
Page 1:

HIPAA Security: A Decade of Breaches

Marion K. Jenkins, PhD, FHIMSS

Chief Strategy Officer

3t Systems

DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or position of HIMSS.

Page 2:

Conflict of Interest

Marion K. Jenkins, PhD, FHIMSS

Has no real or apparent conflicts of interest to report.

© HIMSS 2015

Page 3:

Learning Objectives

1. Discuss the HIPAA Security Rule and how it relates to IT best practices and security policies.

2. Identify the major root causes of the 900+ HIPAA breaches reported by HHS, and identify how the mandated remediation efforts are insufficient and ineffective, and how they fail to correct the underlying issues.

3. Explain how the principles of IT best practices and effective IT security policy development and compliance are both necessary and sufficient to satisfy HIPAA Security Rule compliance, and eliminate the true underlying causes of HIPAA breaches.

4. Classify the primary HIPAA breach root causes in terms of internal versus external, user-caused versus outsider-caused, etc.

Page 4:

Learning Objectives: Pre-Quiz

1. Since HHS has been tracking HIPAA breaches since 2009, in the last year the number of reported breaches has

A. Stayed about the same

B. Decreased significantly (e.g., by more than 25%)

C. Increased significantly (e.g., by more than 25%)

2. The true cause of most HIPAA breaches can best be traced to:

A. New technologies that have been developed since the original HIPAA Security Rule became effective in 2005, and weren't covered back then.

B. Hackers and other nefarious external threats.

C. Internal employee behaviors, such as snooping.

D. Bad IT design, coupled with bad employee compliance behaviors, where employees doing "legitimate" work end up defeating or working around security procedures.

3. True/False: The best way to ensure HIPAA compliance is to make usernames and passwords longer/more complex, and make users change them more frequently.

Page 5:

The HIMSS Value STEPS of Health IT and this presentation:

• Satisfaction

– Patient Satisfaction: Patient trust and satisfaction are definitely negatively impacted by the increased number of HIPAA breaches.

• Treatment

• Electronic Information/Data

– Data Sharing and Reporting: Lack of HIPAA Security compliance can limit data sharing among different healthcare entities across boundaries of care.

• Prevention and Patient Education

• Savings

http://www.himss.org/ValueSuite

Page 6:

Video Clip: If US Airlines worked like the US Healthcare System

https://www.youtube.com/watch?v=5J67xJKpB6c

Page 7:

Outline

• HIPAA Overview – key definitions, brief history

• Examples of HIPAA breaches to date

• The biggest HIPAA threats

• Real life HIPAA breach example

• Cloud – is it HIPAA compliant?

• Questions/discussion

Page 8:

HIPAA (one “P”, two “A”s)

• HIPAA stands for:

– Health

– Insurance*

– Portability**

and

– Accountability

– Act

*(not information)

**(not privacy)

Page 9:

HIPAA Breaches - Some macro numbers

• HHS-reported HIPAA breaches since 2009

– 600 993 1185 breaches of more than 500 records each

– Total is over 22 31 133 million patient records affected

– Largest is 4.9 million records (SAIC – Service Provider) 80 MILLION records (Anthem; payor/healthplan)

– Smallest reported breach (and not on this list) is 441 records (Hospice of Northern Idaho)

– Largest pending judgments are $3-4 BILLION in class action lawsuits (Sutter Health, California) and $3-4 BILLION against SAIC (Service Provider)

All data here and following graphs from:

https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Page 10:

HIPAA Breaches – Type of Breach

• Theft 55%

• Unauthorized access 19%

• Loss 12%

• All other 14%

Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Page 11:

HIPAA Breaches – Source of Breach

• Laptop 25%

• Paper 23%

• Portable 12%

• Computer 11%

• Server 10%

• All other 19%

Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Page 12:

HIPAA Breaches – Words (All Fields)

• Theft 32%

• Laptop 17%

• Computer 12%

• Portable 8%

• Loss 8%

• EHR 0.10%

• All other 23%

Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Page 13:

Some Recent HIPAA Headlines

• Walgreens (1 record; ~$1.44 million judgment)

• Community Health Systems (2nd largest; hacking)

• LA Gay/Lesbian Clinic (hacking)

• Stanford Children’s Hospital (5X offender)

• Oregon Health Science Unit (4X offender)

• UCLA; Cedars-Sinai (celebrity snooping)

• Hospice of Northern Idaho (441 records; 50K)

• Arizona Surgery Center ($100K fine)

• LabMD in Georgia is DOA (CEO is writing a book)

• Anthem Healthcare (80 million records; hacking)

• Premera (11 million records; hacking)

Page 14:

Time to dispel a big myth

• “My HIPAA Security situation is taken care of because I use a certified EHR”

• Number of breaches that have been directly caused by or involved a certified EHR: ZERO!

Page 15:

HIPAA “Chapter and Verse*”

• HIPAA is contained in the Federal Register, CFR Parts 160, 162 & 164:

– Section 164.308 – Administrative

– Section 164.310 – Physical

– Section 164.312 – Technical

– Section 164.314 – Business Associate Arrangements

– Section 164.316 – Policies and Procedures Documentation

*More than 500 pages!

Page 16:

HIPAA on a 3x5 Card: What does the HIPAA Security Rule* Say?

• Covered Entities must protect and secure all electronic protected health information (ePHI) against accidental or intentional causes of unauthorized access, theft, loss or destruction, from either internal or external sources.

* HIPAA Security governs electronic records. HIPAA Privacy governs paper records.

Page 17:

HIPAA Security – Graphical Representation

[Figure: ePHI at the centre, surrounded by the four outcomes to protect against (Improper Access, Theft, Loss, Destruction); CAUSES are split along two axes: Accidental vs. Intentional, and Internal Threats vs. External Threats.]

Page 18:

Definition of ePHI

• “ePHI” is patient health information which is computer based (i.e., created, received, stored, maintained, processed and/or transmitted in, on or through any form of electronic means).

• “Electronic media” includes computers, laptops, memory sticks, USB drives, smartphones, PDAs, servers, data storage systems, backup tapes, disk drives, network systems, email, websites, digital printers/copiers/scanners, etc.

Page 19:

Things HIPAA doesn’t say…

• Length/complexity/change cycle of passwords

• Timeout or logoff time interval

• Type of encryption (e.g., technically WEP for WiFi is actually HIPAA compliant)

• Version of OS such as Win 7, Svr 08 or higher (HIPAA doesn’t name vendor names/products)

• Actually doesn’t mention laptops (or tablets, SmartPhones, PDAs, etc.), just “workstations”

Page 20:

Is this the biggest HIPAA threat?

Page 21:

No, this is the biggest HC threat:

By far, the largest number of threats are caused by, or enabled by, internal users – office and clinical staff*

*Unless you are a very large organization like Anthem…

Page 22:

HIPAA – A Brief History

• HIPAA signed by President Clinton in 1996

– Primary purpose was to make HC insurance portable

– Governed paper records

– Massive increase in administrative burden to HC

– Massive efforts on compliance and training

• HIPAA Security became effective in April 2005

– Most people were unaware or chose to ignore it

– They assumed “IT had it taken care of”

– Thought it was something they had already done

Page 23:

ARRA/HITECH Act 2009

• Part of “Meaningful Use” stimulus – up to $54K/$63K for physicians, millions of $$ for hospitals to adopt EHRs (Medicare/Medicaid)

• Max fines increased from $25,000 to $1.5 million

• Fines apply regardless of:

– Whether docs/facilities are seeking MU funds

– Whether docs/facilities qualify for MU funds (e.g., Ambulatory Surgery Centers, self-pay, etc.)

– Whether the facility has or uses an EHR

Page 24:

P == Portability

• Old days:

– “Cradle-to-grave” patient/doctor relationship

– Records belonged to the practice/physician

– Patients generally could not even see them

• New world order:

– Fragmented HC delivery (specialists, clinics, etc.)

– Practices are caretakers of a larger patient record

– Patient “activism” – records “belong” to them

– Portability made safekeeping rules necessary

Page 25:

Close to home… …in Colorado

HIPAA is Very Real

Page 26:

You don’t want to get one of these nasty grams…

Page 27:

More bad news…only 15 days to respond; threatened penalties

Page 28:

Even more bad news…Freedom of Information Act may make this public

Page 29:

Prior to 2/2009:

– Up to $100 per violation

– $25,000/year cap

After 2/2009:

– $100 to $50K per violation

– $1.5 MILLION/year cap

Page 30:

Yikes!

Page 31:

HIPAA compliance is not optional

• HIPAA compliance is required for practices and hospitals to achieve Meaningful Use

• Annual risk assessments are required

• HHS is doing unannounced audits

• HIPAA compliance is required with/without EHR and with/without Meaningful Use

Page 32:

Is “Cloud” HIPAA compliant?

• Some are; many are not

• Most public cloud services are inherently unsafe and are not HIPAA compliant (but unfortunately they are used all the time):

– Examples: Gmail; Hotmail; FaceBook; AOL; Twitter; Flickr; iCloud; basically anything that’s “free”

• Poorly designed/poorly run IT services are bad; moving them to the cloud doesn’t fix them

• If a cloud provider refuses to sign a BAA or provide SLAs that’s a showstopper

Page 33:

Cloud HIPAA Headlines

• “Mobility and Cloud [Are] Keys to Fulfilling Promise of EMRs” (HealthcareIT News)

• “Cloud solutions allow healthcare organizations to deliver critical patient data…” (IDG White Paper)

• “Use the Cloud to Reduce HIPAA Risk” (HealthcareIT News)

• “Google, Microsoft agree: Cloud is now safe enough to use” (C|Net; Annual RSA Security Conference)

Page 34:

Key takeaway points

• HIPAA breaches are increasing dramatically

• No HIPAA breaches have occurred inside an EHR

• A certified EHR doesn’t guarantee compliance

• HIPAA compliance is not optional

• HIPAA breaches are not limited to big facilities

• Most breaches are user-caused/user-enabled

• Proper cloud services are one way to secure ePHI

Page 35:

Learning Objectives: Pre-Quiz (Answers)

1. Since HHS has been tracking HIPAA breaches since 2009, in the last year the number of reported breaches has

A. Stayed about the same

B. Decreased significantly (e.g., by more than 25%)

C. Increased significantly (e.g., by more than 25%)

2. The true cause of most HIPAA breaches can best be traced to:

A. New technologies that have been developed since the original HIPAA Security Rule became effective in 2005, and weren't covered back then.

B. Hackers and other nefarious external threats.

C. Internal employee behaviors, such as snooping.

D. Bad IT design, coupled with bad employee compliance behaviors, where employees doing "legitimate" work end up defeating or working around security procedures.

3. True/False: The best way to ensure HIPAA compliance is to make usernames and passwords longer/more complex, and make users change them more frequently.

Page 36:

Review of HIMSS Value STEPS:

• Satisfaction

– Patient Satisfaction: Patient trust and satisfaction are definitely negatively impacted by the increased number of HIPAA breaches.

• Treatment

• Electronic Information/Data

– Data Sharing and Reporting: Lack of HIPAA Security compliance can limit data sharing among different healthcare entities across boundaries of care.

• Prevention and Patient Education

• Savings

http://www.himss.org/ValueSuite

Page 37:

Questions/More Information

Marion K. Jenkins, PhD, FHIMSS

Chief Strategy Officer

3t Systems

303.918.8853

[email protected]