HIPAA Security: A Decade of Breaches
Marion K. Jenkins, PhD, FHIMSS
Chief Strategy Officer
3t Systems
DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or position of HIMSS.
Conflict of Interest
Marion K. Jenkins, PhD, FHIMSS
Has no real or apparent conflicts of interest to report.
© HIMSS 2015
Learning Objectives
1. Discuss the HIPAA Security Rule and how it relates to IT best practices and security policies.
2. Identify the major root causes of the 900+ HIPAA breaches reported by HHS, and identify how the mandated remediation efforts are insufficient and ineffective, and how they fail to correct the underlying issues.
3. Explain how the principles of IT best practices and effective IT security policy development and compliance are both necessary and sufficient to satisfy HIPAA Security Rule compliance, and eliminate the true underlying causes of HIPAA breaches.
4. Classify the primary HIPAA breach root causes in terms of internal versus external, user-caused versus outsider-caused, etc.
Learning Objectives: Pre-Quiz
1. Since HHS has been tracking HIPAA breaches since 2009, in the last year the number of reported breaches has
A. Stayed about the same
B. Decreased significantly (e.g., by more than 25%)
C. Increased significantly (e.g., by more than 25%)
2. The true cause of most HIPAA breaches can best be traced to:
A. New technologies that have been developed since the original HIPAA Security Rule became effective in 2005, and weren't covered back then.
B. Hackers and other nefarious external threats.
C. Internal employee behaviors, such as snooping.
D. Bad IT design, coupled with bad employee compliance behaviors, where employees doing "legitimate" work end up defeating or working around security procedures.
3. True/False: The best way to ensure HIPAA compliance is to make usernames and passwords longer/more complex, and make users change them more frequently.
The HIMSS Value STEPS of Health IT and this presentation:
• Satisfaction
– Patient Satisfaction: Patient trust and satisfaction is definitely negatively impacted by the increased number of HIPAA breaches.
• Treatment
• Electronic Information/Data
– Data Sharing and Reporting: Lack of HIPAA Security compliance can limit data sharing among different healthcare entities across boundaries of care.
• Prevention and Patient Education
• Savings
http://www.himss.org/ValueSuite
Video Clip: If US Airlines worked like the US Healthcare System
https://www.youtube.com/watch?v=5J67xJKpB6c
Outline
• HIPAA Overview – key definitions, brief history
• Examples of HIPAA breaches to date
• The biggest HIPAA threats
• Real life HIPAA breach example
• Cloud – is it HIPAA compliant?
• Questions/discussion
HIPAA (one “P”, two “A”s)
• HIPAA Stands for:
– Health
– Insurance*
– Portability**
and
– Accountability
– Act
*(not information)
**(not privacy)
HIPAA Breaches - Some macro numbers
• HHS-reported HIPAA breaches since 2009
– 600 → 993 → 1185 (successive counts) breaches of more than 500 records each
– Total is over 22 → 31 → 133 million patient records affected
– Largest was 4.9 million records (SAIC – Service Provider); now 80 MILLION records (Anthem; payor/healthplan)
– Smallest reported breach (and not on this list) is 441 records (Hospice of Northern Idaho)
– Largest pending judgments are $3-4 BILLION in class action lawsuits (Sutter Health, California) and $3-4 BILLION against SAIC (Service Provider)
All data here and following graphs from:
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
HIPAA Breaches – Type of Breach (share of reported breaches)
• Theft: 55%
• Unauthorized access: 19%
• Loss: 12%
• All other: 14%
Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
HIPAA Breaches – Source of Breach (share of reported breaches)
• Laptop: 25%
• Paper: 23%
• Portable: 12%
• Computer: 11%
• Server: 10%
• All other: 19%
Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
HIPAA Breaches – Words (All Fields)
• Theft: 32%
• Laptop: 17%
• Computer: 12%
• Portable: 8%
• Loss: 8%
• EHR: 0.10%
• All other: 23%
Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
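The three breakdowns above are derived from the HHS breach portal export. As an added example (not part of the presentation), the Python script below computes the same kind of type-of-breach and location shares, plus the total, median and largest record counts, from a portal-style CSV. The column names ("Name of Covered Entity", "Individuals Affected", "Type of Breach", "Location of Breached Information") are assumed to match the portal download and should be checked against a real export; the rows embedded below are constructed sample data, not real reports.

```python
"""Aggregate an HHS OCR breach-portal style CSV by breach type and location.

Added example; not from the presentation. Column names are ASSUMED to match the
export from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (verify
against the real download). Sample rows are CONSTRUCTED, not real reports.
"""
import csv
import io
import statistics
from collections import Counter

# Constructed sample export (NOT real HHS data); entity names are placeholders.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Example Clinic A,CO,Healthcare Provider,1200,01/15/2014,Theft,Laptop,No
Example Hospital B,CA,Healthcare Provider,"5,400",02/03/2014,Theft,Other Portable Electronic Device,No
Example Plan C,NY,Health Plan,80000000,03/10/2015,Hacking/IT Incident,Network Server,No
Example Practice D,TX,Healthcare Provider,900,04/22/2014,Loss,Paper/Films,No
Example Lab E,GA,Healthcare Provider,2500,05/05/2014,Unauthorized Access/Disclosure,Desktop Computer,Yes
Example Clinic F,WA,Healthcare Provider,700,06/18/2014,"Theft, Loss",Laptop,No
"""


def load_breaches(text):
    """Parse a portal-style CSV into a list of dicts with an integer record count."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        # The export may carry thousands separators in "Individuals Affected".
        affected = row["Individuals Affected"].replace(",", "").strip()
        row["Individuals Affected"] = int(affected) if affected else 0
        rows.append(row)
    return rows


def share_by(rows, column):
    """Percentage of records that mention each value of `column`.

    A cell may list several values ("Theft, Loss"); the record then counts once
    under each value, so shares can sum to more than 100% when many records
    are multi-valued. The denominator is always the number of records.
    """
    counts = Counter()
    for row in rows:
        for value in {v.strip() for v in row[column].split(",") if v.strip()}:
            counts[value] += 1
    total = len(rows)
    return {value: round(100.0 * n / total, 1) for value, n in counts.items()}


def summary(rows):
    """Headline numbers: count, total and median records affected, largest report.

    The median is reported next to the total because a single very large
    breach can dominate the total while most reports stay small.
    """
    affected = [r["Individuals Affected"] for r in rows]
    largest = max(rows, key=lambda r: r["Individuals Affected"])
    return {
        "breaches": len(rows),
        "total_affected": sum(affected),
        "median_affected": statistics.median(affected),
        "largest": (largest["Name of Covered Entity"], largest["Individuals Affected"]),
    }


def report(rows):
    """Render the breakdowns in the order the slides use: type, then location."""
    lines = []
    for column in ("Type of Breach", "Location of Breached Information"):
        lines.append(column)
        for value, pct in sorted(share_by(rows, column).items(), key=lambda kv: -kv[1]):
            lines.append(f"  {value}: {pct}%")
    s = summary(rows)
    lines.append(f"{s['breaches']} breaches, {s['total_affected']:,} records affected "
                 f"(median {s['median_affected']:,.0f}; largest {s['largest'][0]} "
                 f"with {s['largest'][1]:,})")
    return "\n".join(lines)


if __name__ == "__main__":
    # Replace SAMPLE_CSV with open(path).read() to run against a real download.
    print(report(load_breaches(SAMPLE_CSV)))
```

Running the script against a real export only requires swapping the embedded sample for the downloaded file's contents; if the portal's column names differ, adjust the four names used above.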
Some Recent HIPAA Headlines
• Walgreens (1 record; ~$1.44 million judgment)
• Community Health Systems (2nd largest; hacking)
• LA Gay/Lesbian Clinic (hacking)
• Stanford Children’s Hospital (5X offender)
• Oregon Health Science Unit (4X offender)
• UCLA; Cedars-Sinai (celebrity snooping)
• Hospice of Northern Idaho (441 records; 50K)
• Arizona Surgery Center ($100K fine)
• LabMD in Georgia is DOA (CEO is writing a book)
• Anthem Healthcare (80 million records; hacking)
• Premera (11 million records; hacking)
Time to dispel a big myth
• “My HIPAA Security situation is taken care of because I use a
certified EHR”
• Number of breaches that have been directly caused by or involved a
certified EHR:
ZERO!
HIPAA “Chapter and Verse*”
• HIPAA is contained in the Federal Register, CFR Parts 160, 162 & 164:
– Section 164.308 – Administrative
– Section 164.310 – Physical
– Section 164.312 – Technical
– Section 164.314 – Business Associate Arrangements
– Section 164.316 – Policies and Procedures Documentation
*More than 500 pages!
HIPAA on a 3x5 Card: What does the HIPAA Security Rule* Say?
• Covered Entities must protect and secure all electronic protected health information (ePHI) against accidental or intentional causes of unauthorized access, theft, loss or destruction, from either internal or external sources.
* HIPAA Security governs electronic records. HIPAA Privacy governs paper records.
HIPAA Security – Graphical Representation
[Figure: ePHI at the center; causes: accidental or intentional; threats: internal or external; outcomes: improper access, theft, loss, destruction.]
Definition of ePHI
• “ePHI” is patient health information which is computer based (i.e., created, received, stored, maintained, processed and/or transmitted in, on or through any form of electronic means).
• “Electronic media” includes computers, laptops, memory sticks, USB drives, smartphones, PDAs, servers, data storage systems, backup tapes, disk drives, network systems, email, websites, digital printers/copiers/scanners, etc.
Things HIPAA doesn’t say…
• Length/complexity/change cycle of passwords
• Timeout or logoff time interval
• Type of encryption (e.g., technically WEP for WiFi is actually HIPAA compliant)
• Version of OS such as Win 7, Svr 08 or higher (HIPAA doesn’t name vendor names/products)
• Actually doesn’t mention laptops (or tablets, SmartPhones, PDAs, etc.), just “workstations”
Is this the biggest HIPAA threat?
No, this is the biggest HC threat:
By far, the largest number of threats are caused by, or enabled by, internal users – office and clinical staff*
*Unless you are a very large organization like Anthem…
HIPAA – A Brief History
• HIPAA signed by President Clinton in 1996
– Primary purpose was to make HC insurance portable
– Governed paper records
– Massive increase in administrative burden to HC
– Massive efforts on compliance and training
• HIPAA Security became effective in April 2005
– Most people were unaware or chose to ignore it
– They assumed “IT had it taken care of”
– Thought it was something they had already done
ARRA/HITECH Act 2009
• Part of “Meaningful Use” stimulus – up to $54K/$63K for physicians, millions of $$ for hospitals to adopt EHRs (Medicare/Medicaid)
• Max fines increased from $25,000 to $1.5 million
• Fines apply regardless of:
– Whether docs/facilities are seeking MU funds
– Whether docs/facilities qualify for MU funds (e.g., Ambulatory Surgery Centers, self-pay, etc.)
– Whether the facility has or uses an EHR
P == Portability
• Old days:
– “Cradle-to-grave” patient/doctor relationship
– Records belonged to the practice/physician
– Patients generally could not even see them
• New world order:
– Fragmented HC delivery (specialists, clinics, etc.)
– Practices are caretakers of a larger patient record
– Patient “activism” – records “belong” to them
– Portability made safekeeping rules necessary
Close to home… …in Colorado
HIPAA is Very Real
You don’t want to get one of these nasty grams…
More bad news…only 15 days to respond; threatened penalties
Even more bad news…Freedom of Information Act may make this public
Prior to 2/2009: up to $100 per violation; $25,000/year cap
After 2/2009: $100 to $50K per violation; $1.5 MILLION/year cap
HIPAA compliance is not optional
• HIPAA compliance is required for practices and hospitals to
achieve Meaningful Use
• Annual risk assessments are required
• HHS is doing unannounced audits
• HIPAA compliance is required with/without EHR and
with/without Meaningful Use
Is “Cloud” HIPAA compliant?
• Some are; many are not
• Most public cloud services are inherently unsafe and are not HIPAA compliant (but unfortunately they are used all the time):
– Examples: Gmail; Hotmail; FaceBook; AOL; Twitter; Flickr; iCloud; basically anything that’s “free”
• Poorly designed/poorly run IT services are bad; moving them to the cloud doesn’t fix them
• If a cloud provider refuses to sign a BAA or provide SLAs, that’s a showstopper
Cloud HIPAA Headlines
• “Mobility and Cloud [Are] Keys to Fulfilling Promise of EMRs” (HealthcareIT News)
• “Cloud solutions allow healthcare organizations to deliver critical patient data…” (IDG White Paper)
• “Use the Cloud to Reduce HIPAA Risk” (HealthcareIT News)
• “Google, Microsoft agree: Cloud is now safe enough to use” (C|Net; Annual RSA Security Conference)
Key takeaway points
• HIPAA breaches are increasing dramatically
• No HIPAA breaches have occurred inside an EHR
• A certified EHR doesn’t guarantee compliance
• HIPAA compliance is not optional
• HIPAA breaches are not limited to big facilities
• Most breaches are user-caused/user-enabled
• Proper cloud services are one way to secure ePHI
Learning Objectives: Pre-Quiz (Answers)
1. Since HHS has been tracking HIPAA breaches since 2009, in the last year the number of reported breaches has
A. Stayed about the same
B. Decreased significantly (e.g., by more than 25%)
C. Increased significantly (e.g., by more than 25%)
2. The true cause of most HIPAA breaches can best be traced to:
A. New technologies that have been developed since the original HIPAA Security Rule became effective in 2005, and weren't covered back then.
B. Hackers and other nefarious external threats.
C. Internal employee behaviors, such as snooping.
D. Bad IT design, coupled with bad employee compliance behaviors, where employees doing "legitimate" work end up defeating or working around security procedures.
3. True/False: The best way to ensure HIPAA compliance is to make usernames and passwords longer/more complex, and make users change them more frequently.
Review of HIMSS Value STEPS:
• Satisfaction
– Patient Satisfaction: Patient trust and satisfaction is definitely negatively impacted by the increased number of HIPAA breaches.
• Treatment
• Electronic Information/Data
– Data Sharing and Reporting: Lack of HIPAA Security compliance can limit data sharing among different healthcare entities across boundaries of care.
• Prevention and Patient Education
• Savings
http://www.himss.org/ValueSuite
Questions/More Information
Marion K. Jenkins, PhD, FHIMSS
Chief Strategy Officer
3t Systems
303.918.8853
[email protected]