The following is a guest blog post by Justin Campbell, Vice President, Strategy, at Galen Healthcare Solutions.
According to an investigation by ProPublica and the German public broadcaster Bayerischer Rundfunk, medical data of more than 5 million U.S. patients, and millions more globally, can be accessed online with an ordinary web browser and free software. In the US alone, 187 servers were identified as being unprotected by passwords or the basic security precautions that long ago became standard for businesses and government agencies. The Health Insurance Portability and Accountability Act (HIPAA), the 1996 law that requires health care providers to keep Americans’ health data confidential and secure, makes healthcare providers and their business associates legally accountable for protecting the privacy of patient data. Yet these exposures arose largely from a failure to update outdated operating systems with known security vulnerabilities.
“What we typically see in the health care industry is that there is Band-Aid upon Band-Aid applied” to legacy computer systems, said Jackie Singh, a cybersecurity researcher and chief executive of the consulting firm Spyglass Security.
HIPAA violations are extremely serious. Federal civil penalties for noncompliance are tiered by the level of culpability found within the offending organization at the time of the violation, and they scale with the number of patients affected and the degree of neglect. The tiers fall into two broad categories: Reasonable Cause and Willful Neglect. Violations attributable to Reasonable Cause carry civil fines of $100 to $50K per violation, with no jail time. Willful Neglect carries $10K to $50K per violation; knowingly obtaining or disclosing PHI is prosecuted separately under HIPAA’s criminal provisions and can result in criminal charges.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) publishes its HIPAA resolution agreements and civil penalties online, and lists reported breaches affecting 500 or more individuals on its Breach Portal. Examples abound. 2018 was an all-time record year for HIPAA enforcement: OCR settled ten cases and won a summary judgment before an Administrative Law Judge, together totaling $28.7MM from enforcement actions. The largest settlement of the year came in December 2018, when Cottage Health agreed to pay $3MM to settle breaches of unsecured electronic protected health information (ePHI) affecting more than 62.5K individuals. The ePHI was exposed because a security configuration setting of the Windows operating system permitted access to files containing ePHI over the internet without requiring a user name or password.
HHS slaps provider with $150K bill for HIPAA breach for failure to appropriately safeguard patient data
Outdated, unsupported software led to malware infection
Anchorage Community Mental Health Services paid $150,000 to HHS to settle potential HIPAA violations after the organization failed to patch its systems and continued to run outdated, unsupported software, which eventually led to a malware data breach affecting 2,743 individuals.
These cases demonstrate the punitive risk of running antiquated legacy systems. But while penalties for such breaches can be stiff, they are not the only costs an organization faces. A study conducted by the Ponemon Institute on behalf of IBM Security found that healthcare data breaches cost the sector about $408 per patient record, the highest of any industry and nearly three times the cross-industry average. According to the report, breach costs are high in healthcare not just because of the obvious network and system damage or data theft, but because of the damage to reputation, which strains relationships with other businesses and drives patients away. And one of the largest costs is lost time, as employees do damage control after a breach.
Retiring legacy systems through data archiving is a sound business decision that yields a healthy return on investment. Considering only the direct costs of maintaining legacy systems, a data archiving solution can be up to 10x cheaper. Add to that the further benefits of a healthcare data archiving solution: it retains data to comply with record retention laws, gives end users easy access to the data, and simplifies security by consolidating records from multiple legacy systems into a single, unified archive.
Effective HIPAA compliance requires a common-sense approach: assess and address the risks to ePHI on a regular basis. That includes reviewing systems for unpatched vulnerabilities and unsupported software that leave patient information exposed to malware and other threats. Consolidating the application portfolio and retiring legacy systems mitigates security and privacy threats by reducing the attack surface.
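To make the "review systems for unsupported software and stale patches" step concrete, here is an added example; it is not code from the original post or from Galen. It runs a small Python review over a constructed asset inventory and flags hosts whose operating system is past its vendor end-of-support date, is approaching it, or has gone without security updates for longer than an assumed policy threshold. The inventory, the 60-day patch threshold and the 180-day look-ahead window are assumptions; the end-of-support dates in the table are Microsoft's published dates for the listed products, but the table is the operator's to maintain from vendor lifecycle pages.

```python
"""Flag hosts running end-of-support operating systems or stale patch levels.

Added example, not code from the original post. The inventory is constructed
sample data; END_OF_SUPPORT holds Microsoft's published end-of-support dates
for the listed products and must be kept current from vendor lifecycle pages.
The thresholds are assumed policy values.
"""
from datetime import date, timedelta

# Vendor end-of-support dates (Microsoft lifecycle pages; maintain as products change).
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
}

MAX_PATCH_AGE = timedelta(days=60)        # assumed policy: security updates at least every 60 days
EOL_WARNING_WINDOW = timedelta(days=180)  # assumed: warn this far ahead of end of support
AS_OF = date(2019, 10, 1)                 # assessment date used in the sample run

# Constructed asset inventory: hostname, operating system, date of last security update.
INVENTORY = [
    {"host": "pacs-01",    "os": "Windows Server 2003",    "last_patched": date(2015, 6, 1)},
    {"host": "lab-db",     "os": "Windows Server 2012 R2", "last_patched": date(2019, 9, 10)},
    {"host": "ehr-app",    "os": "Windows Server 2016",    "last_patched": date(2019, 5, 2)},
    {"host": "rad-ws",     "os": "Windows 7",              "last_patched": date(2019, 9, 30)},
    {"host": "legacy-hl7", "os": "SunOS 5.8",              "last_patched": date(2012, 1, 1)},
]


def assess(inventory, as_of, eol=END_OF_SUPPORT,
           max_patch_age=MAX_PATCH_AGE, warn_window=EOL_WARNING_WINDOW):
    """Return {hostname: [reasons]} for every host that needs attention.

    A host is flagged when its OS is not in the lifecycle table (support status
    unknown, so the check fails closed and the host must be reviewed), is already
    past end of support, is within warn_window of end of support, or has not
    received a security update within max_patch_age.
    """
    findings = {}
    for asset in inventory:
        reasons = []
        eol_date = eol.get(asset["os"])
        if eol_date is None:
            reasons.append(f"support status of {asset['os']} not in lifecycle table; review")
        elif eol_date <= as_of:
            reasons.append(f"{asset['os']} unsupported since {eol_date}")
        elif eol_date - as_of <= warn_window:
            reasons.append(f"{asset['os']} reaches end of support on {eol_date}")
        if as_of - asset["last_patched"] > max_patch_age:
            reasons.append(f"no security updates since {asset['last_patched']}")
        if reasons:
            findings[asset["host"]] = reasons
    return findings


def unsupported_hosts(inventory, as_of, eol=END_OF_SUPPORT):
    """Hosts whose OS is already past vendor end of support: retire or archive these first."""
    return sorted(a["host"] for a in inventory
                  if a["os"] in eol and eol[a["os"]] <= as_of)


if __name__ == "__main__":
    for host, reasons in assess(INVENTORY, AS_OF).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
    print("retire first:", unsupported_hosts(INVENTORY, AS_OF))
```

Two design choices matter here. An OS that is missing from the lifecycle table is reported rather than silently passed, so a gap in the table (Windows Server 2016 and SunOS in the sample) becomes a review item instead of a blind spot. And end-of-support is reported ahead of time, so a host like the Windows 7 workstation in the sample shows up on the retirement list before the date passes, not after the first breach.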
Security and privacy are only part of a legally compliant, risk-averse legacy system retirement. Successful, risk-minimized healthcare data archiving requires preserving not only the organization-defined legal medical record, but also data sets such as contextual audit trails, referenced data in ancillary systems, data change and version history, and even database metadata. Download the full whitepaper, Legal Considerations for Healthcare Data Archiving, which covers the many legal considerations to evaluate when navigating the complex data structures and data sets, legal and compliance requirements, and continuity of care requirements that characterize effective healthcare legacy application retirement.
About Justin Campbell
Justin is Vice President, Strategy, at Galen Healthcare Solutions. He is responsible for market intelligence, segmentation, business and market development and competitive strategy. Justin has been consulting in Health IT for over 12 years, guiding clients in the implementation, integration and optimization of clinical systems. He has been on the front lines of system replacement and data migration, and is passionate about advancing interoperability in healthcare and harnessing analytical insights to realize improvements in patient care. Justin can be found on Twitter at @TJustinCampbell and LinkedIn.
About Galen Healthcare Solutions
Galen Healthcare Solutions is an award-winning, KLAS-ranked healthcare IT technical and professional services and solutions company providing highly skilled, cross-platform expertise, and a proud sponsor of the Healthcare Data Archiving Series. For over a decade, Galen has partnered with specialty practices, hospitals, health information exchanges, health systems and integrated delivery networks to provide data conversion and archival solutions. Galen has completed over 500 successful data conversion and archiving projects and has experience with over 100 unique systems. Their archiving solution, VitalCenter Online, was recognized by KLAS in its inaugural report, Legacy Data Archiving 2019: A First Look at a Changing Market, for the accuracy and accessibility of its data and for its industry-leading commitment to customer experience. The report showed that “Galen has the highest percentage of customers who report high satisfaction” with a tool that is “exceptionally easy to use” for keeping patient data in context. For more information, visit www.galenhealthcare.com. Connect with us on Twitter, Facebook and LinkedIn.