Lee McArthur
Account Manager
CCB Tech Group
lmcarthur@ccbtg.com
If there was no HIPAA requirement, would we still care about data security?
The natural response to this question is, "Of course!" It is worth agreeing with that answer and then internalizing it: a medical practice must both use patient information to provide quality care and protect that information from those who would use it to harm the patient.
The potential to "harm" patients has taken on a very different meaning in the last few years than it had previously. "In the old days" that harm would have taken the shape of destroyed or corrupted patient data, because the motive for writing viruses was notoriety, a kind of digital graffiti. Now the drivers are economic, and the players are organized and sophisticated. Stealing a patient's "identity" damages their finances and credit, with far-reaching and lasting consequences for the patient.
The driver for the change in risk is our increasing dependence on, and fascination with, all things internet-related. Just a few years ago the loss of internet connectivity would have been a slight inconvenience at worst; now it can literally stop the wheels of patient care. The internet has offered a lot in terms of productivity and easy access to a world of information, but it also threatens to take a lot if we are not realistic in our assessment of the potential danger.
A question worth asking is, "Who is the bad guy?" I've had personal interaction with "bad guys" in other industries. Whether it was the health inspector who came around periodically to the fast food restaurant where I worked as a teenager and always seemed to find a way to shave points off our score for a food crumb or a misplaced mop bucket, or the IRS agent (as a result of an audit a few years ago) making the most ridiculous claims and ludicrous demands, it is easy to assign the OCR* auditor to the same category.
While roughly 20 percent of the HIPAA regulations do seem laborious and over the top on documentation, it's important to remember that nearly all of the breaches and subsequent fines to date have occurred because of completely botched procedures within the practice (and maybe a little bad luck). Thankfully, the OCR really isn't staffed or present in the marketplace in the same way as the other two inspectors referenced above. This helps the medical practice keep its clarity on who the bad guy really is, and it's not the federal auditor.
Most of the remaining 80 percent of the regulations is satisfied simply by applying common sense to patient care, without even opening the HIPAA guidebook. The patient has already chosen to trust you for your wellness training and professional advice, which means that, by default, they are entrusting their medical history to you as well.
Of course, patients have always trusted you with their records. The irony of electronic medical records and the age of the Internet is that information can be processed and stored far more easily, yet keeping that data safe has become harder and requires more investment. Much as credit card compliance was relatively straightforward when transactions were sent over analog telephone lines, things have gotten faster and better, but they have also become more complicated to secure and maintain.
So what is the answer to the question, "Who is the bad guy?" Who is this digital Bonnie and Clyde cutting a path across the landscape and leaving a wake of calamity and loss? It is the criminal hacker community and hostile nation states. The driver is economic, and that motive is not going away any time soon. As long as the lure of easy financial gain is present, there will be breaches. Just as bank vault security has had to change over time, so will our security response to the threats posed to patient data. The software, tools, and "locks" we use to secure digital healthcare will become more sophisticated and capable, but so will the thieves.
* The Office for Civil Rights (OCR) is the agency within the US Department of Health and Human Services that enforces the HIPAA Privacy and Security Rules, including investigating complaints about failures to protect the privacy and security of health information.