Security: healthcare's fixer-upper
The alarming state of affairs, how the industry's slack security is bad for business and what some are doing to step it up
The report examined a HIPAA oversight by a contracted Utah Department of Health employee that turned into one of the largest HIPAA breaches ever reported, affecting 780,000 people. Because a server had been left with a weak default password and the department's IT assets were not managed appropriately, hackers exploited the weakness and made off with Social Security numbers, medical diagnostic codes and dates of birth.
From this incident, Javelin Research estimated some 122,000 cases of fraud would occur, with the total cost pegged at a whopping $406 million and some 20 hours per person to resolve each fraud case.
Moreover, the value of something like a Social Security number has an "indefinite shelf life," added Pascual. "These people are going to be at risk indefinitely," he said.
"Having that much information, storing it all in one place, leaving it unencrypted, hiding it behind weak or default passwords, that would be wholly unacceptable in the financial industry," added Pascual.
Trust and patient health
Then there's the issue of trust and how patients respond following the compromise of their protected health information. This patient response can signify serious long-term consequences for their health and wellbeing, as privacy advocates point out.
"People refuse to see doctors for sensitive conditions because they know the information won't stay private. I'm talking about cancer, depression, sexually transmitted diseases," said Deborah Peel, MD, founder of Patient Privacy Rights, a non-profit consumer privacy watchdog organization, in a 2013 Health Privacy Summit video. "That's a tragedy when people who have very treatable, serious medical illnesses won't get care."
A 2014 Harvard School of Public Health study assessing the privacy perceptions of U.S. adults pertaining to their health data found more than 12 percent of some 1,500 respondents withheld information from care providers over medical security concerns.
Applied to the national population, this percentage represents a potential 38.2 million people withholding medical information from providers. What's more, this number doesn't even account for people who forgo medical treatment altogether due to data security concerns.
Findings underscored "the need for enhanced and sustained measures to ensure the confidentiality, integrity and availability of PHI," researchers wrote. This particularly holds true when considering sensitive data like sexually transmitted infections, mental health disorders and drug misuse.
The consequences of patients withholding information or forgoing treatment are numerous, ranging from less severe – perhaps missed opportunities for smoking cessation counseling due to nondisclosure – to serious medical care consequences and compromising surveillance system data quality. "Patients with infectious, notifiable conditions who withhold all or part of necessary medical information (including relevant travel or social history) may inadvertently put the lives of others at increased risk.
Furthermore, non-disclosure, underinformation or misinformation may jeopardize the data quality of healthcare surveillance systems," researchers concluded.
Might the roughly 6,500 HIV-positive patients whose statuses were accidentally sent in an email to 800 employees of the Palm Beach County Health Department think twice about going back? Or what about the 2,300 patients whose medical records and clinical lab results could be Googled online for a period of four months last year, as happened at New York-based Glens Falls Hospital? Cases like these are far from uncommon, not to mention their far-reaching consequences for patient and provider alike.
Advice and to-do lists
As anyone who's ever worked in IT security can attest, the job is no walk in the park. It's hard work. It's never-ending, and new threats, compliance mandates, vulnerabilities and updates are constantly arising. With strong leadership and a culture of compliance and responsibility to match, however, many healthcare organizations have shown it can be done right, and well.
Beth Israel Deaconess Medical Center's Chief Information Officer John Halamka, MD, said for this kind of career, it's a matter of first understanding: "A CIO has limited authority but infinite accountability." You have to ask, "How do you reduce risk to the point where government regulators and, more importantly, patients will say, 'what you have done is reasonable,'" he said.
This involves thinking about how to encrypt every device and how to protect the data center from both internal and external attacks. "Much of what I have to do is meet with my business owners and ask, 'what are the risks? Reputational risks? Patient privacy breach risks? Data integrity risks?' We're never going to be perfect," he added. "But we can put in place, what I call, a 'multilayer defense.'"
Another fundamental piece to doing privacy and security right? No surprise here: Get your risk analysis done – properly. "This is the single most important document as part of the OCR investigation," said Sessions. "(OCR is) asking for the current one; they are asking for two, three, five years back. They want to see the evolution of what was going on from a risk analysis standpoint at your institution to see if you were appreciating the risk."
This includes safeguards your organization has put in place from technical, physical and administrative standpoints, explained Sessions. Things like staff training and education, penetration tests, cable locks or trackers for unencrypted devices all matter.
"Encrypt; encrypt; encrypt," said Sessions. It's a safe harbor for the HIPAA breach notification requirements, but that still fails to motivate some.
"(Physical theft and loss) is the biggest hands down problem in healthcare that we are seeing," said Suzanne Widup, senior analyst on the Verizon RISK team, discussing the 2014 annual Verizon breach report released in April. "It really surprises me that this is still such a big problem ... other industries seem to have gotten this fairly clearly."
According to OCR data, theft and loss of unencrypted laptops and devices account for the lion's share of HIPAA privacy and security breaches, nearing 60 percent. (Hacking accounts for some 7 percent, and unauthorized disclosure accounts for 16 percent).
"Pay attention to encryption, for any devices that can leave the office," said former OCR deputy director for health information privacy Susan McAndrew at HIMSS14 this past February.
Of course, the healthcare breach numbers are going to be slightly higher because the federal government has mandated specific HIPAA privacy and security breach notification requirements for organizations, but that has no bearing on the reality that these organizations still fail to implement basic encryption practices, Widup pointed out.
Hostetler's Sessions admitted it is a cost concern. "At a time where reimbursements are going down and technology costs are going up with the advent of the electronic health record, there are competing priorities within a healthcare organization of where they can spend their money."
Full disk encryption costs are currently estimated to be around $232 per user, per year, on average, according to a 2011 Ponemon Institute report, a number representing the total cost of ownership. And that number could go as high as $399 per user, per year, the data suggest.
Kaiser Permanente Chief Security Officer and Technology Risk Officer Jim Doggett, however, said encryption presents a challenge not only because of costs but also because of the data itself. "The quantity of data is huge," he told Healthcare IT News.
The 38-hospital health system encrypts data on endpoint devices in addition to sensitive data in transit, said Doggett, who currently leads a 300-person technology risk management team, in charge of 273,000 desktop computers, 65,000 laptops, 21,700 smartphones and 21,000 servers. And don't forget the health data of some 9 million Kaiser members Doggett and his team are responsible for. "This kind of scale presents unique challenges, and calls for the rigor and vigilance of not only the technology teams but of every staff member across Kaiser Permanente," he added.
"A number of providers and other people don't understand that typical unencrypted email; you're not even sure exactly what locations it's going to, whether it could be intercepted or not."
Encryption is also deployed enterprise-wide by the folks at Mayo Clinic. In addition to encrypting Mayo-issued laptops, tablets, flash drives, etc., any outgoing email that contains protected health information must be encrypted unless it is going to a Mayo.edu address, said Barbara McCarthy, health information management services and privacy officer of Mayo Clinic in Florida.