August 5, 2019
It’s a perennial joke based on an uncomfortable truth: hospital gowns often leave exposed things we’d prefer to keep private. So, healthcare consumers can be excused for approaching the new era of digitized health records and electronic communications with health plans with some trepidation.
Their concern is well-founded.
Protected Health Information (PHI) and Personally Identifiable Information (PII) are prime targets for hackers. Business risk intelligence firm Flashpoint says that “healthcare records have historically been a key economic driver of the Dark Web economy for many years due to the fact that they are such a rich source of very specific and in some cases immutable personal information that can be used to initiate many types of fraud – from insurance to identity and tax fraud.”
Nearly every year since the first hacking of a healthcare organization has been dubbed “the year of the healthcare breach,” and for good reason. The trend line is skyward and alarming, as shown by data tracked by HIPAA Journal:
The Journal reports that between 2009 and 2018, breaches have resulted in the theft/exposure of 189,945,874 healthcare records and new healthcare data breaches are being reported at a rate of more than one per day. This information is highly prized on the Dark Web, selling for ten times the price of stolen credit card numbers.
Unfortunately, when it comes to long-term consequences, the loss of PHI is uniquely damaging to the consumer. Trend Micro Global Threat Communications Manager Christopher Budd notes,
“Healthcare data represents the ‘holy grail’ in terms of data theft. When credit card data is stolen, the criminals can use that only until the credit or debit cards are canceled. But how do you ‘cancel’ your social security number? You can’t.”
Protected health information can contain a wealth of sensitive information, such as an individual’s full social security number, their date of birth and their parents’ names and dates of birth—elements frequently requested as answers to security questions or that can be used to apply for identity documents like birth certificates. No wonder consumers are feeling a draft.
At the same time, health plans are seeking to expand the universe of information they collect on members to deliver a more personalized experience and are using more channels and devices to collect and transmit that data.
This intersection of trends is what Forrester Research calls the privacy/personalization paradox, and it has big implications for health plans.
The drive for more personalization in healthcare services and communications is coming as much from the consumer as it is from providers and payers. Forrester Research predicts that “Connected health experiences are becoming table stakes for healthcare providers, more insurers, and pharmaceutical firms. Customers are tracking their personal health data and are more willing to share it with companies that can turn this data into insights and rewards.”
But as closely as members are monitoring their health plans for evidence of personalization, they also have their eyes open for PHI security and privacy failings. Cognizant’s Voice of the Digital Member Survey found that:
“while 70% of all respondents said online data privacy and security are very important, just under 60% agreed they could trust their health insurer to protect the data they supply online. A sizable 40% said they did not agree with that statement.”
Members are worried and watching. Accenture’s 2017 Consumer Survey on Cybersecurity and Digital Trust found that consumers are aware of the source of breaches and are taking action when they feel their data isn’t being handled securely:
Because the relationship between health plan data breaches and consumers switching plans is 1:1, senior leadership is taking notice. Harvard Business Review Analytic Services surveyed 331 organizations and conducted a series of one-on-one interviews with executives and thought leaders around the world and in a wide variety of industries about their data security and privacy perspectives:
Despite their awareness of this healthcare compliance issue, IT leaders are fighting for budget dollars to counter the threat. Forrester Research finds that “As healthcare organizations face pressure to cut costs while improving health outcomes, it will be difficult to divert limited funds to initiatives like information security...” As a result, the healthcare industry as a whole is falling behind.
The prevalence of PHI data breaches and several high-profile breaches at marquee health plans have prompted steps to address the threat from legislatures, regulatory bodies, and industry associations.
In the U.S., HIPAA is the foundational legislation on patient information privacy. In 2003, the HIPAA Privacy Rule and Security Rule established, for the first time, a set of national standards for the protection of certain health information. Through an update in 2006, the Enforcement Rule allowed the Office for Civil Rights (OCR) to take action against covered entities discovered to violate HIPAA Rules.
In 2018, the OCR received $28,683,400 in financial penalties.
Updates to the HIPAA legislation are predictably slow in coming due to the machinations of the U.S. legislative process. But the game has been changed this year with the introduction of the General Data Protection Regulation (GDPR) which is standardizing data privacy laws across the EU.
Cognizant says, “GDPR is HIPAA on steroids. The U.S. healthcare industry is well acquainted with privacy and security regulations, mainly in the form of HIPAA. Yet the GDPR, designed to protect the data and privacy of individual European Union citizens, makes HIPAA look tame in comparison.”
For U.S. companies operating internationally, or even collecting data on EU citizens, whether they are customers or employees, the more stringent requirements of the GDPR will prompt heightened attention to privacy and security. As Cognizant states, “Effective May 25 (2019), the European Union’s General Data Protection Regulation (GDPR) promises to levy business-crushing fines on companies that fail to protect consumers’ personal data.”
“The GDPR is setting a global standard, and U.S. companies will need to comply,” says Marc Rotenberg, president of the Electronic Privacy Information Center, a Washington, D.C., advocacy group. “Big U.S. firms are already required to comply with the GDPR for European markets, so it makes sense to extend a similar approach to the U.S.”
Companies evaluating healthcare compliance issues in light of the GDPR will want to make a note of these key differences:
Complying with the GDPR will require U.S. healthcare companies to shift how they think about the use and sharing of PHI. As Cognizant notes, “HIPAA puts the onus on the patient to discover who has accessed health records and to inform organizations about who may not see health data.
In comparison, GDPR requires more explicit and active consent, and individuals can ask for in-depth descriptions of how their data is being processed and receive the data in an electronic copy that they may then transfer to another party, among other rights.”
Whereas HIPAA was “designed to prevent unauthorized data access within a healthcare ecosystem,” according to Cognizant, the GDPR emphasizes the differences between privacy and security. Forrester Research explains, “While they are closely related, security and privacy are not interchangeable. Data can be highly secured while violating privacy principles; for example, you might encrypt data end to end, but your firm processes it for purposes different than the one agreed on with your customers. Security and risk pros must use security technologies and tools to enforce privacy principles and policies while remembering that security is but one aspect of privacy.”
The need to respond to these healthcare compliance issues has prompted the healthcare industry to seek common standards. The HITRUST Common Security Framework (CSF) normalizes the security requirements of healthcare organizations including federal legislation (e.g., ARRA and HIPAA), federal agency rules and guidance (e.g., NIST, FTC, and CMS), state legislation (e.g., Nevada, Massachusetts and Texas), and industry frameworks (e.g., PCI and COBIT).
According to the HITRUST Alliance, 80 percent of health plans have adopted the framework in some way, either as a best practices resource, as the basis for their information protection program, or as a requirement for third-party vendors.
Another industry association, the American Institute of Certified Public Accountants (AICPA), has developed a cybersecurity risk management reporting framework to help organizations communicate to stakeholders about the systems, processes, and controls they have in place to detect, prevent and respond to breaches.
Cloud security company Threat Stack describes AICPA’s Service Organization Control (SOC) audit: “Its goal is to make sure that systems are set-up, so they assure security, availability, processing integrity, confidentiality, and privacy of customer data… SOC 2 applies to technology-based service organizations that store customer data in the cloud,” which for health plans include member communication providers and cloud data management companies.
The ongoing boom in healthcare innovation will continue to challenge health plans to adapt their member privacy and data security efforts as new applications, devices, and types of health data are collected, shared, and employed. Plans are encouraged to begin preparing now for compliant use of new technologies and protection of communication channels, such as:
Voice-Driven Healthcare - Per Forrester Research, Amazon Alexa is now HIPAA-compliant. Amazon has partnered with Atrium Health, Boston Children’s Hospital, Cigna, Express Scripts, Livongo, and Providence St. Joseph Health to release new HIPAA-compliant skills. HIPAA-compliant voice now paves the way for healthcare organizations to deliver personalized experiences to their consumers.
Internet of Medical Things - “Sensors, artificial intelligence, big data analytics, and blockchain are vital technologies for IoMT [Internet of Medical Things] as they provide multiple benefits to patients and facilities alike,” said Varun Babu, senior research analyst at Frost & Sullivan’s TechVision practice. Unfortunately, with new technologies come new threats. For example, telemedicine and virtual care raise patient data security concerns because of their reliance on mobile devices and unsecured communications links.
Lax Authentication - Cyber risk management firm Clearwater found that the three most common vulnerabilities in healthcare cybersecurity are user authentication deficiencies, endpoint leakage, and excessive user permissions — which, combined, account for nearly 37 percent of all critical risk scenarios.