A recent article in InformationWeek warned that experts in healthcare law, healthcare IT management, and information privacy and security all predict a substantial increase in patient data security breaches in 2012. With that rise in patient data leaks will come the inevitable increase in patient lawsuits for damages caused by leaks of such "protected health information" ("PHI").
The article notes another factor that should be giving Information Security Officers at healthcare providers nightmares over the growing probability of these security breaches. Beginning last year, the Office for Civil Rights ("OCR") of the US Department of Health and Human Services stepped up its oversight duties, issuing significantly more, and larger, fines to healthcare organizations for security lapses.
Lawyers are also cited in the article as recognizing the litigation opportunities. One predicts a rise in 2012 of class action lawsuits, the suit any organization least wants to defend against, arising from the failure to protect patients' PHI. A class action invites an unlimited number of victims to join a lawsuit instituted by a single patient, thereby multiplying an organization's financial exposure many times over.
The article missed a couple of other key points that add greater emphasis to all these concerns. The Health Information Technology for Economic and Clinical Health Act ("HITECH Act") of 2009 is the law largely responsible for the increase in OCR enforcement, in that it provides an enormous boost in funding for investigative personnel and resources.
Of probably even greater importance, the HITECH Act raised the maximum civil penalty from the $25,000 limit originally imposed by the Health Insurance Portability and Accountability Act ("HIPAA") of 1996 to a maximum of $1.5 million (per calendar year for violations of an identical provision). That's right, $1.5 million, sixty times the original cap.
With such a dramatic jump in the financial risks and stakes, healthcare information security officers are recognizing the need to increase the size and depth of their preventative measures. An article posted last summer on the SearchHealthIT web site noted that the primary concern of the healthcare security industry is mobile device security.
This fear is highly understandable. The ever-increasing move toward the ease and flexibility of mobile data devices in the healthcare industry is enriching the quality of care that can be delivered to patients while simultaneously increasing the risk of PHI breaches.
The aforementioned InformationWeek article correctly points out that the first two major strategies to be employed by healthcare information security officers must be to:
The ease with which mobile devices can be lost, misplaced, stolen or hacked poses extraordinary dangers for security officers in the healthcare industry. The ability to immediately locate, lock down and even remotely delete stored data when a mobile device disappears from controlled possession should be at the forefront of the minds of those responsible for keeping PHI secure and safe from uninvited view. One caveat a practitioner will want to keep in mind: a remote lock or wipe can only take effect once the missing device reconnects to a network, so it complements, rather than replaces, encrypting the PHI stored on the device in the first place.
This post was contributed by Steve Treglia, a former New York prosecutor who headed his office’s computer crime unit for 14 years. Steve is Legal Counsel at Absolute Software, the leading maker and distributor of tracking software for stolen mobile digital devices.