Tuesday, September 3, 2013

The Collision of Privacy and the Digital Age

With so much to gripe about in the HITECH Act, I bet many people missed a real devil in its details. Under the old HIPAA rules, a breach was defined as a disclosure that put an individual's PHI at "significant" risk – gotta love the specifics! To make things a little clearer, the HITECH Act alters the definition to a "presumption" that a breach of PHI has occurred if that PHI is improperly handled or disclosed. This presumption can be rebutted if the healthcare entity can prove that there was a "low risk" that the PHI was compromised. Glad HHS cleared this up!

Technology in the healthcare sector is advancing rapidly. Cloud, mobile, and other technologies are reducing costs, giving patients more options, and helping healthcare providers quickly identify ailments. As a security professional, I can attest that these technologies are not "low risk". The act of simply transmitting data between vendors, or simply being connected to the Internet, is inherently risky.

Large healthcare providers who have been dealing with HIPAA for years have a head start on HITECH compliance. Mature security plans that safeguard data, IT teams, and dedicated security professionals are commonplace. Because of this maturity, the larger organizations can leverage these new technologies and reduce healthcare costs, putting them at a competitive advantage over the smaller service providers. So what about the smaller providers?

All said, the smaller healthcare providers have some unique advantages over their much larger counterparts. For example, smaller service providers are less likely to have large volumes of patient data to manage, have fewer network connections to protect, and have a more intimate relationship with patients that helps define the technologies that most benefit both the patient and the provider. Knowing the risk appetites of both the patient and the service provider is going to be crucial to how healthcare functions - a new dimension of the doctor-patient relationship.

To say the HITECH Act puts the business of smaller healthcare providers at risk may be an understatement. The challenge will be leveraging new technologies while keeping risks low enough to stay off HHS's website for non-compliance – for sure a daunting challenge for the smaller service providers. There will no doubt be a delicate balance between reducing costs and providing good service. More importantly, as a new generation of connected patients comes of age, market forces will dictate that PHI be mobile and easily received. Here are a few things to consider:

1) Assess your current exposure. Before you implement any new technologies, ask what new risks you are assuming by rolling them out. Map those new risks to your current risk mitigation plan, and if you don't have a plan, implement one!
2) Transfer risk to your partners. HITECH obligates a legal chain of accountability from one service provider to another. Make sure you clearly understand the responsibilities of your partners, providers, and subcontractors if there is a breach. Don't get caught on this!
3) Education. Real security happens at the human level. Educate your staff as well as your patients on the implications of improperly using, transmitting, or handling PHI. Humans are the weakest link in any security strategy, but it is far better to have educated humans than ones who "didn't know" that taking home a thumb drive with PHI on it was really bad!

With some forethought and planning, the future for small service providers is equally as bright as for the large ones. Wapack Labs knows the risks associated with technology and how those risks can be mitigated. We offer full security solutions for small to medium service providers, including HIPAA gap analysis, security architecture, digital forensics, and advanced threat protection. If you have any questions or comments, email me directly – rgamache@wapacklabs.com.

Rick Gamache is Partner and Managing Director of Wapack Labs. Rick is a CISSP with over 25 years in the security sector and has served as an expert security auditor to the private and public sectors.