HIPAA enforcement
Small breaches could become a big problem
In a year of high-profile, multimillion dollar settlements for large HIPAA breaches, OCR raised the stakes in a big way?by taking a harder line on small breaches. OCR announced plans to crack down on smaller breaches?those affecting fewer than 500 individuals?in August. Although all breaches must be reported to OCR, generally only breaches affecting 500 or more individuals are regularly investigated, while small breaches are investigated only as resources permit. OCR instructed its regional offices to increase investigations of small breaches to discover the root causes. Identifying common root causes will help the agency better measure HIPAA compliance throughout the industry and address industrywide compliance gaps, OCR said. Regional offices may obtain corrective action if an investigation of a smaller breach reveals noncompliance.
Regional offices were instructed to take several factors into consideration when investigating smaller breaches and determining potential corrective action. These are:
- The size of the breach
- Whether a single entity reports multiple small breaches with a similar root cause
- Whether the breach involves theft or improper disposal of PHI or hacking
A closer look
OCR has come under fire for its handling of small breaches. In late 2015, a joint Pro Publica/NPR investigation analyzed federal data on HIPAA complaints and requested documents from OCR, including letters sent to entities that were the subject of HIPAA complaints (www.propublica.org/article/few-consequences-for-health-privacy-law-repeat-offenders). The investigation identified the top serial HIPAA violators, including the Department of Veterans Affairs and CVS. OCR generally responded to these complaints by sending letters reminding the entity of its obligation to protect patient privacy and follow HIPAA, and warned that if OCR received another complaint it may take more serious action. However, OCR rarely took any further or more serious action.
One reason could be that many of these breaches affect fewer than 500 individuals. Both large and small breaches must be reported through OCR’s web portal (www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html) but there are different deadlines for reporting each and, previously, they were not equally prioritized by OCR.
But that asymmetric enforcement policy left many frustrated and means that OCR may be missing data vital to creating an overall picture of HIPAA compliance and effectiveness. An NPR report released in conjunction with Pro Publica’s investigation revealed the lasting and personal harm done by small breaches (www.npr.org/sections/health-shots/2015/12/10/459091273/small-violations-of-medical-privacy-can-hurt-patients-and-corrode-trust).
Massive breaches caused by hackers will put patients at risk for medical and financial identity theft, but, considering the amount of personal data stored by entities across all industries and the sheer number of data breaches, it’s difficult to tie a specific breach to identity theft (see the July and August issues of BOH for more information on breaches and medical identity theft). Small breaches, however, often expose PHI to people in the community the patient lives and works in, leaving the patient at risk for far more personal harm.
But OCR hasn’t ignored all small breaches. In July, the agency reached a $ 650,000 HIPAA settlement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a business associate (BA), for a 2014 breach affecting 412 individuals after an unencrypted mobile device was stolen (www.medicarecompliancewatch.com/news-analysis/business-associate-agrees-650000-hipaa-fine).
The agency’s strong action may have been spurred by CHCS’ long-standing organizationwide HIPAA noncompliance. CHCS hadn’t conducted a risk analysis since September 23, 2013, the compliance date of the Security Rule for BAs, and therefore had no risk management plan. CHCS also lacked any policies regarding the removal of mobile devices from its facility. OCR suggested that, due to CHCS’ widespread neglect of basic security measures, the fine could have been even higher and only a consideration of the role CHCS plays in delivering care to at-risk populations, including the elderly, disabled individuals, and individuals living with HIV/AIDS, tempered its decision.
Getting perspective
Implementing OCR’s directive may be a tall order for resource-strapped regional offices and it’s difficult to predict what the outcome will be, Kate Borten, CISSP, CISM, HCISSP, founder of The Marblehead Group in Marblehead, Massachusetts, says.
"I’m not sure it’s actually going to make a huge difference, but I think, from the beginning, those of us who were watching HIPAA enforcement were concerned that, while HHS had good intentions, they just didn’t have the resources," she says.
That’s not surprising: HHS is a huge department with many major priorities, including CMS. But, given that HHS and OCR work with limited resources, the new focus on small breaches could be a significant sign of things to come, Borten says. The agency likely recognizes that small breaches are a huge unknown: There’s no "Wall of Shame" for small breaches and little in the way of accountable reporting.
"I just have the sense that there’s an enormous volume of under 500 breaches that get reported that we don’t hear much about," she says. "So I think it’s very important that they take this step."
Some organizations may have been inclined to brush off small breaches: 499 patients is still shy of the 500 mark, she points out, and an organization could easily add it to the end of the year small breach report and forget about it. Those organizations are the ones that will be in for the biggest wake-up call. "Hopefully they’ll hear this and they’ll think again," she says.
Large breaches often grab the headlines, and with good reason. But massive incidents like the Anthem breach may not provide the most useful data for either OCR or other covered entities (CE) and BAs. Massive breaches are statistically unlikely, according to a June 2015 report by researchers at the University of New Mexico and the Lawrence Berkeley National Laboratory (www.econinfosec.org/archive/weis2015/papers/WEIS_2015_edwards.pdf).
"Certainly, you could get hit by one of those big ones," Borten says. "But it’s much more likely, far more likely, you’re going to suffer smaller breaches."
Big breaches come with the risk of big settlements. OCR makes a point of publicizing HIPAA breach settlements and putting the dollar signs front and center. This year alone the agency has levied millions of dollars in HIPAA settlements fines for large breaches. But even as HIPAA breach settlement fines are getting bigger, the numbers don’t stack up against the amount of breaches that are reported each year. Many more organizations get away with little more than a strongly worded letter from OCR. A multimillion dollar fine may be significant for most organizations, but the odds are currently in their favor, Rick Kam, CIPP/US, president and co-founder of ID Experts, says.
"The likelihood that an organization will get fined is so low," he says. "They only catch the big ones, but there are millions of others that are losing data everywhere because nobody’s looking at them."
Too often, organizations assume that if the volume of patients affected by a breach is low, the impact is also low, Borten says, and that’s simply not true. Even a breach involving a single individual’s record can have serious consequences.
As physician practices and local hospitals are absorbed into large corporate health systems, executive perspective on small breaches can become even more skewed, Borten cautions. Executive officers overseeing multiple hospitals, clinics, and physician practices may be more interested in overall numbers and the big picture. A clinical summary handed to the wrong patient at a physician office across the state may simply not register and the impact on the patient will be invisible.
But it’s the duty of privacy and security officers to avoid making that same mistake, she says. "They should be wiser than to fall into that thinking. It falls to them to take a case to the senior leadership or the board of directors and make them recognize that it isn’t just the big breaches," she says. "We worry about the little ones, too."
Privacy and security officers should help provide C-suite the perspective to recognize small breaches and give them the proper weight. A small breach can be just as serious as a large one, Borten says. If an employee posts a patient’s PHI on a social media site, for example, the organization could find itself fighting a lawsuit; even if the case is dismissed, direct legal expenses and time and resources spent preparing documents add up fast. And, as the NPR report showed, it’s not only the patient’s reputation in the community that may suffer; an organization can easily earn a reputation as careless and unconcerned with its patients’ well-being after a small breach.
Small breaches, little data
Because small breaches aren’t investigated to the same standards as large breaches, it’s difficult to measure just how HIPAA-compliant most organizations are and what the real HIPAA pain points are. Another problem is the underreporting of small breaches, Borten says. In 2013 when the HIPAA omnibus rule was released, HHS strengthened the language describing what constitutes a reportable breach. However, HHS also commented at the time that it was concerned there was a significant amount of underreporting. Borten says her experience working with CEs and BAs proves HHS was right to be concerned.
"I think there’s a tendency for underreporting to be more common when there are just one or two patients involved," she says.
In the early days of HIPAA breach notification, some may have been under the impression that CEs and BAs were not required to report breaches affecting fewer than 500 individuals at all, she adds. But that’s never been the case. Although large and small breaches are reported to OCR according to different systems and time frames, organizations are required to treat any breach the same regarding notification to patients.
Adding up
Small breaches are likely more typical than large ones, Kam says. Since 2009, roughly 230,000 breaches have been reported to OCR. But only approximately 1,000 have been breaches affecting over 500 individuals and subject to the more stringent investigation procedure. Investigating all HIPAA breaches would be a daunting task for any agency, but by almost exclusively looking at large breaches, OCR left the door open for repeat HIPAA offenders. Small breaches are reported to the agency at the end of the year, but each breach is counted separately, meaning an organization could experience multiple small breaches that add up to well over 500 individuals affected?yet still not be investigated because no single breach hit the 500 mark.
"It turns out that for breaches in healthcare, most of the time, the record count is under 500 records," Kam says. "So you have these organizations that are breaching multiple times and not really correcting the situation because it doesn’t get highlighted or investigated."
OCR’s instructions to its regional offices appear aimed to close that loophole. Along with phase two of the HIPAA audit program, this could be a sign that OCR is getting serious about collecting facts on HIPAA compliance in the real world and improving education and enforcement. The agency might be realizing that it’s time to change if it expects organizations to take HIPAA compliance seriously.
"If you’re seeing the same problem over and over, you’ve got to do something to change," Kam says. "So far, nobody’s listening."
Data breaches
The cost of a data breach
Complicated Medicare, Medicaid, and private insurer reimbursement rules can easily throw a hospital for a loop and leave it running dangerously low on revenue. An organization’s leaders know they must work better and smarter and make strategic investments that will pay off in savings, while privacy and security officers may sometimes struggle to make the connection between their concerns and those of leadership.
But sound information security programs act as a kind of insurance: money spent up front to protect against an even greater financial loss down the road. Getting that message across can be challenging, but may transform the way an organization approaches information security.
Getting the numbers
Prevention is better than a cure, but privacy and security officers will be expected to back up conventional wisdom with hard numbers. So just how much does a data breach cost on average? The answer depends on the industry, according to the Ponemon Institute’s 2016 Cost of Data Breach Study: Global Analysis (www-03.ibm.com/security/data-breach). The study, sponsored by IBM Security, tracks and analyzes data breach costs and mitigation factors in industries around the world. The average per record cost of a data breach is $ 158 in the U.S., but in the healthcare industry that cost is more than double that at $ 355 per record. That can add up quickly if an organization experiences multiple breaches a year.
Several factors play into the higher costs seen in the healthcare industry, Diana Kelley, executive security advisor at IBM Security, says. Highly regulated industries such as healthcare typically see higher costs for breaches in a combination of fines and administrative costs.
"Whenever there’s a fine coming into play, that could lift up the total cost of recovery post-breach because in addition to all of the work you have to do to eradicate the threat, help your customers, and deal with the cleanup and recovery, you have to pay these fines," she says.
A surprising factor driving breach costs is the cost of breach notification. At more than half a million dollars, the U.S. has higher breach notification costs than any of the other countries in the 2016 Ponemon survey. The U.S. has strong data breach notification laws, Kelley says, and there are both federal and state breach notification laws that organizations must comply with.
What drives that cost? Simply the price of first class postage can quickly add up when breach notification letters must be mailed to hundreds or even thousands of affected patients, Kate Borten, CISSP, CISM, HCISSP, founder of The Marblehead Group in Marblehead, Massachusetts, says. In fact, the rising cost of postage is one way state and federal governments hope to encourage organizations to spend money on prevention rather than remediation.
"The threat of such costs is intended to be a deterrent to lax security and to spur healthcare organizations to do their best to avoid breaches," Borten says. "Some breaches are not avoidable, but many or most are with better, yet still reasonable, security."
Some organizations may only look at fines when calculating how much a breach could cost, but by overlooking the seemingly smaller costs of a breach they may be missing the bigger picture. Breach notification is only one of the smaller individual and indirect costs of a breach that can add up to significant losses. Legal fees, security forensics, and any necessary security replacements or upgrades are only some of the indirect costs. Indirect costs may not be immediately apparent but they hit an organization’s bottom line all the same, Borten says.
"The indirect costs of a breach are probably not well understood by many healthcare organizations, especially smaller organizations that don’t have a good grasp of the Breach Notification Rule and a comprehensive incident response program," she says.
The value of a medical record
Information security may not be a traditionally strong point for some healthcare organizations. Previously, financial and retail organizations were hot targets for hackers after identity and financial information, but healthcare is quickly overtaking those industries. In comparison to the financial industry, healthcare isn’t known for strong security, Borten says.
"One reason is that organizations have been slow to recognize the value of their data. After all, it’s not like money in a bank account or credit card details that can be used for financial identity theft," she says. "Ironically, healthcare data now has a much higher street value than credit card information."
Healthcare organizations are in a unique position because of the amount of data they hold. A retail organization like Target, which experienced a massive data breach in 2013, likely only stores payment card information and mailing addresses, but most healthcare organizations also store insurance information along with sensitive details of an individual’s health. A 2015 survey by the Ponemon Institute and the Medical Identity Fraud Alliance (MIFA), the Fifth Annual Study on Medical Identity Theft, found that more than two million adults were the victim of medical identity theft and fraud in 2014 and according to Ann Patterson, senior vice president and program director of MIFA, that number will only go up.
That prediction may be supported by some of the biggest breaches this year. In July, a hacker offered millions of patient records for sale and posted samples of the records, showing names, contact information, and Social Security numbers, so interested buyers could verify the records. Other incidents this year have seen hackers offering similar teasers. Some of that data is bound to fall into the wrong hands and be used for financial and medical identity theft. Medical identity theft can cost an individual more than $ 13,000 on average, according to the 2015 MIFA/Ponemon survey, but healthcare organizations inevitably wind up absorbing some of the cost in bad debt. (For more on medical identity theft, see the July and August issues of BOH.)
Timing and teamwork saves money
The 2016 Ponemon study drew a link between the cost of a data breach and the time and manner in which an organization responds to the breach. The longer it takes an organization to detect a breach, the more it costs?approximately $ 1 million more per incident, the survey shows. The average overall cost of a breach that took a mean time to identify of less than 100 days was $ 3.2 million, while those that took more than 100 days to be identified cost an average of $ 4.38 million. The time it takes an organization to contain a breach also impacts the overall cost, according to the study.
Having a security incident response team in place lowered the costs. An organized, planned team can act quickly to identify, contain, and remediate breaches, key factors in keeping breach costs down, Kelley says. And that can give a clear picture of the actual return on investment for security in terms that the C-suite will easily understand. "If you’re trying to argue for incident response and building out the incident response plan or growing that team, here’s some real dollar value that you could tie to what the return on investment could be," she says.
Participation in threat sharing also showed a clear win for organizations. Threat sharing can give organizations a heads up on the latest and most common threats and help them make smart security investments and strategic threat reduction measures.
"This is becoming very important in healthcare as it is in all industries," Kelley says. "The attackers are very organized and collaborative: they’re sharing data, they’re sharing their tips and tricks with each other so they can get data more effectively."
If information sharing is winning for the bad guys, it can do the same for the good guys, she adds. Cyber threats shift quickly, making real-time or near-real-time information crucial. Organizations can share information on threats, like suspicious websites and server addresses that launch phishing attacks, and tips on shutting them down. But some may hesitate to engage in information sharing out of concern that it may expose sensitive business and security information.
An IBM study released in February looked at the C-suite’s attitudes and actions on cybersecurity (www-03.ibm.com/press/us/en/pressrelease/49100.wss). More than half (53%) of respondents agreed that information sharing between organizations is important for cybersecurity, yet 68% said they were unwilling to do so. It’s not surprising that chief executive officers would be uncomfortable sharing information with rival organizations but it can be done without disclosing sensitive data, Kelley says.
"Nobody wants to give away the keys to the kingdom, and if you’ve been breached you don’t want to show everybody where you went wrong and how you went wrong," she says. "That’s not the kind of information sharing that we need to do to succeed. What we really need to share is what the bad guys are doing."
An organization doesn’t need to discuss its intellectual property, specific security controls, or other corporate secrets. The information an organization should share could be the general content of a phishing email, the IP address it was sent from, and the type of malware attached. This allows cybersecurity researchers and experts to create protections and update anti-malware and anti-virus software.
And as stakeholders and the Office of the National Coordinator of Health IT continue to push for interoperability, doing your part to ensure other organizations steer clear of hackers and malware could become even more important. "I think the more we tie systems together and we share with our partners, there are a couple things we can do. One of those is sharing information about threats," Kelley says.
Customer cost
No one likes to hear that their personal data has been breached, but how that dissatisfaction plays into the cost of a breach isn’t clear. According to the 2016 Ponemon study, the healthcare industry is the second most vulnerable to what it calls "churn"?a sharp drop in customers following a data breach. This may surprise those who assume healthcare is relatively immune to consumer pressure, but it’s supported by other trends that see healthcare becoming consumer-driven. It might also offer a clue as to how strongly some patients feel about breaches of PHI. It’s relatively simple to change banks, but changing healthcare insurers or providers is a more complicated process that takes more motivation, Kelley says.
"What’s it cost you to go from one bank to another bank if you don’t like their practices or they suffered a major breach?" she says. "Healthcare, it’s a little bit more difficult, but there’s still a level of choice and healthcare is very personal for people."
But privacy and security officers might want to rely on something other than consumer pressure to make the case for better security, Borten says. Often, patients simply have no better alternative and can’t switch providers or insurers if they’re unhappy over a data breach. And those who do switch may find themselves back in the same system after a few years.
"The reality is more complicated," she says. "As seen in some of the big retail breaches, after some initial falloff, customers come back in full force. In healthcare, some patients may not have other options: they may be locked in to a given provider by their health plan, or they may stay with an organization after a breach because they have long-established relationships they do not want to give up."
Cost conscious
Another recent study on the cost of data breaches by RAND raises questions about how the cost of a breach measures up against other financial risks organizations face. The RAND study, published in the Journal of Cybersecurity (http://cybersecurity.oxfordjournals.org/content/early/2016/08/08/cybsec.tyw001), found that the average cost of a data breach is roughly equal to an organization’s average IT budget, which is itself only 0.04% of an organization’s estimated revenue. The study authors suggest that public concerns about data breaches don’t match up with the relatively modest financial impact on organizations. Organizations, like individuals, are often motivated by self-interest and will not spend on risks that don’t have a significant impact on them; expecting them to act otherwise is not realistic, the study argues.
While that may in fact be the attitude of some executives when faced with competing demands and costs, the study leaves some significant questions unanswered. Bad debt is identified by the RAND study as the top financial risk for healthcare organizations, but data breaches can add to that cost. Victims of medical identity theft may be hit with thousands of dollars in medical expenses someone else racked up under their name. These fraudulent bills often wind up adding to an organization’s bad debt. Bad debt may often be a problem an organization can’t control, but by reducing data breaches, an organization can cut its risk of bad debt caused by medical identity theft.