$87M in IT enhancements to ‘unlock’ data, improve health center quality

HHS will provide $87 million in funding to support information technology (IT) enhancements in 1,310 health centers throughout the United States and its territories. The funding is intended to support the health centers’ transition to value-based models of care, promote information-sharing to improve quality of care, allow the centers to use information to support better decisions, and increase their engagement in transforming delivery systems. HHS Secretary Sylvia Burwell stated that the funding “will help unlock health care data and put it to work.”

Health Resources and Services Administration (HRSA) health centers provide comprehensive preventive and primary health care to patients regardless of their ability to pay, adjusting fees based on that ability. Section 10503 of the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) established an $11 billion, five-year Community Health Center (CHC) Fund to strengthen the centers, which was extended by the Medicare Access and CHIP Reauthorization Act (MACRA) (P.L. 114-10) of 2015. Funding for the IT enhancements comes from the CHC Fund.

Health centers that use the funding to purchase or upgrade electronic health record (EHR) systems must ensure that the technology is certified by the Office of the National Coordinator for Health Information Technology (ONC).

Lawmakers, agencies raise specter of ransomware threats to cybersecurity

Ransomware, in which an attacker gains access to a secured electronic system, encrypts data, and demands payment in order to unencrypt the data, looms large as a cybersecurity threat for public and private sector organizations, especially health care providers. Government agencies and lawmakers, alike, have begun to focus on various aspects of ransomware and how organizations can address the growing cybersecurity threat. In a “Dear Colleague” letter providing additional ransomware reference material from various federal administrative and law enforcement agencies, HHS noted three key points for information officers involved in cybersecurity to consider on the subject: (1) unique disruptions; (2) prevention measures; (3) and law enforcement contacts.

Prevention and payment

In a technical guidance document titled “How to Protect Your Networks from Ransomware,” included in the “Dear Colleague” letter, prevention is considered the most effective defense. The guidance stressed that organizations needed to implement an awareness and training program, along with strong spam filters and anti-virus and anti-malware programs to scan emails. In addition, organizations should back up and ensure the security of data.

In instances where the preventive measures fail and a ransomware attack is successful, the guidance noted that organizations should isolate the infected systems as quickly as possible and immediately notify law enforcement. HHS, along with the Departments of Homeland Security and Justice, warned that paying a ransom may actually encourage the criminal enterprise. The Departments stressed that payment did not guarantee an organization would regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after having paid a ransom. Some organizations, after paying, were reportedly targeted again by other cyberattacks.

Not a conventional breach

Representatives Ted W. Lieu (D-Calif) and Will Hurd (R-Texas) asked the HHS Office for Civil Rights (OCR) to focus on guidance development for health care providers to use when responding to ransomware attacks under the disclosure and reporting requirements of the Health Information Technology for Economic and Clinical Health Act (HITECH) (P.L. 111-5) and Health Insurance Portability and Accountability Act (HIPAA) (104-191). The lawmakers also sought guidance on understanding and addressing the differences between ransomware and conventional hacking, noting that although ransomware qualified as a conventional breach, it should not be treated the same or subject to a similar risk assessment.

Unlike other cybersecurity threats, ransomware is particularly disruptive of day-to-day business functions. Ransomware generally executes itself as an encrypted lock around an entity’s servers, storage devices, applications, or files. In order to encrypt files, the ransomware disables access to particular functions, such as access to personal health records. The system access, from a technical standpoint, is a conventional data breach under 45 C.F.R. Sec. 164.402.

In a conventional breach of a health care provider, personal health information is viewed or stolen, infringing on the patient’s privacy rights. Ransomware, instead, denies access to health records of system functions and increases patient safety and service risks. The lawmakers highlighted a recent MedStar Health system ransomware breach which forced the health care provider to shut its computer network down and turn away patients.

The lawmakers suggested that patient notification of ransomware breaches only made sense when the attack resulted in either a denial of access to an electronic medical record or loss of functionality to provide medical services. However, rapid and mandatory notification of government agencies should be made, including information sharing, as soon as ransomware attacks are known. The lawmakers concluded by urging the OCR to include clear guidance related to data modification from ransomware attacks.

Criminal attacks cause most breach incidents, report says

For the second year in a row, more health care organizations reported that criminal attacks are the leading cause of data breaches than any other threat, with 50 percent of covered entities (CEs) attributing data breaches that occurred in their organizations within the last two years to criminal attacks, compared to 41 percent claiming that they were caused by a “third-party snafu.” According to a Ponemon Institute report sponsored by ID Experts, 89 percent of CEs had a data breach in the past two years, and 45 percent experienced more than five breaches in the same time period. Despite the type of attacks, however, employee negligence was a larger concern among health care organizations and their business associates (BAs) than cyberattackers, themselves. The results indicated that organizations may need to reallocate their resources but confirmed that security incidents are now part of the normal course of business.

Breach causes

In addition to reporting that breaches resulted from criminal actions and third-party snafus, CEs reported that only 36 percent of breaches resulted from unintentional employee actions and 8 percent resulted from intentional, but non-malicious, employee actions. Stolen computing devices (39 percent), technical systems glitches (29 percent), and malicious insiders (13 percent) also played a role.

Despite these figures, 69 percent of CEs reported that employee negligence was among their three top concerns related to the security of sensitive and confidential information, compared to only 45 percent who worried about cyberattackers. In an interview with Wolters Kluwer, however, Mac McMillan, FHIMSS, CISM, CEO of CynergisTek, Inc., stated, “I believe the stats are clear hacking accounted for well over 90 percent of the records lost last year with all other categories combined contributed to less than 10 percent of that number . . . It’s the impact of the incident that matters and clearly hacking is having a larger negative impact.”

Rick Kam, President and Co-founder of ID Experts, told Wolters Kluwer, “In health care, there are many ‘data touches’ including multiple employees who can be careless and third parties handling patient data,” including third-party snafus, stolen computing devices, and unintentional employee actions. Unlike CEs, BAs cited unintentional employee actions as the biggest driver of breaches, at 55 percent, with third-party snafus accounting for 52 percent and criminal attacks accounting for 41 percent. Interestingly, only 53 percent of BAs reported employee negligence as a top concern.

Types of attacks

In the realm of cyberattacks, CEs and BAs were both most concerned about denial of service (DoS) attacks, in which attackers make a machine or network resource unavailable to its intended users, for example, by temporarily suspending services of a host connected to the internet. This concern was followed by the threat of ransomware, in which attackers infect systems with malware, which is hostile or intrusive software, and effectively hold system access hostage until the victim agrees to pay a ransom; and malware, in general. Although McMillan acknowledged these threats, he expressed concern that “many health care executives do not fully appreciate the cyber threat they face today.”

Among CEs, medical files far and away contained the data most commonly lost, accessed without authorization, or stolen, with 64 percent of CEs mentioning them, compared to 45 percent reporting billing and insurance records. Among BAs, however, 56 percent reported that billing and insurance records were the data affected, followed by 45 percent reporting payment details.

Patient impact

Covered entities recognized the impact that data breaches can have on patients. Seventy-nine percent stated there is a risk that personal health facts will be disclosed, 66 percent believed patients are subject to an increased risk of medical identity theft, and 61 percent believed they are subject to an increased risk of financial identity theft. Thirty-eight percent of CEs were aware of medical identity theft affecting customers within the past two years, although 48 percent of those instances were attributed to unintentional employee action, compared to 9 percent attributed to criminal attacks. Perhaps those attribution percentages are the reason that only 56 percent of CEs believed that they should provide data breach victims with credit monitoring or medical identity theft protection. McMillan noted a “glaring disconnect” between the figures, but suggested that it may result because “very few ever use the credit protection provided so it becomes a huge expense for nothing.” Kam opined, “organizations are becoming more knowledgeable about what consumer remedies to offer based on the risk presented by the types of information lost or stolen in a data breach.”

Budgets

Health care CEs and BAs believe they are more vulnerable to data breaches than other industries. Fifty-six percent of CEs that have instituted an incident response plan say that more funding and resources are necessary to make the plans effective. However, 52 percent of CEs reported that their security budgets remained the same over the past two years. Only 30 percent reported budget increases, while 10 percent reported decreases. The reported suggested that breaches could be costing the health care industry $6.2 billion.

Report

The report is Ponemon’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data. It is the second report to include BAs among its surveyed entities, reflecting responses from 91 CEs and 84 BAs. (For the 2015 report, see This time it’s crime: the lawlessness of health care data breaches, Health Law Daily, May 8, 2015). Fifty percent of responding CEs were private health care providers; thirty-two percent of BAs were part of the pharmaceutical industry, compared to only 24 percent in the information technology (IT) services/cloud services industries.

What happens on social media doesn’t stay on social media, and other lessons learned at the #HCCAci

Social media was the issue of the day at the Health Care Compliance Association’s Compliance Institute (CI), which was held in Law Vegas, Nevada this year. Throughout the four-day event, health care compliance professionals tweeted, pinned, and “Instagram-ed” their way through the lectures, discussions, and networking events, while at the same time, ironically, learning a great deal about the growing popularity of social media and the dangers it may pose when it comes to your compliance program.

Even before the CI began, attendees were invited to follow the CI Pinterest page and begin to tweet and post pictures to Instagram using the hashtag #HCCAci. During the conference, social media savvy professionals were invited to network in a “Tweet Up” event; even after the conference was essentially over, participants let loose and posted pictures of their adventures in the City of Lights. As such, the role that social media plays in our current professional and personal realms was plain to see simply through the role it played at the CI this year alone.

At the general sessions that kicked off the conference both Dan Levinson, Inspector General (IG), and Leslie Caldwell, Assistant Attorney General of the Criminal Division of the Department of Justice (DOJ), noted that areas of health information security and privacy were among the most important areas to watch. In many of these arenas, according to Caldwell, the government is often behind the learning curve. As such, it would behoove compliance officers to look beyond the guidance put out by these agencies and into the future, with an eye to what new technologies are available and how they are being used.

Donald A. Sinko, Chief Integrity Officer at the Cleveland Clinic and a presenter at this year’s CI, once said that, “One of the greatest risks of social media is ignoring social media.” Presenters at breakout sessions at the CI took heed of that sentiment and focused many of their lectures and discussions on the role that social media and social media-related issues are playing in the compliance world. Most notably, Frank Ruelas, in a presentation “#HIPAA: How Social Media Impacts HIPAA Compliance,” drew lines between how many people use social media, for what purposes, and how those practices can lead to HIPAA breaches in the health care provider environment.

Ruelas encouraged audience members to volunteer their own stories about how social media affected their compliance officers, noting that it makes sense to think about social media–which is often driven by the youth population–and HIPAA together because HIPAA is a teenager itself. Ruelas concluded by urging compliance officers to “codify, illustrate, and judiciously enforce expectations” when it comes to social media use in the workplace in order to get closer to an effective compliance program. In a related presentation on emerging challenges in mHealth, David Holtzman and Web Hull, discussed how mobile health apps and wearables are playing a larger, and in some cases more concerning, role when it comes to health data privacy and security. As Hull put it, the biggest challenge concerning mHealth “is that what we are dealing with now is just the beginning.”

The second day of general sessions brought about a seeming round up of the issues discussed in the previous day’s general and breakout lectures from a somewhat surprising source. Cam Marston, a researcher of generational trends in the workplace and marketplace, spoke to the CI crowd about how individuals in different generations (baby boomers, “Gen Xers,” millennials, etc.) differ in terms of their backgrounds, the ways they were raised, how they act in the marketplace, and, most importantly, how their work attitudes and styles differ. The biggest gap between the generations with regard to work environment and marketplace is perhaps the issues involved with the advance of technology, including the growing popularity of the reliance on social media in our personal and professional lives.

In Ruelas’ social media discussion, one compliance officer in the audience mentioned that one of her employees was found to be taking pictures, that were perhaps in violation of HIPAA, and posting them on Snapchat, an image messaging app and social media outlet. She explained that in order to truly understand the problem she had asked younger people in her family to help explain Snapchat to her and had obtained the app for herself and started using it in an effort to understand how it functions. In this way, we can see how it possible to bridge the divide caused by social media use and embrace its existence in a health care setting. Ruelas explained to his audience, social media “runs through the veins” of its users and, therefore, assuming that they will not use it at work without having policies that explicitly prohibit or explain proper use of it is not a good avenue to go down.

As the role of social media takes up more of our lives, it takes more of our work as well. As such, it is promising to see how compliance professionals are embracing it as both a tool for their own networking and knowledge spreading and recognizing it as a potential outlet for compliance issues in the workplace. Although what happens in Vegas may stay in Vegas, what happens on social media is for the world to see, and, as such, compliance professionals should be on notice of that.