Record Details

Is the HIPAA Security Rule Enough to Protect Electronic Personal Health Information (PHI) in the Cyber Age?

The Journal of Health Care Finance

 
 
Field Value
 
Title Is the HIPAA Security Rule Enough to Protect Electronic Personal Health Information (PHI) in the Cyber Age?
 
Creator Koch, JD, RN, Diane Doebele; Diane Doebele Koch, JD, RN
 
Description Approximately 112 million Americans, or nearly one third of the United States population, have been affected by breaches of so-called “protected health information” (“PHI”) in 2015 alone. During the last year, almost 100 million records were hacked from the network servers of just three organizations: Excellus Health Plan, Inc. with 10 million individuals affected, Premera Blue Cross with 11 million individuals affected, and Anthem, Inc. Affiliated Covered Entity with a record 78.8 million individuals affected. Based on the information reported in the United States Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) database, which publishes the breaches affecting 500 or more individuals, the majority of breaches, approximately 38%, were due to “unauthorized access/disclosure”; however, in the top ten breaches (i.e., those affecting the most individuals) 90% were due to a “hacking/IT incident.” During the last three years 42.5% of all data breaches were attributable to the healthcare industry. In the last two years an alarming 91% of healthcare companies reported a data breach. Almost half of the breaches have been found to be criminal in nature.
In a report published by the Ponemon Institute in May 2015 examining privacy and security data for healthcare covered entities and business associates, criminal attacks were identified as the main cause of healthcare data breaches, and such attacks have grown over 125% during the last five years. “Spear phishing” accounts for 88% of these criminal attacks and malware for 78% of all criminal activities. So what is spear phishing? It is not a recreational activity. Spear phishing is a tool cybercriminals use to gain unauthorized access to sensitive information or to install malware on the targeted victim’s computer. This is accomplished by sending e-mails targeting select groups of people with a common bond, e.g., they work at the same company. The e-mails appear to be legitimate, i.e., from a source the victim would know or normally receive e-mails from (to appear legitimate the criminals sometimes hack into the organization’s computer network). Victims are asked to click on a hyperlink inside the e-mail that brings them to a phony but genuine-looking website, where they are prompted to provide passwords, user IDs, access codes, etc. Once criminals have this access information, they are able to obtain the sensitive data they are seeking. Spear phishing can also trick victims into downloading malicious code or malware by clicking on a link embedded in the e-mail. The second cause of health care data breaches was lost or stolen computers, representing 43% of all data breaches. Notwithstanding the fact that criminal activity is now the main cause of data breaches in the healthcare industry, the majority of healthcare security personnel (70%) were more worried about employee negligence than cyberattacks (40%). Generally, breaches are discovered as a result of an audit (69%), notification from an employee (44%), or a patient complaint (30%). Given the major breaches cited above, the healthcare industry is not responding aggressively enough to thwart these attacks. Why not?
Perhaps because the federal law relating to the security of an individual’s PHI is too lax. The HIPAA Security Rule sets forth national standards to protect individuals’ electronic personal health information (“ePHI”) that is created, received, used, or maintained by a “Covered Entity,” i.e., health plans, health care clearinghouses, and health care providers, or their respective business associates who transmit health information in electronic form. The Security Rule requires certain administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI. Within the Security Rule there are both “required” implementation specifications and “addressable” specifications. While Covered Entities are mandated to take certain steps to protect ePHI, there is flexibility built in with the addressable specifications. Unfortunately, the public is dependent on the Covered Entity to ensure its ePHI is safe and is unaware of what measures the Covered Entity has taken to meet the implementation specifications in the Security Rule. While HIPAA compliance appears to be an issue being addressed in the health care sector, more must be done to bolster the security requirements intended to protect ePHI in the current environment.
The current penalties for HIPAA breaches are not a strong enough deterrent to catalyze change. Although OCR can impose fines on organizations for unauthorized disclosures of PHI and for failing to protect the public against loss, theft, and disclosure of PHI, the penalties are ineffective given the increasing number and extent of recent breaches. While OCR has imposed several hefty fines this past year, in 2014 OCR received nearly 18,000 complaints yet only six formal actions were taken. Is the decision to take action dependent upon who is affected by the breach? As for the Anthem breach, penalties are laughable given the magnitude of the breach. Anthem’s annual net income for the year ending December 31, 2014 was $2.5 billion. Is a maximum fine of $1.5 million really a deterrent? Obviously it is barely a slap on the wrist. Who is protecting the average American? Clearly, the current HIPAA Security Rule is not enough to protect our electronic PHI (“e-PHI”) in the cyber age.
 
Publisher Worldwebtalk.com, Inc.
 
Contributor
 
Date 2016-05-15
 
Type info:eu-repo/semantics/article
info:eu-repo/semantics/publishedVersion
Peer-reviewed Article
 
Format application/pdf
 
Identifier http://healthfinancejournal.com/index.php/johcf/article/view/67
 
Source Journal of Health Care Finance; Vol 43, No 3, Winter 2017
 
Language eng
 
Relation http://healthfinancejournal.com/index.php/johcf/article/view/67/69
 
Rights Copyright (c) 2020 Journal of Health Care Finance