Register to receive a printed copy(For Lexis Practice Advisor® Subscribers Only)
Lexis Practice Advisor®Free Trial
Learn More AboutLexis Practice Advisor®
By: Kimbely Metzger, Ice Miller.
Medical identity theft, and incomplete patient disclosure due to cybersecurity concerns, can be dangerous—even deadly—to individuals and can compromise community wellness. Breaches of health information can have serious economic and other consequences for providers as well. This article discusses the cybersecurity landscape in health care, medical identity theft, patient disclosures, and the implementation of a security management program for health information.
BREACHES OF HEALTH INFORMATION CAN HAVE SERIOUS consequences for both providers and patients. It is easy to imagine the financial implications of cybersecurity incidents and data breaches.1 The effort and expense associated with investigation, forensics, mitigation of damages, lost good will and reputation, billing problems, and the monitoring and untangling of consumer credit are significant and can have far-reaching effects for all parties.
While monetary losses are a large and well-known part of an incident or breach, compromised data security at health organizations can also contribute to a less recognized but perhaps more insidious problem: poorer health outcomes.
Health organizations hold a wide variety of highly confidential, personally identifying information (PII) that can wreak havoc in the wrong hands. Names, addresses, dates of birth, Social Security and driver’s license numbers, and financial account information are data points with which wrongdoers traditionally seek to commit financial identity theft. Records from health organizations contain this information and more. By their very nature, health records include data of an extremely private and personal nature related to patients’ overall physical condition, disease states, medical ailments, disabilities, and insurance, including Medicare, Medicaid, and Social Security (medical PII). Breach and misuse of medical PII, or even the perceived risk of breach or misuse, can cause physical as well as financial harm. As Federal Trade Commission (FTC) commissioner Terrell McSweeney remarked in March 2015:
Because health records contain information that could be particularly embarrassing if disclosed, a patient who is insecure about a provider’s data practices might fear revealing sensitive, but highly relevant, medical information such as smoking status, risky sexual behavior, drug or alcohol use, and mental health concerns. If an incident or breach actually occurs, a patient’s medical PII could be used to commit medical identity theft (the fraudulent use of medical credentials to receive or bill for health care), resulting in a “mixed medical record” and serious physical harm to the patient.
Security incidents and data breaches are prevalent in health organizations. From cyberattacks and systems failures to employee negligence and malicious insiders, the question is really no longer if, but when and how, an incident or breach will occur. Small health care providers, who believe their size and low profile immunize them from attack, may actually be at higher risk because they are less likely to take protective action (and criminals know this).
The Ponemon Institute’s recently published Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data paints an unsettling picture: during the last two years, 65% of represented health care organizations experienced electronic-based security incidents and 54% experienced paper-based security incidents. More than 90% had a data breach, and 40% had more than five breaches. The study estimates that the health care industry accounted for 44% of all 2013 data breaches—more than any other economic sector.
Several factors have converged to create a perfect storm on the health care landscape. First, electronic medical PII is more available than ever before. Both the American Recovery and Reinvestment Act and the Affordable Care Act incentivize—and sometimes require—health care providers to digitize patient data. Second, medical PII has high black market value. While estimates vary, one cybersecurity expert who monitored underground transactions posits that stolen health credentials can command 10–20 times the price of a U.S. credit card number.3 Third, health organizations have lagged behind the more traditional targets (financial services and retail) in cybersecurity savvy. Because the transition to digitized health data is relatively recent, the health care sector was simply not pushed to prepare earlier. In April 2014, the Federal Bureau of Investigation (FBI) issued a private industry notification to health care providers warning “[t]he healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely . . . .”4 Cybercriminals recognize that medical PII is a lucrative asset in a less secure environment.
Despite the “universal risk for data breach,” the Ponemon study found that health organizations are not, overall, particularly confident in their ability to detect and respond to incidents and breaches:
The study concludes:
Medical identity theft occurs when a wrongdoer uses health credentials to fraudulently bill for goods or services, or to obtain health care in someone else’s name. The wrongdoer may accomplish this with the true patient’s consent—for example, when the true patient shares health credentials with an uninsured family member or friend—or by stealing the true patient’s medical PII. Medical identity theft is underappreciated but on the rise. The Ponemon Institute estimates the number of victims increased from more than 1.5 million in 2012 to more than 1.8 million in 2013.7
Like its financial counterpart, medical identity theft can cause monetary loss, damaged credit, and reputational harm. Medical identity theft is unique, however, in its ability to cause physical injury via a “mixed medical record.” When a person obtains medical care in another’s name, the fraudulent user’s medical information is integrated with the true patient’s information in a single, corrupted medical record that does not accurately reflect the true patient’s health condition. It is easy to imagine the potential for harm: The fraudulent user’s blood type is given to the true patient, who has a different blood type. The fraudulent user’s medication allergies are attributed to the true patient, who either receives a medicine to which she is allergic, or is denied a medicine to which she is not allergic. The fraudulent user’s “no medications” history is attributed to the true patient, who is given a medicine that interacts with another that he is, in fact, taking.
These potential harms are more than theoretical. The 2013 Poneman survey queried 788 adults who reported they, or a close family member, were the victim of medical identity theft. Of those surveyed:
Medical identity theft is clearly a quality of care issue.
Health care providers’ cybersecurity practices, and patients’ perceptions of those practices, may have profound effects on both patients and public health. A 2014 study by researchers at the Harvard School of Public Health showed that patients who are concerned about their health care provider’s cybersecurity practices are more likely to withhold medical information.
According to this study, more than 12% of respondents had withheld information from their provider because of security concerns.8 Federal government statistics indicate an even higher rate of withholding: compared to the overall population, individuals who strongly disagree that health care providers have reasonable protections in place for electronic health records are almost five times more likely to have withheld information from their provider (33% vs. 7%).9
This withholding impacts both patient care and public health:
Most adults are, naturally, interested in their providers’ health information practices. While the 2014 study has limitations, it indicates—and common sense dictates—that if a patient is concerned about the privacy and security of health records, he or she will be less likely to disclose sensitive health information. This, too, is a quality of care issue as well as a public health concern.
Risk management is essential to every organization. While it is impossible to prevent every security incident and data breach, a security management program helps an organization build a culture of concern, determine potential exposure, and appropriately manage risk to an acceptable level. This, in turn, contributes to better individual and community health outcomes by building patient trust and maintaining the integrity of health records. A robust program also helps health organizations meet applicable state and federal standards, including those found in the HIPAA Privacy and Security Rules and the Medicare and Medicaid EHR Incentive (Meaningful Use) Programs.11 Finally, a strong data management program can help businesses successfully resolve consumer complaints; limit audits, enforcement actions, and penalties by the Department of Health and Human Services Office for Civil Rights (OCR, which enforces HIPAA) or the Federal Trade Commission (which enforces the prohibition against unfair and deceptive trade practices); and reduce liability under other applicable state and federal law.
Reasonableness is the cornerstone of the OCR and FTC approaches to data security. For example, the FTC states that a business’s data security measures must be “reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its data operations, and the cost of available tools to improve security and reduce vulnerabilities.”12 Many aspects of a program are therefore flexible and scalable to the specific needs of an individual organization. However, successful security management programs share key components.
In its 2015 Guide to Privacy and Security of Electronic Health Information,13 the Office of the National Coordinator for Health Information Technology (ONC) provides a sample approach for implementing a security management process in health care. While this approach does not address all the requirements of Meaningful Use or the HIPAA Security Rule, it provides a basic framework for compliance:
STEP 1: Establish a culture of compliance, select a team, and build a knowledge base. This will include designating a security officer, using qualified professionals to assist with a risk analysis, and promoting an organization-wide culture of protecting privacy and securing PII.
STEP 2: Document the organization’s process, findings, and actions. These records will serve as an accurate record for the workforce and will prove essential if the organization is subject to a compliance audit.
STEP 3: Perform a Security Risk Analysis. The risk analysis assesses potential threats and vulnerabilities to the confidentiality, integrity, and availability of electronic PII. In general, the risk analysis will involve determining where electronic PII exists and how it is created, received, maintained, and transmitted (creation of a “data map”); identifying potential threats and vulnerabilities to the data; and evaluating risks and their associated levels—how likely it is that threats will exploit existing vulnerabilities and how this will impact the confidentiality, integrity, and availability of data. The results will inform the organization’s risk management strategy.
STEP 4: Develop an action plan. This involves mitigating the potential risks identified by the Security Risk Analysis, focusing on high priority threats and vulnerabilities. The action plan should account for the organization’s characteristics and environment—and be feasible and affordable. The action plan should include administrative, physical, and technical safeguards; organizational standards; and policies and procedures.
STEP 5: Manage and mitigate risk. This involves implementing the action plan, educating and training the workforce, communicating with patients, and updating vendor contracts.
STEP 6: Monitor, audit, and update security on an ongoing basis. This involves both monitoring the adequacy and effectiveness of the security infrastructure and making needed changes, and maintaining retrospective documentation such as an audit log of who, what, when, where, and how PII has been accessed.
The ONC also offers its Top 10 Tips for Cybersecurity in Health Care,14 generally applicable to organizations of all sizes:
The security of PII is a quality of care issue. Patient concerns can impact disclosure of important health information, and breach of medical PII can lead—among other things—to medical identity theft, a mixed medical record, and physical harm to the patient. While electronic health records offer many benefits to patient care, they also offer new and complex avenues for breach. Wrongdoers recognize both the value of health data and its ever-increasing availability. They will exploit vulnerabilities to obtain this data, regardless of the organization’s size or profile.
A robust security management program will guide organizations in identifying their own security holes and threat environment and in implementing a mitigation strategy to reduce potential harm to both the entity and its patients. Successful programs share key components, which may be mandated by applicable state or federal law, such as the HIPAA Security Rule. However, programs are also flexible and scalable to the organization’s size and complexity, the amount of PII it holds, and available resources.
Because patient perception may impact disclosure and thereby quality of care, organizations should proactively communicate with patients about cybersecurity. Communications should emphasize that the organization places a priority on the security and confidentiality of PII, including health information. These communications should be culturally appropriate and take into account any particular needs of the patient population.
Most importantly, the organization should back these communications with documented, ongoing efforts to achieve and maintain a culture of commitment to the privacy and security of patient data. By achieving compliance, health organizations can protect both themselves and their patients and improve the quality of individual care and community health.
Kimberly C. Metzger is a partner in Ice Miller LLP’s litigation group, concentrating her practice in drug and device litigation and data privacy and security, particularly HIPAA privacy compliance. She may be reached at email@example.com.
Article Courtesy of Pratt’s Privacy & Cybersecurity Law Report, Volume 2, No. 2
Copyright © 2016. Matthew Bender & Company, Inc., a member of the LexisNexis Group. All rights reserved. Materials reproduced from Pratt’s Privacy & Cybersecurity Law Report, Volume 2, No. 2, with permission of Matthew Bender & Company, Inc. No part of this document may be copied, photocopied, reproduced, translated or reduced to any electronic medium or machine readable form, in whole or in part, without prior written consent of Matthew Bender & Company, Inc.
1. A useful definition of security incident can be found in the HIPAA Security Rule: “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” 45 C.F.R. § 164.304. A breach typically refers to an actual unauthorized acquisition, access, use, or disclosure that compromises the security or privacy of unsecured data. 2. Terrell McSweeney, Commissioner, Fed. Trade Comm’n, Remarks to the Identity Theft Resource Center, Washington, D.C., (Mar. 18, 2015). 3. Caroline Humer and Jim Finkle, Your Medical Record is Worth More to Hackers than Your Credit Card Number, reuters (Sept. 24, 2014), http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals- idUSKCN0HJ21I20140924. 4. Jim Finkle, Exclusive: FBI Warns Healthcare Sector Vulnerable to Cyber Attacks, Reuters (Apr. 23, 2014), http://www.reuters.com/article/2014/04/23/us-cybersecurity-healthcare-fbi-exclusiv-idUSBREA3M1Q920140423. 5. Ponemon Institute, Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data 3 (May 2015). 6. Id. at 26. 7. Ponemon InstItute, 2013 survey on meDICal IDentIty tHeft, 5 (Sept. 11, 2013). 8. I.T. Agaku, A.O. Adisa, O.A. Ayo-Yusuf & G.N. Connolly, Concern about Security and Privacy, and Perceived Control Over Collection and Use of Health Information are Related to Withholding of Health Information from Healthcare Providers, J. am. meD. Info. assoC. 21:375 (2014). 9. Penelope Hughes, Vaishali Patel & Joy Pritts, Health Care Providers’ Role in Protecting EHRs: Implications for Consumer Support of EHRs, HIE and Patient-Provider Communication, 15 ONC Data Brief (Feb. 2014). 10. See Agaku et al., supra note 8, at 377. 11. Health organizations may also have to comply with other privacy and security laws and requirements, including those in or promulgated by 42 C.F.R. Part 2 (confidentiality of alcohol and drug abuse records), the Family Educational Rights and Privacy Act (FERPA), Title X of the Public Health Service Act, the Genetic Information Nondiscrimination Act (GINA), private-sector contracts, state law, state boards of medicine, state associations, etc. 12. Federal Trade Commission, Data Breach on the Rise: Protecting Personal Information From Harm. Prepared Statement before the Committee on Homeland Security and Governmental Affairs, U.S. Senate, Washington, D.C., (Apr. 2, 2014). 13. The Office of the National Coordinator for Health Information Technology, Guide to Privacy and Security of Electronic Health Information (Apr. 2015), https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf. 14. Department of Health & Human Services, Top 10 Tips for Cybersecurity in Health Care, https://www.healthit.gov/ sites/default/files/Top_10_Tips_for_Cybersecurity.pdf.