"It's becoming increasingly clear that the age of strictly voluntary compliance with respect to HIPAA has come to an end, and the threat of expensive settlements and corrective action plans with federal and state regulators is becoming an increasing reality," he says in an interview with HealthcareInfoSecurity.com's Howard Anderson [transcript below].
Greene comments on the results of HealthcareInfoSecurity's inaugural Healthcare Information Security Today survey, which confirms that the top information security priority for the coming fiscal year is improving regulatory compliance efforts. Also a top priority, the survey shows, is improving privacy and security education for physicians, staff, executives and board members.
Greene, who helped enforce HIPAA in his former role as an official at the Department of Health and Human Services' Office for Civil Rights, recommends training efforts be "focused on the organization's specific problem areas in addition to overall compliance. So if there have been laptop thefts, for example, or improper disposal of hard copies or electronic media, make sure the training addresses those issues rather than just doing the same generic training from year to year," he recommends.
In the interview about the survey results, Greene also:
- Predicts the 26 percent of organizations that lack a risk assessment will take action as HIPAA enforcement gears up and HIPAA compliance audits begin next year;
- Provides recommendations on how to comply with the HIPAA breach notification rule. The survey shows only half of organizations have a compliance plan in place;
- Describes why he's surprised that the survey shows only 25 percent of organizations have experienced a breach of any size that needed to be reported to federal authorities. "I expect that far more than 25 percent of organizations are experiencing impermissible uses and disclosures of some size, which have the potential to cause reputational or financial harm to individuals," he says. "So either organization's security practices are better than I thought, which is not really suggested by the rest of the survey responses, or organizations may not be looking very hard."
A veteran health law attorney, Greene until recently was senior health information technology and privacy specialist at the HHS Office for Civil Rights, where he played a significant role in administering and enforcing the HIPAA privacy, security and breach notification rules. In his new role as partner at Davis Wright Tremaine LLP in Washington, he specializes in HIPAA and HITECH Act issues.
IT Budget Issues
HOWARD ANDERSON: This survey confirms that many healthcare organizations still have a long way to go when it comes to information security. For example, only 60 percent of organizations reported that they have a documented information security strategy in place, and nearly 70 percent estimate they devote three percent or less of their IT budgets to information security. Why do you think that information security is not yet a higher priority for many?
ADAM GREENE: I think that information security has been a victim of budget triage. Every organization would like to have robust security but probably feels the need to place their resources elsewhere. This may be due to a lack of enforcement and transparency in the past. Only a few years ago, if you had a security incident it was unlikely to come to the attention of regulators or patients, and it was therefore unlikely to result in enforcement problems or reputational damage. The incentives were not necessarily there to put much of your resources into security. I think this really began to change with state breach notification laws, when organizations suddenly had to start airing their dirty laundry with respect to security incidents. I think this resulted in significant hits to reputations, and I think that led to an increase in security as a priority and I think that's going to increase even more as state and federal enforcement picks up in this area.
Improving Regulatory Compliance Efforts
ANDERSON: The survey finds that improving regulatory compliance efforts was the number one information security priority for healthcare organizations in the coming year. Why do you think that is the case?
GREENE: I think it's a matter of reputation, enforcement and attestation. I think executives are seeing large breaches of data, of patient data, on front pages, and it's suddenly becoming a much stronger incentive for them to allocate resources to information security. Additionally, I think it's becoming increasingly clear that the age of strictly voluntary compliance with respect to HIPAA has come to an end, and the threats of expensive settlements and corrective action plans with federal and state regulators is becoming an increasing reality. Finally, I wouldn't underestimate the impact of the meaningful use program, and the requirement to attest to a risk analysis and risk management program. For many, this is really the first time that they're vouching for their organization's security. So before putting their name on the dotted line, I think they're taking a look and realizing there's work to be done.
Lack of Risk Assessments
ANDERSON: Speaking of risk assessments, the survey shows that about a quarter of organizations have yet to conduct one, even though such an assessment has been required under HIPAA for a number of years. Why are so many still lagging and what advice would you offer about how to get an assessment completed quickly and effectively? Then, how often should it be updated?
GREENE: I think that the lack of an enterprise-wide risk assessment, despite over five years of being required, is due to similar causes as the lack of overall information security resources. In a world of exceedingly limited resources, risk assessments have a hard time rising to the top of the budget list. Smaller organizations may not even know where to start, or may not have placed security rule compliance as a big priority. Large organizations may view it as a large, expensive effort that will only lead to more expenses as threats and vulnerabilities are highlighted, especially if the possibility of enforcement is remote.
I think the percentage of risk assessments will increase in the future as enforcement increases. For example, based on these numbers, it appears inevitable that a significant portion of the upcoming 150 audits will find covered entities with no risk assessment, and those may be some of the most likely candidates for referral to the Office for Civil Rights investigators and for the possibility of formal enforcement.
Risk assessments are not easy. It's not a one-size-fits-all solution, and a checklist approach will not serve an organization well. It really does require expending thought and looking at what threats and vulnerabilities are specific to your organization. But there are definitely tools to help, whether it is contracting with an outside expert of which there are some great resources out there, or whether it be using the guidance that has been put out by both the Office for Civil Rights and the National Institute of Standards and Technology. Risk assessments don't need to be as daunting as I think they are to some people. And as for the timing, I would say ideally you should be shooting for an annual assessment. There are no hard and fast rules, but the state of technology and the threats out there change so rapidly that doing, for example, a risk assessment every three years is probably not going to cut it in the eyes of regulators.
Breach Notification Rule
ANDERSON: Only half of the organizations have a detailed plan in place to comply with the HIPAA interim final breach notification rule. Sixty-five percent of organizations say they do not have a portion of their IT budget allocated specifically for breach detection, response and notification costs. Why hasn't development of such a plan been a priority for so many organizations and what are the essential elements of such a plan that they should have in place?
GREENE: I think some organizations may think that they will simply deal with breaches as they arise, and that either they do not need or do not want to proactively seek to detect breaches. It will be interesting to see in the years to come whether some of the large breaches that have been reported so far will lead to enforcement actions, and if this will have an impact on organizations and their planning. If an organization does not have a breach plan, it will not proactively find breaches, and this is really rolling the dice with a potential for hundreds of thousands or millions of dollars in penalties.
On the one side, if you don't learn of the breaches and report them, it's unlikely that the patient will ever learn and so enforcement may be unlikely. But I think it's important to keep in mind that there remains a real chance that at some point, a patient will learn of a breach, file a complaint with OCR, and by the time it comes to your privacy, security or general counsel, the organization may be months over the deadline for reporting. It remains to be seen how OCR will handle such cases, especially once regulations are finalized, which places a greater pressure on OCR to seek financial penalties in cases of willful neglect. Cases where someone in the organization knew about a breach and didn't report it may be prime candidates for willful neglect violations.
I recommend that organizations focus on both the top-down and bottom-up approach to breach detection with a tested response program in place. Top-down would be information security staff proactively auditing records to find potential breaches. There are various ways to do auditing, but it's important to do smart auditing rather than just a completely random sample. There are certainly tools available to do algorithms that may hone in on potential problem areas. The bottom-up approach is ensuring that all staff are trained to recognize what is PHI, because sometimes this is not fully understood, and then understand when PHI may have been breached and to whom to report a breach. Because the breach notification rule imputes the organization with knowledge of any staff learning of a breach, it's important to make sure that there's a good reporting structure in place.
Top Security Priorities for 2012
ANDERSON: According to the survey, two other top priorities for the coming year are improving security awareness and education for physicians, staff, executives and board members and improving mobile device security. Should these indeed be high priority action items for the year ahead for most organizations, and what other steps should be top priorities in the coming year do you think?
GREENE: Well I definitely agree with organizations that these should be top priorities. Training I would recommend be focused on the organization's specific problem areas in additional to overall compliance. If there have been laptop thefts, for example, or improper disposal of hard copies or electronic media, make sure the training addresses those issues rather than just doing the same generic training from year to year. Also, the case for encrypting laptops continues to get stronger and stronger. The bigger challenge [with] mobile devices is probably the non-laptops such as ensuring that PHI is not left on physician-owned iPads or smartphones.
I would add though another top priority should definitely be risk assessments. This is really intended to be the foundation of a security program. If you don't have one, or if your organization's risk assessment is inadequate or out-of-date, you're going to have a hard time responding to a HIPAA audit or investigation.
Lack of Breach Detection
ANDERSON: Finally, did you find any of the other results of the survey to be particularly surprising or concerning?
GREENE: My biggest surprise was that only 25 percent of respondents indicated that they had a health information breach of any size. Even with a significant portion of impermissible uses and disclosures not qualifying as breaches, I expect that far more than 25 percent of organizations are experiencing impermissible uses and disclosures of some size, which have the potential to cause reputational or financial harm to individuals. So either organizations' security practices are better than I thought, which is not really suggested by the rest of the survey responses, or organizations may not be looking very hard.
ANDERSON: Do you think perhaps that some of the survey respondents were just focused on the major breaches that have to be reported to OCR within 60 days, those that affect 500 or more and maybe assume that's what we're looking for, rather than the smaller breaches? Could that be part of it too?
GREENE: I think that could be part of it. There may have been some confusion with respect to the scope of the question, but small breaches also are sometimes the much harder ones to catch. When you've got a large breach that's readily apparent much of the time, whereas often times it requires proactive monitoring to find all the small breaches that are going on in the organization, and that's where I think organizations aren't really putting their resources. They're simply unaware of the volume of small breaches that may be happening. But if there was really this few impermissible uses and disclosures, then the privacy officers and security officers I know would have a lot more time on their hands, which is simply not the case.