PSST! -Security Culture – The Key to HIPAA Compliance


Here is the latest monthly blog from the HIMSS Privacy and Security Committee, called PSST!  Keep reading to learn more about this month's topic, Security Culture – The Key to HIPAA Compliance, by HIMSS P&S Committee member James Brady, PhD, CISSP, CISM, CRISC, CHP, PMP, CPHIMS, FHIMSS, Area Information Officer, Kaiser Permanente Orange County.

It is no surprise that data breaches are still a top concern for healthcare providers.  Anyone following important healthcare events cannot help but notice the continuous reporting of breaches by healthcare organizations.  We all know that compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is at the forefront of many healthcare organizations' strategic priorities.

Many organizations have started to perform privacy and security risk assessments in order to qualify for the Meaningful Use of Electronic Health Records (EHRs) incentives, and to position themselves to avoid the costly penalties that can result from Office for Civil Rights (OCR) audits.  Security frameworks, such as the Health Information Trust Alliance (HITRUST) Common Security Framework and International Organization for Standardization (ISO) 27001, are finding increased adoption within health systems.  More of the top security leaders in healthcare organizations, the Chief Information Security Officers (CISOs) or Chief Security Officers (CSOs), are beginning to gain a seat at the executive table.  In addition, many advances have been made in technical security tools, such as Security Information and Event Management (SIEM) systems, Intrusion Detection Systems (IDS), and Data Loss Prevention (DLP) technologies, to better protect an organization's information.

We are certainly experiencing unprecedented times: information security has never before had this level of attention from both healthcare leaders and the general public.

But if we are experiencing these groundbreaking advances, why is the state of healthcare information security still lacking?  Recent findings suggest that an organization's security culture is one of the most important keys to achieving HIPAA compliance.  How is this the case?  To understand this, let us first take a look at what HIPAA requires.

The HIPAA Security Rule outlines administrative, technical, and physical safeguards for the protection of electronic protected health information, and requires that organizations institute both policies and the management of people to achieve satisfactory compliance.  Interestingly, the Ponemon Institute found in its 2013 Cost of Data Breach Study: Global Analysis that malicious or criminal attacks by hackers or criminal insiders (i.e., employees, contractors or other third parties) are most often the cause of data breaches globally, at over 37 percent of incidents, with an additional 35 percent of breaches involving a negligent insider (e.g., an employee or a contractor working with authorized access within the organization).  As the Ponemon Institute further explains in its 2013 study, "negligent insiders" are "individuals who cause a data breach because of their carelessness, as determined in a post data breach investigation."  In other words, nearly three quarters of the breaches in the study involved a person, either acting maliciously or making a careless mistake, rather than a purely technical failure.  Accordingly, organizations may want to address these internal and external threats as part of their information security program and also develop a culture of security-minded workforce members to mitigate them (including addressing the problem of negligent insiders).  Not only will this improve the organization's risk management process, but this holistic approach to information security may also help the organization with its HIPAA compliance efforts.

According to a HealthcareInfoSecurity article of February 5, 2013, Massachusetts General Hospital, owned by Partners Healthcare, paid $1 million as part of a federal settlement after a breach involving lost documents containing patient information.  As a result of the breach, a series of steps was taken to change the corporate culture, namely, emphasizing the importance of privacy and security, reprioritizing user training and awareness, and having honest conversations about the privacy and security of patients.  In the article, Jennings Aske, who oversees both information security and privacy at Partners Healthcare, stated that this event has "led to a cultural change where people are now self-reporting incidents" and that what he has seen is "a cultural change from the top down, in terms of trying to be compliant and trying to report if there's an incident."

In an interview of December 19, 2012, Mac McMillan, CEO of the security consulting firm CynergisTek, shared that the increased use of EHRs has made it difficult for many healthcare organizations to establish a culture of privacy and security.  He indicated that there are several reasons for this, including the following:

  • Security is rarely discussed at healthcare organization board meetings, even though every facility has security problems.
  • The CISO is often buried in the organizational chart, several steps from the CEO.
  • Less than 50 percent of healthcare IT security professionals have either the credentials or the experience necessary to put together a budget.
  • The amount of the IT budget devoted to security is often less than 1 percent at healthcare organizations, compared to 6 to 12 percent in other regulated industries.

McMillan concluded that healthcare’s security culture leaves a lot to be desired because leaders don’t take security seriously and employees simply follow that example.

It is important to note that small physician practices can also benefit from developing a security culture.  According to a press release of April 17, 2012, the U.S. Department of Health and Human Services (HHS) reached a $100,000 settlement with Phoenix Cardiac Surgery, a physician practice group, over alleged HIPAA violations.  Subsequent to this incident, Joy Pritts, the Chief Privacy Officer at the Office of the National Coordinator for Health Information Technology (ONC) at HHS, emphasized the importance of building a privacy and security culture in her keynote presentation at the iHT2 Health IT Summit in Atlanta, noting that building a privacy and security culture in healthcare organizations is critical, with the tangible benefits being compliance with HIPAA, good business, and simply doing the right thing to ensure patient trust.

The above information, along with an increasing number of articles and research findings, points to the benefits achieved by organizations that have developed a culture of security.  For those looking for guidance on developing a security culture, a Cisco article provides five tactics that organizations should consider:

  1. Align Information Security with Business Strategy – Align information security with business strategy so that information security is seen as a business enabler instead of a hindrance to productivity.
  2. Practice Risk Transference – Raise security awareness to the business level, so that business leaders own the security risks of their operations and security becomes a priority within the organization.
  3. Create Security Process for Leadership – Build security process into your leadership team's behaviors, including those of your organization's executives and their administrative support teams.
  4. Keep Executives Informed – Make sure executives are apprised of incidents on a regular basis, so that they are not only aware of incidents but educated about actual events.
  5. Talk about Security in Business Terms – Use statistical and financial models to demonstrate that spending money on prevention produces savings each and every year.

About Lee Kim JD, FHIMSS

Lee Kim JD, FHIMSS is HIMSS Director, Privacy and Security.
This entry was posted in Privacy and Security, Public Policy.

2 Responses to PSST! -Security Culture – The Key to HIPAA Compliance

  1. Vijay says:

    Really a wonderful key is HIPAA compliance; the same information is at the link.

  2. Hello,
    Private medical information must be secured, and user access to the information has to be restricted to users who need the information. You must have BAAs (Business Associate Agreements) with vendors and other companies privy to your stored data. The regulations are constantly changing; you must be up to date with the new rules and regulations.
