In 2009, 57 hard drives containing unencrypted private health data for more than 1 million people were stolen from a storage closet at a Blue Cross and Blue Shield of Tennessee facility in Chattanooga. Last week, BCBS agreed to pay $1.5 million and enter into a 450-day corrective action plan – on top of the $17 million it had already voluntarily invested in encrypting all “at-rest” data, investigating potential threats to data security and training employees.
Nearly three years and close to $20 million later, many are questioning whether this was enough. There is a good article by Joe Carlson of Modern Healthcare on the reaction to the “first-ever penalties stemming from enforcement of the HITECH Act’s breach-notification rule.”
I’ve seen two primary concerns raised. First, is a $1.5 million fine enough of a deterrent to make health care firms take data security seriously? Second, where is the compensation for the 1 million patients whose privacy was breached? Both are valid concerns, but neither addresses the larger question: what governance policy (or lack of one) allowed such lax data-security standards to exist, and where else might private health data be at risk because nobody governs how it is communicated (web, email, postal mail)?
Erika Chickowski, a contributor to Dark Reading, recently blogged about the challenges IT managers face in getting funding for data security initiatives:
“…executives put in charge of safeguarding protected health information (PHI) can’t keep up with the risks inherent with increased deployment of electronic health records (EHR) without enough financial backing to get the job done. And the only way these PHI protectors can squeeze that juice from the C-suite is if they make themselves fluent in the language of financial justification.”
While this statement is absolutely right – it’s also absolutely wrong. IT execs shouldn’t be in the position of fighting for funding for data security initiatives. The C-suite should be ensuring that governance policies are in place, regularly updated and enforced, and that those policies require data security at every stage of the data lifecycle: in a live database, in an archive, in a mailing file, in an emailing file, in print, and when slated for destruction. These policies need to cover not only electronic health records but also the capture of email addresses and the use of data-driven communications, since a personalized message can inadvertently expose an underlying health condition. As data is used more frequently and more effectively in patient communications, governance policies must cover not only the security of databases but each individual use of the data.
HITECH is only one of many regulations affecting healthcare data and member/patient communications. As healthcare organizations move toward selling individual health plans and communicating directly with patients, they are as likely to be fined for non-compliance with CAN-SPAM as with HITECH. Governance policies must address data security and communication strategy together. Developing a comprehensive policy will require collaboration beyond IT with Marketing, Compliance, Customer Service and Operations – and it will be a balancing act. It doesn’t do marketing much good to have secure data if they can’t use it to communicate. Likewise, it doesn’t help IT to build an encrypted at-rest repository only to have marketing or operations send unencrypted emails, use mobile devices unwisely, or hand data to an unsecured third party for mailing.
There is no doubt that healthcare data breaches are a growing problem. A recent report indicates that 91% of small healthcare practices in North America suffered a data breach in the past 12 months, that reported breaches increased by 30% overall in 2011, and that breaches could be costing the industry an average of $6.5 billion annually. However, IT is only one part of the picture. Without a top-down governance approach, personal information will never be secure.