Why You Shouldn’t Take Calculated Risks with Security

The following is a guest blog post by Erin Gilmer (@GilmerHealthLaw).

Calculated risks are often lauded in innovation.  However, with increasing security breaches in the tech industry, it is time to reassess the calculated risks companies take in healthcare.

Time and again, I have advised technology companies and medical practices to invest in security, and yet I am often met with resistance; a culture of calculated risk prevails. To these companies and practices, this risk may make sense in the short term. Resources are often limited, so they often believe that they needn’t spend the time and money on security. However, the notion that a company or a practice can take this chance is ill-advised.

As a recent study conducted by HIMSS (and reviewed by Anne Zieger here) warns, “significant security incidents are projected to continue to grow in number, complexity and impact.” Thus, in taking the calculated risk not to invest in security, companies and practices are creating greater risk in the long run, one that comes with severe consequences.

As we have seen outside of healthcare, even “simple” breaches of user names and passwords, as happened to Under Armour’s MyFitnessPal app, become relatively important use cases, showing the impact a security breach can have. While healthcare companies typically think of this in terms of HIPAA compliance and oversight by the Office for Civil Rights (OCR), the consequences reach far wider. Beyond the fines or even jail time that the OCR can impose, what these current breaches show us is how easy it is for the public to lose trust in an entity. For a technology company, this means losing valuation, which could signal a death knell for a startup. For a practice, this may mean losing patients. For any entity, it will likely result in substantial legal fees.

Why take the risk not to invest in security? A company may think they are saving time and money up front and the likelihood of a breach or security incident is low. But in the long run, the risk is too great – no company wants to end up with their name splashed across the headlines, spending more money on legal fees, scrambling to notify those whose information has been breached, and rebuilding lost trust.  The short term gain of saving resources is not worth this risk.

The best thing a company or practice can do to get started is to run a detailed risk assessment. This is already required under HIPAA but is not always made a priority. As the HIMSS report also discussed, there is no one standard for risk assessment, and often the OCR is flexible, knowing entities may be different sizes and have different resources. While encryption standards and network security should remain a high priority with constant monitoring, there are a few standard aspects of risk assessment, including:

  • Identifying information (in either physical or electronic format) that may be at risk including where it is and whether the entity created, received, and/or is storing it;
  • Categorizing the risk of each type of information in terms of high, medium, or low risk and the impact a breach would have on this information;
  • Identifying who has access to the information;
  • Developing backup systems in case information is lost, unavailable, or stolen; and
  • Assessing incident response plans.

Additionally, it is important to ensure proper training of all staff members on HIPAA policies and procedures including roles and responsibilities, which should be detailed and kept up to date in the office.

This is merely a start and should not be the end of the security measures companies and practices take to ensure they do not become the next use case. When discussing a recent $3.5 million settlement, OCR Director Roger Severino recently emphasized that, “there is no substitute for an enterprise-wide risk analysis for a covered entity.” Further, he stressed that “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”

Though this may seem rudimentary, healthcare companies and medical practices are still not following simple steps to address security and are taking the calculated risk not to – which will likely be at their own peril.

About Erin Gilmer
Erin Gilmer is a health law and policy attorney and patient advocate. She writes about a range of issues on different forums including technology, disability, social justice, law, and social determinants of health. She can be found on Twitter @GilmerHealthLaw or on her blog at www.healthasahumanright.wordpress.com.

1 Comment

  • Hi John and Erin,

    It’s human to say it won’t happen to me. It’s a trickle down as we take calculated risks with our health by ignoring or skipping doctor visits (newest excuse, how do I know my data will be safe, I don’t want anyone to know I have IBS). Calculated risks is the fearmongering elephant in the room when the insurance salesman comes to call. It’s more about where those dollars go – GREED factor – as opposed to how to make those dollars work. I run into this all the time when doing risk assessments; I have to listen to the expense of security. Then I do the cost-benefit analysis and work in the fines and jail time possibilities. It’s still too expensive and why should a private practice have issues – I have no celebrity patients. Momma Mia. I told a Dr. that social security numbers shouldn’t be printed – it’s not a mandate, my EMR company won’t change or mask the numbers.

    Bottom line is the bottom line. There aren’t enough issues to encourage change because the pain is not globally evident. Welcome to the IT world.
