If Your Healthcare Data is Leaked Chances are Your Doctor’s Office, not an Evil Hacker, is to Blame
New research from Michigan State and Johns Hopkins Universities shows that failed internal information handling and negligence at healthcare providers’ offices account for more than half of personal health information (PHI) breaches.
I don’t know how to cure cancer or how to stop accidental deaths that occur at healthcare facilities, nor do I know how or why health care costs have become what they are. However, thanks to some very sound science which supports my profession, I know how to reduce data leakage. I can’t say exactly how we can bring data protection science into wide adoption by the healthcare industry, but I do hope that a knowledgeable public (you and me) can be part of that process.
Let’s take a close look at where the leaks are most prevalent.
The research shows that 53 percent of unauthorized access or disclosure was the result of healthcare employees “accidentally” sharing information by taking it home, sending it through unencrypted email to the wrong recipients, incorrectly copying or storing information, and placing the data on personal devices.
What can be done to stop these kinds of leaks?
While we cannot make humans perfect, we do know that well-planned and well-executed security awareness training greatly reduces this kind of data leakage, especially if it takes into account human learning theory and knowledge of cognitive biases. Security awareness programs combined with good security policy and controls have been shown to be highly effective in preventing exactly these kinds of breaches.
The good news is that security awareness training programs are some of the least expensive and best “bang for the buck” information security controls. If done well, they could do more to boost healthcare industry profits than they cost to implement.
How can we get healthcare providers to use effective techniques to protect our health information?
Healthcare providers failing to provide adequate protection of our information is nothing new. Even before computers and networking were prevalent, the U.S. Government realized there was a problem, so it created the Health Insurance Portability and Accountability Act, or HIPAA, originally known as the Kennedy-Kassebaum Bill, a set of regulations that became law in 1996.
So why didn’t HIPAA “solve” everything?
Opinions vary, but if enacting regulations could solve every complex and evolving problem, the world would be a different place than it is today. HIPAA has indeed made a difference. In many ways your personal information is safer now that we have HIPAA, but the government solution also created cumbersome complications and bottlenecks.
Often the best solutions are created by those who know their own business when they work in cooperation with subject-matter experts. The billion-dollar question is: how do we successfully encourage industries like healthcare to take such actions?
Consider the old adage “You can take a horse to water but you can’t make him drink.” Or CAN you?
In the case of HIPAA we took the horse and threw him in the lake hoping that some water might get swallowed in the process.
We know that many in the healthcare industry dread more than appreciate the regulations of HIPAA and simply “check the box” when it comes to security compliance, rather than actually taking the issue to heart. HIPAA requires that security awareness training be given to everyone who handles personal health information, so why has that not solved the problem? Security awareness training, when perceived by healthcare employees as government-mandated “red tape,” will not be taken seriously.
Some emerging market changes might bring new hope for getting our horse to drink.
While we might like to think that the healthcare industry runs solely on a desire to help our fellow man, in reality it is driven by money and competition.
I am sure most of us have seen billboards, commercials and other marketing materials by healthcare providers trying to convince their potential customers of how good their technology, doctors and staff are. What if you could easily look up the security reputation and compliance of any doctor or healthcare facility and use that to find your best source of care? That day might be close.
A number of companies are producing independent security ratings of all types of organizations. Much like an insurance company might use your credit rating to determine the cost of your car insurance, in the near future health insurers might put pressure on healthcare organizations to have a passing security rating.
Well-informed consumers such as yourself, or your company, might wish to work with SecurityScorecard or other similar products to check on the security reputation of healthcare providers when choosing among them.
Perhaps an independent body, much like the medical boards we have today, could create a compliance rating much like “USDA Approved” or “UL Labs Tested” that would be proudly displayed and lead to more informed healthcare buying decisions across and within the industry.
There is no silver bullet. Motivations are often associated with a cartoon of a donkey presented with a rod and a carrot. HIPAA is the rod and we know how that has worked. Informed consumers and industry insiders can be a powerful carrot if we can find the right way to make decision makers well-informed.
You can make a difference. If you work in the industry, please ask for and seek out good security awareness training that goes beyond a check box and boring videos. If you are not in a role that directly works with security and policy, perhaps you can influence marketing by showing them your security report and talking about competitive advantages. If you do work with policy and have significant organizational influence, seek out the services of a trusted security advisor. A trusted security advisor can help you raise awareness and make an effective plan to put your organization on a path to what is known as security maturity. An organization that has reached security maturity has turned security into a process that supports business practices rather than hindering them.
If you are going to partner with an organization that does healthcare, look up their security score and show it to them. Perhaps it will become the competitive advantage and driving force that gets us back to worrying more about evil hackers than healthcare worker negligence.