A key beneficiary of the transformative impact of IT, healthcare is undergoing massive change. Like many other industries, this sector is rebuilding its foundations for information-based business, in which digital data serves as the source of new productivity and value. While Big Data solutions are revolutionizing clinical and pure research, EHR systems are streamlining patient care and management, and business intelligence/analytics software is creating new data-driven efficiencies in institutional operations. From a patient perspective, social/collaborative technologies are transforming the way people — and their data — interact with clinicians, and as mobility and telehealth services gain traction, many patients and practitioners are taking advantage of the new levels of convenience these technologies provide for timely and comprehensive information exchange. A sense of this shift is apparent in the figure below from PwC’s Health Research Institute, which outlines mobile communications trends in healthcare.
But there’s a dark side to the information explosion in healthcare: data breaches are on the rise. According to a new report from the US Department of Health and Human Services Office for Civil Rights, health data breaches nearly doubled between 2011 and 2012, as confidential health information on more than 15 million people was put at risk. Over that period, approximately 458 cases affecting 500 people or more were reported to federal authorities, along with about 47,000 cases affecting smaller groups in which personal information was inappropriately handled. These figures represent a significant spike in both the number of people affected and the actual number of breaches — the majority arising from the theft of an electronic or portable device or of paper health records, from unauthorized access to or disclosure of data, or from the loss of health records.[1]
The growing risk associated with digitization of healthcare information is something that government and regulators are taking with increased seriousness. As Peter Ashkenaz, director of content and media in the Office of the National Coordinator for Health Information Technology noted this month, “What we want to make sure is that patients know how their information is being used, how it’s being exchanged, and they need to be assured that all their information is going to continue to be private.”
To achieve this, government has enacted a series of rules around protection of personal health information. Back in 1996, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA), legislation that defined policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information while outlining offenses and setting civil and criminal penalties for violations. Responding to further expansion of the digital health landscape, the government expanded the scope of HIPAA in 2009 with the Health Information Technology for Economic and Clinical Health (HITECH) Act, which extended compliance requirements to “business associates” of the healthcare entities covered under HIPAA (who had been responsible for many breaches), including vendors of personal health records, imposed new notification requirements in the event of a breach, and created stricter requirements for disclosure of public health information. And in 2013, federal authorities updated this legislation with a final omnibus rule that offered the public even more protection over personal health information — providing individuals with greater control over the sharing of their healthcare information, extending the list of those required to comply, increasing penalties for noncompliance (to a maximum penalty of $1.5 million per violation) and strengthening the HITECH Act’s breach notification requirement by clarifying when breaches of unsecured health information must be reported to the Department of Health and Human Services (HHS).
Designed to ensure greater protection for the privacy of healthcare information at a time when information systems are transferring data faster and farther across more distributed networks than ever before, HIPAA and its associated regulations are also increasing the burden on healthcare providers, not only to ensure health data security and privacy, but to demonstrate their compliance with regulatory requirements as well. In this context, digital technology plays a dual role: it creates the need for greater care, and it also supplies the means to provide it. While the power and capacity of the IT systems that providers have at their disposal today to store, secure and manage data is unprecedented, specialized systems that focus on the unique needs of the healthcare industry are also available to streamline data collection and management for compliance. A good example of this can be found in the Dell Governance, Risk and Compliance software from the Quest portfolio, which together provides a lifecycle management approach to compliance requirements. According to Tim Sedlack, Dell Software product manager in Governance, Risk and Compliance, the ‘cycle’ for an organization begins with an assessment phase, to establish an information baseline and a user access inventory; continues with a remediation phase, in which access and security events are monitored and normalized; and ends with a manage phase, in which rights and permissions are controlled. For each of these lifecycle stages, Dell has developed a corresponding GRC tool:
Enterprise Reporter — a scalable solution for auditing, analysing and reporting on the configuration of Microsoft Active Directory, Windows Server, SQL Server and NAS devices. The goal is to provide visibility into these critical assets in order to build an inventory of user access that can serve as a benchmark for audits, for change migration projects, and for programs to tighten security access. This assessment can also help organizations understand where policies need updating.
ChangeAuditor — this solution audits, alerts and reports on all changes and deletions made to Active Directory, Exchange, SharePoint, VMware, EMC, NetApp, SQL Server and Windows file servers, including LDAP queries against Active Directory, in real time and without invoking native auditing. ChangeAuditor contains built-in reports for a number of regulations, such as SOX, PCI DSS, HIPAA, FISMA and SAS 70, as well as ‘change management’ functionality that provides before-and-after analysis to improve compliance performance. According to Sedlack, the tool works at the network layer to monitor and categorize the “severity” of risk events. To enable proactive programming, it also allows organizations to specify what users are allowed to do — delivering alerts when they do something they are not allowed to do, in order to protect against changes that might compromise compliance.
InTrust — software that securely collects, stores, reports and alerts on event log data from Windows, Unix and Linux systems. With what Sedlack called “one click forensics,” the tool enables organizations to monitor user activity and audits user access to ePHI from logon to logoff. InTrust detects suspicious or inappropriate activity in real time, generating automated email or mobile device alerts for access-related events. Sedlack noted that the solution also has a correlation engine that provides insights beyond what monitoring of individual users can reveal. For example, while monitoring a single user logon might not identify a suspicious event, the engine would raise alarm bells if a user logged on simultaneously from New York and China. According to Dell, InTrust reduces event log management complexity and, through normalization and compression, also saves on storage administration costs, with the ultimate goal of improving information assurance to mitigate risk and enhance compliance reporting.
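To make the correlation Sedlack describes concrete, here is an added example (written for this article, not InTrust’s own logic) that walks a set of constructed logon records and flags a user whose consecutive logons imply physically impossible travel. The pipe-delimited log format, the city coordinates and the 900 km/h speed threshold are all assumptions made for the illustration.

```python
import math
from datetime import datetime

# Constructed sample logon records: timestamp|user|action|city (not real InTrust output).
SAMPLE_LOG = """\
2014-06-16T09:00:00Z|jdoe|logon|New York
2014-06-16T09:20:00Z|jdoe|logon|Shanghai
2014-06-16T09:05:00Z|asmith|logon|New York
2014-06-16T13:30:00Z|asmith|logon|Boston
2014-06-16T09:10:00Z|jdoe|logoff|New York
"""

# Approximate (lat, lon) for the constructed cities; a real deployment would use IP geolocation.
GEO = {"New York": (40.71, -74.01), "Boston": (42.36, -71.06), "Shanghai": (31.23, 121.47)}
MAX_SPEED_KMH = 900.0  # faster than a commercial flight: assumed to be physically implausible

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def parse(log_text):
    """Return (time, user, action, city) tuples sorted by time, skipping blank lines."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, city = line.split("|")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, city))
    return sorted(events)

def impossible_travel(log_text, max_speed_kmh=MAX_SPEED_KMH):
    """Flag a logon whose distance from the user's previous logon could not be covered in the elapsed time."""
    last_logon = {}  # user -> (time, city) of the most recent logon seen
    alerts = []
    for when, user, action, city in parse(log_text):
        if action != "logon":
            continue  # only logons place the user somewhere; logoffs are ignored here
        if user in last_logon:
            prev_when, prev_city = last_logon[user]
            km = haversine_km(GEO[prev_city], GEO[city])
            hours = (when - prev_when).total_seconds() / 3600
            # Same city never alerts; a distance with zero elapsed time (simultaneous logons) always does.
            if km > 0 and (hours == 0 or km / hours > max_speed_kmh):
                alerts.append((user, prev_city, city, round(km), round(hours, 2)))
        last_logon[user] = (when, city)
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOG):
        print("impossible travel:", alert)
```

In the sample data jdoe’s New York and Shanghai logons twenty minutes apart are flagged, while asmith’s New York to Boston move over four and a half hours is not.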
According to Sedlack, functions contained in these Dell products map specifically to HIPAA certification questions, and are capable of providing healthcare institutions and businesses with the information they need to respond to audit inquiries from regulators. This alignment between HIPAA requirements and Dell solutions was explored recently by Steve Marco, president of Modern Compliance Solutions, and Joe Grettenberger, HIPAA consultant at Modern Compliance, an IT consulting and risk management firm focused on the healthcare industry. In a recent project, Modern Compliance considered four HIPAA regulatory mandates and worked with Dell to see where the company’s products were able to provide support. According to Marco, Dell solutions empowered users to comply with 12 of 18 HIPAA standards. With long-term experience in the field, Marco and Grettenberger offered some vivid examples of risk gone wrong — the South Shore Hospital breach, which compromised the personal data of 800,000 consumers and cost the hospital $75,000, for example, or the Blue Cross Blue Shield of Tennessee loss of 57 encrypted hard drives that resulted in a $1.5 million fine — but also practical advice on HIPAA enforcement. Most compliance investigations involve security risk analysis, they claimed, and a “point in time snapshot assessment of risk and compliance” together with a “second picture showing remediation progress” is often helpful in discussions with the Office for Civil Rights enforcement agency, as “compliance is the act of proving the organization’s intent to meet the requirements of the HIPAA Security Rule.” In this work, Marco explained, “curated evidence” like that provided by the Dell tool set is invaluable.
Currently, the Dell GRC solutions are optimized for HIPAA compliance, and though they are not localized for compliance with regulations in other countries, Sedlack added that the toolsets still allow collection, normalization and, ultimately, reporting on data, which would support regulatory requirements in other countries.
[1] PWC. HRI regulatory center weekly newsletter, Jun 16, 2014. http://www.pwc.com/us/en/health-industries/health-research-institute/weekly-regulatory-legislative-news/week-of-06-16-2014.jhtml