often overlooked is integrity — the validity and accuracy of the protected data, he says. This is where hackers are starting to focus more attention, potentially with ransomware attacks.
“We’ve seen ransomware attacks in which hackers take away our access to data and make you pay to get it back, but I worry that we’re going to start seeing attacks on integrity of data, which could be devastating in healthcare,” Overly says. “It’s one thing if the hacker just has your data, and it’s something else if that hacker says your data is going to be destroyed or hopelessly compromised. With people’s healthcare information, that can have very serious consequences.”
Overly also cautions that the backup tapes providers depend on to preserve PHI also could be exploited by hackers. People often assume that they have little to worry about if their data is backed up, but Overly says it is crucial to assure that those backups are not infected with malware or have security vulnerabilities.
“If you’re subject to an attack, the first inclination is to just restore your data from a backup tape. What people don’t realize is that hackers know that and sometimes will use malware that makes its way to your backups and then sits dormant for months until you try to use that tape,” he says. “You would think that by now healthcare providers would be aware of that, but we’re seeing that is not the case.”
Few healthcare providers also have a plan for stopping a malware attack from multiplying, Overly says. If one clerk in accounting accidentally clicks an email link and infects that department’s computer system, there should be an immediate response once that is detected, he says. An immediate and wide-reaching alert to every other department and all staff should notify them about that particular email or threat so they can avoid more infections, he says.
“An infection in the accounting department doesn’t have to spread and affect every other part of the system. People assume that once it’s in one time, that malware is spreading through the whole organization and that’s not necessarily so,” Overly says. “But if different departments are attacked, you can have multiple points of access for the malware and that makes the attack much more serious.”
Another misconception is that HIPAA requires encryption of ePHI, says Peter Tippett, MD, PhD, chairman of DataMotion, a company in Florham Park, NJ, that provides security and compliance assistance to healthcare facilities. Although encryption is well-advised for any ePHI in transit or stored on mobile devices, it is not actually required by HIPAA, he says.
You could theoretically say you’ve performed a risk assessment and determined that the encryption is unnecessary, Tippett says.
“Encryption is all about making the data useless after a theft, so for your big mainframe computers, for instance, you might say that you have all kinds of extensive security with cameras, and cages, and locks, and so forth that makes the threat of theft very low with that hardware,” Tippett says. “So, it would be reasonable in that instance to say you’re not going to encrypt that stored data. I’ve seen that work a number of times, but it’s not something most organizations would imagine doing.”
Organizations also can emphasize technological security so much that the low-tech ways to violate HIPAA are overlooked, says Dennis Deruelle, MD, FHM, national medical director for acute services with IPC Healthcare/TeamHealth, a company providing healthcare professional staff and integrated care providers in Tampa, FL.
“We teach people about the risk from texting, hackers, and lost laptops, but you also have the low-tech breach where someone walks into a room and starts talking about something sensitive with the family or others present,” he says. “That even happened to my wife. Her surgeon walked into the room and said, ‘You have a little nodule on your lung,’ in front of eight people.”