With so much to gripe about with the HITECH Act, I bet many people missed a real devil in its details.
Under the old HIPAA rules, a breach was defined as a disclosure that put an individual’s PHI at “significant” risk – gotta love the specifics! To make things a little clearer, the HITECH Act alters the definition to a “presumption” that a breach of PHI has occurred if that PHI is improperly handled or disclosed. That presumption can be overcome only if the healthcare entity can prove that there was a “low risk” that the PHI was compromised.

Glad HHS cleared this up!
Technology in the healthcare sector is advancing rapidly. Cloud, mobile, and other technologies are reducing costs, giving patients more options, and helping healthcare providers identify ailments quickly. As a security professional, I can attest that these technologies are not “low risk”. The act of simply transmitting data between vendors, or simply being connected to the Internet, is inherently risky.
Large healthcare providers who have been dealing with HIPAA for years have a head start on HITECH compliance. Mature security plans that safeguard data, IT teams, and dedicated security professionals are commonplace. Because of this maturity, the larger organizations can leverage these new technologies and reduce healthcare costs, putting them at a competitive advantage over the smaller service providers. So what about the smaller providers?
All said, the smaller healthcare providers have some unique advantages over their much larger counterparts. For example, smaller service providers are less likely to have large volumes of patient data to manage, have fewer network connections to protect, and have a more intimate relationship with patients that helps define the technologies that most benefit both the patient and the provider. Knowing the risk appetites of both the patient and the service provider is going to be crucial to how healthcare functions - a new dimension of the doctor-patient relationship.
To say the HITECH Act puts the business of smaller healthcare providers at risk may be an understatement. The challenge will be leveraging new technologies while keeping risks low enough to stay off HHS’s website for non-compliance – for sure a daunting challenge for the smaller service providers. There will no doubt be a delicate balance between reducing costs and providing good service. More importantly, as a new generation of connected patients comes of age, market forces will dictate that PHI be mobile and easily received. Here are a few things to consider:
1) Assess your current exposure. Before you implement any new technologies, ask what new risks you are assuming by rolling them out. Map those new risks to your current risk mitigation plan, and if you don’t have a plan, implement one!
2) Transfer risk to your partners. HITECH obligates a legal chain of accountability from one service provider to another. Make sure you clearly understand the responsibilities of your partners, providers, and subcontractors if there is a breach. Don’t get caught on this!
3) Education. Real security happens at the human level. Educate your staff as well as your patients on the implications of improperly using, transmitting, or handling PHI. Humans are the weakest link in any security strategy, but it is far better to have educated humans than ones who “didn’t know” that taking home a thumb drive with PHI on it was really bad!
With some forethought and planning, the future for small service providers is just as bright as it is for the large ones. Wapack Labs knows the risks associated with technology and how those risks can be mitigated. We offer full security solutions for small to medium service providers, including HIPAA gap analysis, security architecture, digital forensics, and advanced threat protection. If you have any questions or comments, email me directly – rgamache@wapacklabs.com.
Rick Gamache is Partner and Managing Director of Wapack Labs. Rick is a CISSP with over 25 years in the security sector and has served as an expert security auditor to the private and public sectors.