What's New in HCQM?

Cybersecurity

Thompson H. Boyd III, MD, CHCQM, CPHIMS, FABQAURP
Medical Director of Informatics/Physician Liaison - Hahnemann University Hospital, Philadelphia

When a patient enters the healthcare system, they expect and trust that their personal data is secure. Several years ago, the JASON Report, was the center of much discussion as it related to interoperability and the sharing of records. Discussions followed that patients have the right to direct who is allowed to view their data; and it was added that patients should never be surprised to find their data in a location site unauthorized by the patient.

Safeguarding Information
A covered entity, which includes providers, health plans, and healthcare clearinghouses, must abide by the HIPAA Security Rule, which was published on February 20, 2003, and focuses on safeguarding electronic protected health information (ePHI). Specifically, covered entities must work to ensure the confidentiality, integrity, and availability (CIA) of ePHI is protected. Covered entities routinely create, receive, store, and transmit PHI; however this information must be safe against unauthorized access, destruction, disclosure, disruption, modification, and use. Covered entities deploy administrative, physical, and technical safeguards to protect PHI. Readily available resources include Security Rule Guidance Material (including the Security Rule Education Series), HIPAA Security Guidance, National Institute of Standards and Technology (NIST) Special Publications, Federal Trade Commission Guidance, and OCR Cyber Awareness Newsletters.

In early September 2017, the NIST and the Office for Civil Rights (OCR, U.S. Department of Health and Human Services) presented the conference "Safeguarding Health Information : Building Assurance through HIPAA Security – 2017". A presentation from OCR summarized that in less than eight years (July 2009 through July 2017), there have been over 2,000 reports of large breaches (affecting over 500 individuals). Theft and loss accounted for 48% of the breaches, and hacking is now related to 17% of breaches. Small breaches (affecting less than 500 individuals) number nearly 300,000; individuals affected in total are over 174,000,000. Enforcement issues centered on improper disclosure of PHI without proper authorization, lack of business associate agreements, insufficient audit controls, lack of implementing safeguards, and issues involving failure of managing identified risk. Examples include an insufficient or inaccurate risk analysis; lack of transmission security, untimely patching of software, issues related to insider threats, improper disposal of protected health information, and insufficient backup and disaster recovery planning.

As more entities find value in moving to the cloud, OCR has opined that certain provisions must remain intact, such as compliance with the HIPAA Security and Privacy Rules, and having a Business Associate Agreement between the covered entity and the cloud service provider (CSP).

It is clear more education and understanding are needed as records are stored and shared more readily.

The Cost of a Security Breach
The Ponemon Institute’s 12th Annual Cost of Data Breach Study stated that the average total cost of a breach was $3.62 million, among the 419 participating companies in 11 countries; however, in the United States, the average total cost of a breach in 2017 was $ 7.35 million. The per capita cost of a breach was $141, among the 419 participating companies; however, the per capita cost of a breach in the healthcare industry was $380. The mean time to identify (MTTI) a breach was 191 days, and the mean time to contain (MTTC) a breach was 66 days. It took more time to both identify and contain a breach caused by a criminal or malicious attack, as opposed to a breach caused by human error. The cost to resolve a breach from a criminal or malicious attack was also higher. Utilizing an incident response team, encryption, and employee training reduced the cost of a breach; whereas, compliance failures and lost devices increased the cost of a breach.

The HIMSS 2017 Cybersecurity Survey found that most healthcare organizations were taking steps to enhance cybersecurity programs. The vast majority (71%) stated a part of their budget was allocated to cybersecurity; 60% of organizations employ a senior security leader, such as a Chief Information Security Officer; and 85% of organizations conduct a risk assessment at least once a year.

The Framework of Security
As ePHI became more prevalent, the need for improved infrastructure also grew. On February 12, 2013, Executive Order 13636: Improving Critical Infrastructure Cybersecurity, led to the development of the NIST Cybersecurity Framework to include “a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks”. On January 10, 2017, the Cybersecurity Framework was updated to version 1.1, increasing the detail of framework structure and functions to identify, protect, detect, respond, and recover.

In addition to Executive Order 13636, the Cybersecurity Act (CSA) of 2015 [Division N] became Public Law 114-113 on December 18, 2015, establishing a legal framework that would encourage private industry to voluntarily share cybersecurity information with the federal government to increase efforts to guard against cyberattacks, along with having certain liability protections.

Tools We Can Use
The official health care information sharing and analysis center is the National Health Information Sharing and Analysis Center (NH-ISAC), which offers a community and forum to share physical security and cyber threat information among healthcare stakeholders.

The National Cybersecurity and Communications Integration Center (NCCIC) serves as a central location where a diverse set of partners, i.e., government agencies, private sector, and international entities, analyze cybersecurity and communications information; share timely and actionable information; and coordinate response, mitigation, and recovery efforts. The NCCIC has put forth best practices and mitigation strategies involving: Backups, Risk Analysis, Staff Training, Vulnerability Scanning and Patching, Application Whitelisting, Incident Response, Business Continuity, and Penetration Testing.

The care of our patients involves the establishment and the maintenance of their trust. Most important are the proactive steps that need to be taken by covered entities to ensure that protected health information remains private and secure.

Hear more from Dr. Thompson Boyd about Cybersecurity and protecting your patients. Come join us for an educational and interactive discussion at ABQAURP’s 41^st Annual Health Care Quality and Patient Safety Conference in Lake Buena Vista, FL on April 12-13, 2018. We look forward to seeing you there! Conference details: HERE.