Compliance Risk Management for Healthcare Providers
Healthcare has a headache, and it’s called regulatory compliance. HIPAA and PCI -- sometimes even SOX – are regulations that protect patient privacy and financial information. IT is primarily responsible for securing data against intrusion and loss, and for reporting breaches when security fails. So how can IT best manage compliance risk so this never happens?
What’s the Risk?
Data compliance is a huge part of compliance risk management. Last year The Ponemon Institute published “2015 Benchmark Study on Privacy & Security of Healthcare Data.” They surveyed both 90 covered entities (healthcare organizations) and their business associates (BAs) about data breaches and their causes.
Over 2 years, 91% of the healthcare providers reported data breaches. 20% of those cases involved data loss of patient payment details. The consequences are severe: even small healthcare organizations like a doctor’s office may pay over $1 million between fines and patient lawsuits. Deep pocket organizations may pay a great deal more. That’s a lot of money and reputation losses, enough to bankrupt some businesses.
Who Oversees Compliance Risk Management?
For healthcare, PCI DSS (Payment Card Industry Data Security Standard) and HIPAA/HITECH rule the roost. Note that PCI DSS and HIPAA are not the same thing in the healthcare industry. They have different regulations, guidelines, and non-compliance consequences; healthcare organizations must toe the line on both.
Although most healthcare data breaches involve credit card information, HIPAA gets into the act when hackers steal patient identities and healthcare data. Medicare and Medicaid fraud is the usual culprit.
Any business that accepts credit cards, including healthcare, is subject to PCI DSS. PCI is not a federal regulation but a private governance standard made up of major credit card companies. Larger healthcare organizations including hospitals, clinic chains, and retail pharmacies are likely to work with a payment processor. These organizations do not store cardholder data on-site. However, other healthcare organizations like doctor’s offices or labs may process credit cards manually and store cardholder data on their own systems.
All classifications must comply with PCI DSS requirements. Smaller organizations should be especially vigilant if they are storing patient credit card information on their own systems. PCI DSS at a minimum requires offices to train their employees, document credit card processing policies, and physically and digitally secure systems storing credit card data.
HIPAA and HITECH
Unlike PCI, HIPAA is federal law. Health and Human Services monitors HIPAA and bases its audits on Office of Civil Rights protocols. HIPAA investigations can result in jail time along with heavy criminal or civil fines.
HITECH is a HIPAA Section that defines security regulations for stored data including data protection, physical data center security, and administering user access and authentication. These regulations apply to healthcare providers, insurers and clearinghouses as well as their business associates, such as cloud storage providers.
The wide-ranging Section covers both patient health information and personal identifiable information like name and Social Security numbers. HITECH particularly encourages IT to encrypt patient data, and relaxes data breach reporting requirements if compromised data is encrypted.
Find out how Zetta's patented technologies keep your data protected in the cloud.
Steps to Manage Data Compliance Risk
Best practices enable IT to successfully comply with both PCI and HIPAA.
Secure Mobile Devices
Remote employees are the first line of defense with their laptops, tablets, and smartphones. Company policies should include strong password requirements and energetic reminders to not lose their devices in busy airports. (Or behind the couch for that matter.)
IT must also protect devices against the risk of data loss. BYOB policies can make this a little tricky on workers’ personal devices, but companies have the right to protect their own data. Data encryption, strong password control, two-factor authentication, remote wiping, and device tracking are all important to protecting mobile devices against data loss and intrusion. Additional technologies include blocking data transmission to unauthorized devices like thumb drives, and updated antivirus programs are a must.
Some companies are experimenting with thin client laptops that store minimal information on their hard drives. Other companies allow regular laptops but only store work data on protected clouds or over VPNs.
Only Use Compliant Cloud Service Providers
Cloud service providers have jumped en masse into HIPAA compliant backup and storage markets. This is a win-win for the providers and for healthcare organizations who are spending millions of dollars on managing their own data storage.
However, let the buyer beware: simply because a cloud provider is HIPAA-compliant does not mean it’s the only safeguard to rely on for your data. HIPAA Business Associates must sign agreements but it is up to their healthcare customer – you – to do due diligence on compliance risk management. Understand what you are getting by storing regulated data in the cloud and be sure to ask your cloud backup provider exactly how they abide by HIPAA regulations.
Strong passwords and authentication
Passwords and authentication don’t just apply to mobile devices. Hackers can and do infiltrate corporate networks as well. In the disastrous Sony incident, hackers discovered hundreds of user passwords simply by trying ridiculously simple ones like “123456.” Strong user passwords and frequent changes may be a burden for the user who has to juggle multiple password-protected devices. Nevertheless, secure passwords go a long way towards protecting data, and products like master password generators can ease user pain.
Authentication is the IT side of the user password coin. Encrypting passwords transmitted from mobile devices is a good policy, and healthcare organizations should consider multi-factor authentication. It may add some complexity, but will be far less trouble than an embarrassing and expensive data breach.
Encrypting healthcare data is a fundamental protection against compliance risk, but many HIPAA-regulated organizations do not regularly encrypt their data. Some of this reluctance is due to aging EMR applications that lack native encryption. Many HIPAA-certified cloud providers offer encryption, but some healthcare providers are reluctant or unable to trust mission-critical EMR database to the cloud. Other organizations are reluctant to encrypt EMR databases because decryption for querying can affect performance and render the data vulnerable.
Nevertheless, any organization can and should encrypt data on employee laptops. In fact, HITECH does not require that healthcare organizations encrypt laptop data but it does reward it. Providers must notify patients of data breaches if the data is unsecured (i.e., unencrypted). As you can imagine, patients do not react well to these reports and the organization’s reputation and finances will suffer. However, organizations don’t have to report lost laptops to HITECH if the laptop data was encrypted.
The difference can run into real money. A hospice employee lost a laptop that contained 441 unencrypted patient records. The hospice settled at $50,000. And this was a bargain: one Massachusetts hospital was fined $1.5 million when a doctor’s unencrypted laptop was stolen. If IT had encrypted data on the laptops, none of this would have happened.
Putting Compliance into Perspective
Compliance risk management is serious stuff but it doesn’t have to be a big burden on IT. Much of it is simply common sense and best practices for protecting data, which is a prime IT responsibility to begin with. You don’t have to go it alone. There are PCI- and HIPAA-compliant providers that can partner with you at every stage of the compliance game, from risk assessment and remediation to monitoring and reporting.
Help is out there, don’t hesitate to find it. Most of all, don’t hesitate to manage compliance. Delay isn’t worth the risk.