The Privacy Pinch
Health care providers are under pressure to share data electronically. At the same time, liability exposures from patient data breaches are on the rise, leaving the industry in a tricky position.
Federal law is prodding doctors, hospitals and other health care providers to digitize and share patient records. Stiff penalties await them if they fail to keep the data safe.
The competing demands — to open up yet lock down patient records — illustrate one of the chief cyber risks in health care. A spike in reported data breaches indicates the industry still has work to do. Roughly 6.4 million records were exposed in 2012, up from 500,000 in 2011, according to NetDiligence, a cyber security company that based its findings on claims data.
As providers increasingly rely on wireless and networked devices, they are creating more windows that hackers could smash open, according to insurance executives and privacy experts. The new technology also fuels the risk of disruptions in care, the main business of hospitals and other providers.
Look around a hospital, said Bob Parisi, national practice leader for Network and Privacy Risk at brokerage firm Marsh. “All you see are these incredibly complex and sophisticated machines. All of that data, while it may not be connected to the Web, it’s all basically software- and computer-controlled,” he said. “While the advancements are wonderful, and in many cases truly miraculous, there is a technological dependence or vulnerability that creeps in.”
Such vulnerability presents a security burden complicated by the push to have providers exchange patient data more easily.
Under the Health Information Technology for Economic and Clinical Health Act, or HITECH, providers are earning millions of dollars in reimbursement from Medicare and Medicaid by digitizing medical records and becoming “meaningful users” of the data. That includes sharing records electronically. In 2012, 58 percent of U.S. hospitals exchanged data with other providers, according to the U.S. Department of Health and Human Services (HHS), which said that exchanges have been growing.
At the same time, providers face increased scrutiny from regulators hunting for violations of privacy laws, including the Health Insurance Portability and Accountability Act, or HIPAA. HITECH also contains provisions protecting privacy.
Evidence of aggressive enforcement is seen in the so-called “Wall of Shame,” an online list of privacy breaches maintained by HHS. As of mid-August, the list described 646 breaches, each affecting health information of at least 500 individuals. The incidents range from thefts of laptops to hackers drilling into hospital servers.
In addition to suffering reputational damage from breaches, health care providers face considerable costs and possible class-action lawsuits, according to brokers, insurance executives and legal experts. They have to notify affected patients, hire forensics experts to determine causes and contract with other specialists, such as attorneys and public relations experts, to limit the fallout. Data breaches could be costing health care as a whole around $7 billion per year, according to a study by the Michigan-based Ponemon Institute, which researches information privacy.
Costs may pile up whether or not privacy was actually compromised, according to Kimberly Holmes, deputy worldwide product manager for Health Care at Chubb Group of Insurance Cos.
Under HITECH rules finalized in January, the government may assume every questionable event is a reportable privacy breach, unless a provider can prove otherwise, Holmes said.
IT vendors are touting applications that promise, for example, to confirm that confidential data was not accessed after a laptop was stolen. But, Holmes said, “It’s yet to be seen whether the government is really going to accept those sorts of arguments.”
Providers may err on the side of caution and notify patients no matter what, she said.
Devices at Risk
As providers grapple with privacy rules for electronic medical records, they also have to protect networked and wireless devices, such as pacemakers and insulin pumps, not to mention the many monitors surrounding patient beds.
If malware gets in through any of them, it could impair network performance, corrupt data and hamper remote access, said Melodi Gates, an attorney in the Public Policy group at law firm Patton Boggs.
“And, of course, in the health care delivery market, that means life and death,” said Gates, formerly chief information security officer at Qwest Communications.
So-called “white hat hackers,” who flush out cyber weaknesses in order to warn organizations, have claimed to identify weaknesses in wireless medical devices. There is no confirmed case of a hacked device harming a patient, but an episode of the TV show “Homeland” depicted terrorists breaking into a pacemaker to assassinate the vice president.
“That’s the good news, that this is maybe a threat that we can still address before something like that does happen,” said Jared Rhoads, a senior research specialist with the Boston-based Global Institute for Emerging Healthcare Practices, a part of consulting firm CSC. “But I think all the proof of concept has been done, though, to show that these things could happen, and we need to address it before it does.”
To ensure device manufacturers address cyber security, the U.S. Food and Drug Administration unveiled draft guidance this summer. The guidance focuses on devices as they are being certified. There is less clarity on policies for upgrading security software on devices already in service, Rhoads and others said. As a result, providers may hesitate to apply security updates or make other software changes.
“You hear they are certified for one configuration and one only, so that tends to be the concern: ‘We don’t want to ruin the certification,’ ” said Ilene Yarnoff, a principal focused on cyber security in health care for consulting firm Booz Allen Hamilton.
At the very least, however, hospitals must ensure devices don’t open back doors to their computer networks, Yarnoff said. If the IT staff doesn’t properly locate and track devices, they may be exposed to the Internet.
“Some of the devices, not all of them, have personal health information stored on them, so that becomes an issue as well,” Yarnoff said.
The potential for greater harm exists, but the economic incentives favor straightforward theft. Medical records often contain Social Security numbers, payment information and other personal data that can be used to commit identity theft, insurance fraud and other crimes.
“The No. 1 risk for me in health care still remains privacy and the security of people’s data,” said Ben Beeson, who heads the Global Technology and Privacy practice for brokerage firm Lockton. “I don’t think that’s going to change any time soon.”
Outside hackers are not the only threat. Employees, acting deliberately or negligently, are a common cause of data breaches, said John Mullen, a partner in the Privacy and Data Security group of law firm Nelson Levine de Luca & Hamilton.
The risk increases as more people view records, he said. “If five people have access to your data and you’re told it’s secure, you feel secure. If 500,000 people have access to it, how good do you feel?”
Rogue employees can’t necessarily be prevented from doing harm, he said. But hospitals can establish policies and procedures that raise warning flags if suspicious activity takes place on their networks.
Accidental leaks are more common, and can be reduced by greater education and other steps, such as sending people undercover to test data security and penalizing people who are caught violating the rules.
“People then start to take it really seriously,” Mullen said.
Vendors that handle sensitive data are another source of breaches, and claims in that area are rising, said Catherine Mulligan, national underwriting manager for Specialty Errors and Omissions at Zurich North America.
Under HITECH, vendors can be held directly liable for the privacy of health information, Mulligan said, adding that she recently saw a submission for cyber insurance from a refuse company doing business with a hospital.
Still, health care providers are ultimately responsible for their data, Mulligan said. “We speak at length with health care customers around how do you vet your business partners and their policies and procedures to make sure they are up to the same level as yours,” she said.
When breaches do take place, cyber insurance policies have been responsive, said William Um, an attorney in the Los Angeles office of Hunton & Williams. He represents policyholders in insurance recoveries for data breach and privacy issues.
That’s not surprising in a relatively new market, where insurers are still trying to win over new business, he said. In a few years, however, claims could become more contentious.
As more and more claims are made, carriers might start pushing back, he said. Litigation will ensue as parties debate the scope of cyber coverage, Um said. “I’m still waiting for the other shoe to drop.”