Cybersecurity for Case Managers: Background and Impact

 

Cybersecurity is the responsibility of the Information Technology (IT) team, right? Nurses don’t have to worry about that, right?  WRONG!  While IT may be responsible for managing the overall cybersecurity of an organization, each of us has an individual responsibility to be aware of cybersecurity, how it impacts health care and the privacy of our patients, and what procedures we need to follow to assure safe security practices. This article is the first in a series of three that will discuss these topics and how they relate to our individual role as case managers.

 

Working in the medical technology field, I’ve always been very aware of cybersecurity issues, but I became more aware of how relevant it was to the practice of nursing when I attended a webinar entitled "Cybersecurity: Implications for Nursing Professionals" presented by the National Cybersecurity Institute in conjunction with the National Association of Hispanic Nurses. The webinar discussed the growing impact of cybersecurity issues in health care, as well as its financial implications and its impact on patient care. I would like to share some of the information from the webinar, as well as other facts I found while researching cybersecurity.

 

The Healthcare and Public Health Cybersecurity Primer: Cybersecurity 101 describes cybersecurity as the "protection of the cyberspace and related technologies, from records and electronic data to the physical structure of security systems." Cyberspace is the interdependent network of IT infrastructures (the Internet, telecommunication networks, computer systems, and embedded processors and controllers). In simpler terms, cybersecurity is the defensive measures and activities taken to protect a computer or computer system against unauthorized access or attack. It includes infrastructure, data, information systems, databases, hardware components, and software.

While we, as nurses, may not have an in-depth understanding of the intricacies of cybersecurity, it is important for us to understand the evolving role of cybersecurity in health care today and how that affects our role. Threats are becoming more sophisticated while organizations struggle to prioritize and implement more effective security requirements. Unfortunately, the threats usually evolve more quickly than the security measures, so organizations are striving to assure that their measures are dynamic, up-to-date, and include commonly accepted practices.

Over the last 20 years, as computer systems and the internet have become an ever-increasing integrated part of health care, the need for protecting patient information has become much more complex. It used to be rather easy, since records and reports were in hard copies and contained in the patient’s chart, which was in a protected area in the physician’s office, hospital, or health care facility, and only accessible by a limited number of people. Things are very different now. The number of people who have access to patient information is much larger. The information can be sent to multiple people by email, fax, or text and it can be accessed by multiple people from computers, laptops, mobile devices, and smartphones. It can also be stored in numerous places, such as laptops, mobile devices, network drives, CDs, DVDs, thumb drives, and smartphones. While we do have security procedures to try to limit access to only those who have a need to know, ensuring the privacy of patient information is a huge challenge.

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to: protect health insurance coverage for workers and their families when they change or lose their jobs (Portability); protect health data integrity, confidentiality, and availability (Accountability); combat waste, fraud, and abuse; promote the use of medical savings accounts; improve access to long-term care services and coverage; and simplify the administration of health insurance.  

• While HIPAA addressed confidentiality and availability, it wasn’t until  the passage of the HIPAA Privacy Rule in 2003 that national standards were established to protect individuals’ medical records and private personal health information (PHI); set limits and conditions on the uses and disclosures that may be made without patient authorization; and give patients specific rights over their health information.
  

• This was followed in 2005 with the Security Rule that established national standards to protect electronic PHI and required administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI.

• In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act, commonly referred to as the Economic Stimulus Package, to promote the adoption and meaningful use of health information technology, especially for electronic health record (EHR) systems. It also established penalties and fines for violating privacy and security rules, resulting in security breaches. (Finally, 13 years after the passage of HIPAA, there were now fines and penalties that would help ensure adherence and enforcement.)

• The Omnibus HIPAA Rule, enacted in 2013, made modifications to the 15 year old HIPAA regulations to better protect patient privacy and health information in the expanding digital world. The Rule: enhanced patients’ privacy rights and PHI protections; strengthened the ability to enforce civil penalties; clearly defined 3rd party business associates and made them equally liable; redefined data breach more objectively as an "unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information", instead of the previous, more subjective definition which defined it as a "risk of harm to the individual"; and provided a safe harbor provision that encouraged organizations to encrypt data, which is then considered "secured" PHI and exempt from notification obligations.

Now that we have a better understanding of what cybersecurity is and how the HIPAA regulations are used to protect the privacy, security, and confidentiality of PHI, let’s take a look at some statistics on data breaches (the unauthorized disclosure of information) that show the widespread effect and significance that these cyberattacks have on health care.  

• According to a report by Meritalk, 19% of global health care organizations experienced a security breach in 2013. The top causes were:

            o Introduction of malware or virus (58%)
            o Outsider unauthorized access/theft of data (42%)
            o Loss/theft of equipment (38%)
            o User error (35%)

 

• The Identity Theft Resource Center (ITRC) report noted that the number of data breaches in all U.S. industries (banking, business, education, government, and health care) from 2005-2014 reached 5,029, involving more than 675 million estimated records. The number of breaches in 2014 hit a record high of 783, exposing more than 85,611,528 records. Criminal attacks have risen 100% since the first study was released in 2010.

• In the past two years, 90% of health care organizations have had at least one data breach.

• According to Health and Human Services (HHS), 1 in 10 Americans has been affected by a large health data breach.
  

• Health care breaches topped the ITRC 2014 Breach List with 42.5%, an increase from 20% in 2010. Other industries ranged from 5.5% to 33%. One of the main reasons for such a large number of breaches in health care was that PHI is worth roughly 50 times more than credit card or Social Security numbers, since it can be used for Medicare fraud – the most profitable type of identity theft.  In fact, the co-author of the 2014 Data Breach Investigation Report stated that some employees found jobs in health care for the sole purpose of stealing patient information to commit identify theft or tax fraud.

• A report on the Top Healthcare Breaches in 2014-2015 found that 15 major breaches affected 101,093,477 individuals, with five of these breaches involving more than 1 million individuals each. The breaches were caused by: hacking (10), loss/theft of laptop or servers (4), and unauthorized access to paper files (1).  

• A Data Breach Investigations Report conducted across 20 industries in 2013 analyzed more than 1,300 confirmed data breaches and found that the Top 3 Security Threats to the Healthcare Industry were:

            o Theft and loss of laptops and other equipment accounted for 46% of security incidents. Health care was the only industry that had theft and loss as a major cause of security incidents (next closest was public administration at 19%). The high percentage was attributed to the fact that encryption was not being done, therefore a notification report had to be done. If lost or stolen devices had been encrypted, they would not have had to report the incident as a breach, because the data would have been considered "secure".

            o Insider misuse by employees or trusted third parties who intentionally or unintentionally damaged a system or stole data accounted for 15% of security issues. Based on the Ponemon Benchmark Study on Patient Privacy and Data Security, 75% of organization considered employee negligence their biggest security risk, although the study also noted that organizations were lax, because they had not conducted audits to identify who was accessing patient data.

            o Unintentional actions that directly compromised patient information in 12% of the security incidents. Examples included: inserting one patient's information into another patient's envelope; provider websites that allow patients' information to be available to the public; and decommissioning computers or medical devices without properly removing patient information ("rendering PHI unusable, unreadable, or indecipherable").

• Data breaches cost an organization an average of $233/record (cost to investigate, notify, and remediate) and result in 3.2% less revenue the following year due to the loss of business.

• The total cost of breaches in 2014 was estimated to be $5.4 to $5.6 million.

• Breaches also have a significant impact on patients, making them mistrust the system and withhold information: 61% resulted in exposure of personal information and embarrassment; 56% resulted in financial identity theft; and 45% resulted in medical identity theft.

Let’s take a look at some of the factors that make health care data breaches so common. Many health care organizations have old, complex legacy systems, which are harder to patch and easier to exploit, and most maintenance on older systems is done manually, which increases the risk of missing something or making a mistake, opening the system to hackers. Health care organizations also have a large number of different systems that contain huge amounts of data, which makes it very challenging to monitor all the diverse systems for potential vulnerabilities. In addition, many organizations do not have the dedicated resources, time, and money to develop and maintain a realistic, tactical incident response plan and to be able to rapidly mobilize it to isolate an attack, protect critical files, and reduce the amount of information leaving the system.

When looking at the reasons for cyberattacks and the overwhelming statistics related to breaches, one might think we are facing a losing battle to curtail the loss of data. However, there are some encouraging trends that are showing improvement in cybersecurity.  

• A detailed review of HHS data showing breaches of electronic PHI found that: the number of security incidents dropped significantly between 2010 and 2011 and has been slowing going down since then; there were less large breaches in 2013; and the loss of electronic PHI from portable devices has declined steadily since 2010.

             o The theft or loss of data from portable devices should continue to decline significantly due to the safe harbor provision in the Breach Notification Rule that states that "Covered entities and business associates must only provide the required notifications, if the breach involved unsecured protected health information." "Unsecured" means the PHI has not been "rendered unusable, unreadable, or indecipherable" (encrypted). Therefore, encrypting devices and data, which is a relatively simple process, should significantly reduce the number of unauthorized breaches.

• A study on patient privacy and data security for 2013 showed that health care organizations have made some progress in detecting and controlling data breaches:  

            o The number of breaches decreased slightly (those reporting more than 5 incidents was lower in 2013 (38%) than in 2012 (45%).
            o The average economic impact of data breaches was $2.0 million, a decrease of almost $400,000 (17%) from 2012.
            o The size of the breaches also decreased (average records per breach in 2013 were 2,150 in 2013 compared to 3,000 records in 2012).  

So....given these widespread incidents of cyberattacks, the cost of breaches, the business disruption, and the effect on patients, what can we do to stop them? While there is no way to totally stop cyberattacks, the risk of cyberattacks can be significantly reduced if organizations: are diligent about continually reassessing their HIPAA compliant infrastructure; implement HIPAA compliant guidelines and best practices; and continually educate (and monitor) employees regarding their role in cybersecurity.  

Health care organizations have a challenging uphill battle to modernize systems and reduce risks, but it can be done. We have had nine years of data breach research, which helped increase our knowledge of the causes, how to identify potential problems, and what needs to be done to reduce or avert risks. Organizations need to assure that IT teams are provided with dedicated staff that has the resources, time, and money to develop, maintain, monitor, and enforce stringent cybersecurity policies and practices. Employee education is also a critical aspect of reducing risk. Continuous education of all system users needs to be done, so they are aware of their responsibilities in maintaining cybersecurity.
Now that we have looked at the causes and impact of cybersecurity, next month’s article will focus on specific, practical things we, as nurses, can do to help improve cybersecurity and assure we are not the individual responsible for a data breach.