Utilizing better communication, implementing a universal HIPAA audit certification system, and embracing cyber insurance are just some of the recommendations for better healthcare data breach prevention recently put forth by the Brookings Institution.
Brookings Institution’s Center for Technology Innovation Fellow Niam Yaraghi discussed some of the underlying factors in healthcare data breaches, as well as current obstacles organizations are facing.
Yaraghi and fellow researchers conducted 22 in-depth interviews with “key personnel at a variety of health care providers, health insurance companies, and their business associates,” according to the report.
The healthcare industry is more vulnerable to privacy breaches because it holds more valuable data for hackers, the paper explained, and that data is being stored in large volumes for a long time. Moreover, healthcare embraced information technology too late and too fast, and did not have strong financial incentives at first to prevent privacy breaches.
“Every breach is an expensive learning experience for the involved organizations. Yet, the lessons learned from these tragic experiences are rarely documented and are never shared with other entities in the industry,” Yaraghi wrote. “As long as the factors that lead to privacy breaches are not documented and shared, others are equally likely to experience the same incidents in the future.”
Citing data from the Office for Civil Rights, Yaraghi added that more than 155 million Americans have had their medical information exposed without their permission since 2009. This stems from approximately 1,500 breach incidents.
Another key finding from the report is that more individuals are being given access to healthcare information than before. In the push for integrated care, more organizations are utilizing data sharing. This extended access also increases the risk of a healthcare data breach.
“Privacy breaches used to have little to no effect on the revenue stream of health care organizations, and thus, they did not have strong economic incentives to invest in digital security and patient privacy,” the report explained. “In addition to the high remediation costs, new types of cyber-attacks, specifically ransomware attacks, now threaten the core businesses of hospitals. Thus, they have much higher economic incentives to invest in information security.”
Not only does patient privacy need to be better prioritized, but healthcare organizations need to take advantage of the existing knowledge and technology for breach prevention. Such resources need to be utilized to their full potential.
Better communication between industry stakeholders will also play a key role in curbing future data breaches.
“Information sharing about security technologies, privacy policies, and breach incidents should take place among health care organizations and also between health care organizations and federal agencies,” according to Yaraghi. “Health care organizations should be encouraged to use the full potential of currently available platforms to better share information amongst themselves.”
A universal HIPAA audit certification program can also assist in data breach prevention. OCR audits serve more as a punishment, and the agency should focus more on prevention. Implementing random audits before an incident will ensure that a breach does not occur in the first place.
“OCR should accredit certification agencies that can conduct preventive audits in accordance with OCR standards and certify the compliant organizations,” Yaraghi maintains.
Another key recommendation in the research was for healthcare organizations to take advantage of cyber insurance. This will give entities “a direct economic incentive to reduce their cyber insurance premiums by addressing their security weaknesses and preventing privacy breaches.”
Additionally, cyber insurance companies will be conducting regular audits of their healthcare organization clients to ensure that they are utilizing appropriate privacy measures.
“In the long run, a cyber insurance market can fundamentally improve how patient privacy is viewed and managed in the health care sector.”
The interviewed personnel also said that HIPAA regulations were not prescriptive enough, and that the lack of specificity often makes it difficult to know what security measures to put in place.
“HIPAA says that physical security should be in place, but does not mention if you need locks or cameras or both, or how many locks, or what types of locks,” one of the interview subjects explained. “It only says that organizations should increase their employees’ awareness about privacy, but it does not say if they need annual training or quarterly training or frequent tips. We never know if we are complying with HIPAA or not.”
A clear set of requirements would be beneficial because it would be easier for healthcare organizations to evaluate implementation costs, according to Yaraghi.
HIPAA regulations also do not address modern cybersecurity challenges, interviewees maintained. This was found to be especially true for large academic hospitals: “[HIPAA] falls short of expectations when it comes to more advanced challenges of modern cybersecurity that larger organizations with more sophisticated IT capabilities are facing.”
“HIPAA is like the basic driving lessons that teach one how to drive under normal conditions in the city,” Yaraghi wrote. “However, these basic lessons are not enough to become a professional race car driver.”