Wednesday, July 6, 2016

HIPAA Ain't That Hard People

All of my career in I.T. has had at least some level of involvement in the medical field. The majority of my time was spent with a Managed Services Provider (MSP) whose client base included a significant number of small and medium medical facilities. We supported a good mixture of medical specialties. I still do the occasional side project for them, but I've moved on to bigger and better things. Today, I work as a contractor, supporting a government agency that does some medical work. In other words, I do HIPAA.

In a nutshell, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is an act signed by sitting president Bill Clinton to streamline the portability and security of Americans' medical care, insurance and records. The long title of the Act is "An Act To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes." Quite a mouthful.

You may recall the story of the Hollywood Presbyterian Medical Center, which recently found itself forced to pay ransomware authors to get the facility's data back. Before finally agreeing to pay, their systems responsible for CT scans, documentation, lab work, pharmacy and email were all entirely out of commission. At times the emergency room was also out of commission and patients had to be transferred to other nearby hospitals. In other words, real life and death stuff.

Hollywood Presbyterian is not alone here. San Diego based Alvarado Hospital Medical Center and Columbia, Maryland based MedStar Health also were reportedly hit recently. Cisco Talos has recently reported a new ransomware variant specifically targeting the healthcare industry. It's bad news for a facility to get hit by something like this and suffer the onslaught of bad press. But the cost will be even greater should medical data be lost permanently because the backups are inadequate, so there is no choice but to pay up in those cases. Other medical facilities have been hit by other forms of malware, oftentimes with equally disastrous results.

In the financial field, I have seen first-hand that the SEC will fine the guilty parties and shut down the company for playing loose with the laws and regulations. But with HIPAA violations, there is a serious risk of criminal penalties as well as fines. Penalties start at up to one year in prison for knowingly and improperly obtaining or disclosing identifiable health information and grow from there. HIPAA can pierce the veil.

But malware encrypting servers full of patient data is not the only way to lose health data. EMC and Hartford Hospital paid $900,000 for the loss of an unencrypted laptop in Connecticut. An LSU Health Sciences owned laptop with medical information on 5,000 minors was stolen from the car of a doctor in New Orleans. At the time of the theft, the number of patients was known, but which 5,000 patients wasn't known. And in the U.K., an unencrypted laptop containing sensitive data on over 8 million people and 18 million hospital visits was stolen from a store room at London Health Programmes.

And it's not just digital data that is at risk. If you peruse the U.S. Department of Health and Human Services Office for Civil Rights Breach Portal, you'll see a sizable list of breaches categorized as either loss, theft or other. This portal reports breaches involving the data of 500 or more patients. In addition to a never ending list of portable media, servers, desktop computers and laptops that have been lost or stolen, there are also a large number of breaches of data on paper and/or films.

All in all, the portal contains 1572 breaches as of June 1, 2016, and the data goes back to 2009. If you care, the data is available to download in Microsoft Excel, Adobe PDF, CSV, and XML formats for anyone who wants it. After downloading a spreadsheet, I was able to quickly tabulate that there were a total of 158,900,805 individuals affected, minus any unlucky enough to have been affected by more than one breach. I don't know if there are any hard numbers on people in that case, but it's half the country even if that's a small percentage.
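The tabulation above is easy to reproduce from the portal's CSV download. What follows is an added example, not code from the original post: it parses a constructed, portal-shaped sample (the column names are assumptions modelled on the portal export, and the rows are made up), totals the individuals affected, and breaks breaches down by type and by location of the breached information. It also handles two quirks a real export has, multi-valued cells such as "Loss, Theft" and numbers with thousands separators, and it keeps the caveat from the paragraph: the total is an upper bound, since a person caught in two breaches is counted twice.

```python
"""Tabulate a breach-portal-style CSV export (added example, not the post's own code).

The column names are assumptions modelled on the HHS OCR breach portal's CSV
download; the rows below are constructed sample data, not real breach records.
"""
import csv
import io
from collections import Counter

# Constructed sample in the assumed shape of the portal export. Two quirks of a
# real export are reproduced: multi-valued cells ("Loss, Theft") and numbers
# with thousands separators ("1,500"), both quoted so the commas survive.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Clinic A,CT,Healthcare Provider,1200,01/15/2016,Theft,Laptop
Example Hospital B,LA,Healthcare Provider,5000,03/02/2016,Theft,Laptop
Example Practice C,MD,Healthcare Provider,750,04/20/2016,Loss,Paper/Films
Example Insurer D,CA,Health Plan,25000,05/11/2016,Hacking/IT Incident,Network Server
Example Lab E,NY,Healthcare Provider,600,05/30/2016,Unauthorized Access/Disclosure,Email
Example Group F,DC,Healthcare Provider,8000,06/01/2016,"Loss, Theft","Laptop, Paper/Films"
Example Pharmacy G,TX,Healthcare Provider,"1,500",06/02/2016,Theft,Desktop Computer
"""

LOSS_OR_THEFT = {"Loss", "Theft"}


def parse_breaches(text):
    """Parse the CSV text into dicts; 'Individuals Affected' becomes an int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        raw = row["Individuals Affected"].replace(",", "").strip()
        row["Individuals Affected"] = int(raw) if raw else 0
    return rows


def split_values(cell):
    """A cell like 'Loss, Theft' lists several categories; return them separately."""
    return [v.strip() for v in cell.split(",") if v.strip()]


def total_individuals(rows):
    """Sum of 'Individuals Affected'. This is an upper bound on distinct people:
    someone caught in two breaches is counted twice, and the portal cannot resolve that."""
    return sum(r["Individuals Affected"] for r in rows)


def count_by(rows, field):
    """Number of breaches per category in `field`; a multi-valued cell counts once per category."""
    counts = Counter()
    for r in rows:
        counts.update(split_values(r[field]))
    return counts


def individuals_by(rows, field):
    """Individuals affected per category in `field`. A breach listing two
    locations is attributed in full to each, so these figures can exceed the total."""
    totals = Counter()
    for r in rows:
        for value in split_values(r[field]):
            totals[value] += r["Individuals Affected"]
    return totals


def loss_or_theft_share(rows):
    """Fraction of breaches whose type includes Loss or Theft (the physical-security cases)."""
    hits = sum(1 for r in rows if LOSS_OR_THEFT & set(split_values(r["Type of Breach"])))
    return hits / len(rows) if rows else 0.0


if __name__ == "__main__":
    rows = parse_breaches(SAMPLE_CSV)
    print(f"{len(rows)} breaches, {total_individuals(rows):,} individuals (upper bound)")
    print("By type:", dict(count_by(rows, "Type of Breach")))
    print("By location:", dict(count_by(rows, "Location of Breached Information")))
    print(f"Loss/theft share: {loss_or_theft_share(rows):.0%}")
```

To run it against the real download, read the file's contents into `parse_breaches` instead of `SAMPLE_CSV` and check the header line first: if the portal has renamed a column, adjust the field names rather than the logic. The loss-or-theft share is the number worth watching, since those are the breaches that physical security and disk encryption would have prevented.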

So why the post on HIPAA today? Because in a case that is sure to get considerably more exposure than Hartford Hospital or Hollywood Presbyterian, the NFL is in the news today for yet another lost laptop chock full of medical data. The NFLPA just informed its union members that both paper and electronic records of thousands of players were stolen from the car of a Redskins athletic trainer.

Thieves reportedly stole a backpack containing the records of every NFL combine attendee since 2004. In other words, nearly every NFL player drafted during that time as well as many college players who went undrafted.  The backpack contained paper records, a laptop that was password protected but unencrypted, and a zip drive.

The union is playing up the fact that the laptop was password protected, but anyone with even a little technical knowledge knows that is not very helpful. A login password on a laptop only protects against an unauthorized user booting into the operating system and running the programs installed on it; it does nothing for the data at rest on the disk. It's not that difficult to remove the hard drive from a laptop, install it into another computer and read the data off of it.

So let's review, shall we? The easiest way to violate HIPAA still appears to be putting patient data on an unencrypted laptop. There is absolutely no reason for doing this, and there is no excuse. In 2013, it was reported that 60% of all HIPAA violations involved exactly this. The loss or theft of a laptop containing patient data that has been properly encrypted does not constitute a breach. But a laptop that is unencrypted, whether or not it's password protected, certainly does. And while proof of encryption is not necessarily required by law, it certainly doesn't hurt.

Bottom line, HIPAA isn't really that difficult. Learn the law, but a little common sense will get you a long way. Take reasonable measures to protect patient data. Most breaches still involve the loss or theft of data, so physical security and encryption are the key here. If your systems are encrypted, whether or not you believe sensitive data is ever stored on them, then you probably won't have a problem. Encryption is not explicitly required, but it has been ruled that the theft or loss of properly encrypted data is not considered a breach. If you don't leave paperwork, thumbdrives, and laptops unattended, you probably won't have a problem. You can't encrypt printed documents. And if you have any questions, consult someone who knows. There are plenty of them out there, and most are very affordable when compared to the cost of a breach.

And just say no to putting patient data on laptops.  VPN connections are a thing, and they're secure.  Maybe, just maybe, this new disclosure involving the NFL will finally be the medical field's wake up call.  But somehow I doubt it.
