PRIVACY AND SECURITY OF PATIENT HEALTHCARE INFORMATION USING ELECTRONIC HEALTHCARE RECORD SYSTEMS
By
Paul J. Bleaking
A Capstone Project Submitted to the Faculty of
Utica College
August 2014
In Partial Fulfillment of the Requirements for the Degree of
Master of Science in
Cybersecurity
© Copyright 2014 by Paul J. Bleaking
All Rights Reserved
Abstract
The purpose of this research was to evaluate the United States’ process for guaranteeing
healthcare professionals and hospitals adhere to patients’ rights to privacy law. The main issue
discussed is the effectiveness of the Health Insurance Portability and Accountability Act of 1996
(HIPAA). The policies that are in place by HIPAA also protect personal health information
(PHI) within electronic healthcare record (EHR) systems, as required under the Health
Information Technology for Economic and Clinical Health (HITECH) Act of 2009. The impact
of individual PHI loss includes identity theft, fraud, and blackmail. The impact of data breaches
causes financial impact on both the patient as well as the healthcare industry, which includes
hospitals, physicians’ offices, healthcare insurance companies, and pharmacies. The Department
of Health and Human Services (HHS) created a three-phase process and recommends those
healthcare organizations that would like to implement an EHR system to follow these steps to
help minimize the risk to PHI, provide quality healthcare, and ensure privacy and security
measures are being followed under HIPAA. Encryption of all PHI data should occur to all parties
including federal government websites to help reduce risk of PHI data and to have better security
and privacy of this information. This research determined that initial, remedial, and ongoing
training on EHR systems is critical to the success of protecting PHI.
Keywords: Cybersecurity, Professor Cynthia Gonnella, Privacy, Risks, Data Breaches,
Meaningful Use
Table of Contents
List of Illustrative Materials.................................................................................................................v
Privacy and Security of Patient Healthcare Information using.......................................................... 1
Electronic Healthcare Record Systems ............................................................................................... 1
Health Insurance Portability and Accountability Act of 1996 (HIPAA) ...................................... 3
Risk assessment. ........................................................................................................................... 6
Risk management. ........................................................................................................................ 6
Meaningful use. ............................................................................................................................ 6
Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 ..... 8
U.S. Patriot Act................................................................................................................................. 8
Literature Review ................................................................................................................................. 9
Risks to Patient Electronic Data .................................................................................................... 12
Risk Management ........................................................................................................................... 15
Data Breaches ................................................................................................................................. 18
U.S. Government Healthcare Exchange handling data breaches. ........................................... 20
Private and state governments must report data breaches........................................................ 21
The rise of medical identity theft............................................................................................... 22
Security risk and breach of privacy using HealthCare.gov...................................................... 23
Risk of inappropriate access. ..................................................................................................... 24
Risk of record tampering............................................................................................................ 24
Risk of record loss due to natural catastrophes. ....................................................................... 25
Ramifications of Data Breaches .................................................................................................... 25
Meaningful Use .............................................................................................................................. 25
Benefits of Implementing an EHR system.................................................................................... 27
Comparison of EMR vs. EHR ....................................................................................................... 29
Electronic medical records (EMR)............................................................................................ 30
Electronic health records (EHR)................................................................................................ 30
Discussion of the Findings ................................................................................................................. 30
Meaningful Use .............................................................................................................................. 32
Risks to Patient Electronic Data - Data Breaches......................................................................... 35
Reducing Risk of Data Breaches ................................................................................................... 38
Future Research Recommendations .................................................................................................. 41
Cloud Storage for PHI.................................................................................................................... 41
Danger to National Security........................................................................................................... 41
Conclusion........................................................................................................................................... 42
References ........................................................................................................................................... 44
Appendix A – Impact Results of EHR data breaches in Healthcare organizations ........................ 52
Appendix B – Example of Risk Assessment Report ........................................................................ 54
Appendix C – HIPAA’s 18 PHI Identifiers’ ..................................................................................... 56
List of Illustrative Materials
Figure 1 – User satisfaction has fallen as much as 12% from 2010 to 2012 ......11
Figure 2 – Improvements made in EHR ......11
Figure 3 – Top five PHI Breaches ......13
Figure 4 – Total PHI Breaches from 2010-2013 ......13
Figure 5 – PHI Data Breaches in 2013 by type ......14
Figure 6 – PHI Data Breach by Source/Device in 2013 ......15
Figure 7 – Five Security Components for Risk Management ......16
Figure 8 – Sample of Threats, Controls, and Vulnerabilities ......17
Figure 9 – NIST SP 800-30 Impact Definition ......18
Figure 10 – Stages of Implementing EHR ......26
Figure 11 – Medicare incentive payments adopting EHR program ......28
Figure 12 – Stages of Implementing EHR ......33
Figure 13 – Types of PHI Lost or Stolen in 2011-2013 ......35
Figure 14 – Information Compromised in a Security Breach ..............................................36
Privacy and Security of Patient Healthcare Information using
Electronic Healthcare Record Systems
In 1996, President Clinton signed the Health Insurance Portability and Accountability Act
(HIPAA) into law requiring healthcare insurance companies and providers to adhere to a set of
guidelines providing privacy to patients’ records (U.S. Congress, 1996). The U.S. Patriot Act and
the Health Information Technology for Economic and Clinical Health (HITECH) Act were both
enacted to help protect patients’ Electronic Health Records (EHR) from vulnerabilities, and to
enhance the privacy and security of those records. The healthcare industry must establish and
maintain strong policies to protect the privacy and security of electronic medical records.
When HIPAA came into law in 1996, it required the Secretary of the U.S. Department of
Health and Human Services (HHS) to develop regulations protecting the privacy and security of
an individual’s health information. To fulfill the requirement, HHS created the HIPAA Privacy
Rule and HIPAA Security Rule (Health and Human Services (HHS), 2003). The Privacy Rule
assured protection of individual health records while allowing the flow of the health information
needed to provide and promote high quality health care, and to protect the public’s health and
well-being (HHS, 2014). For example, when a patient visits a healthcare facility for a routine
checkup the professional staff will be using an EHR system to access the patient’s health records.
The information in the patient’s medical records must remain confidential.
The Privacy Rule protects all individually identifiable health information held or
transmitted by a covered entity or healthcare facility, in any form or media type (HHS, 2003,
“Understanding Health Information Privacy,” para. 1). The HIPAA Security Rule is a national
set of security standards for protecting certain health information that is held or transferred in
electronic form (HHS, 2003, The Security Rule, para. 1).
The U.S. Patriot Act, passed into law in 2001, also pertains to EHR. Candice Teitlebaum
and Aaron Collins, Canadian attorneys specializing in North American EHR, say, “the USA
Patriot Act permits U.S. law enforcement officials, for the purpose of an anti-terrorism
investigation, to seek a court order that allows access to the personal records of any person
without that person’s knowledge, as long as the relevant records are stored in the United States”
(Teitlebaum & Collins, 2008, p. 2, para. 3). Problems arise when patients who reside in Canada
or Mexico have their records stored in the United States. With the U.S. Patriot Act, the U.S.
Government has the right to look at personal health records because the records reside in the
United States (Teitlebaum & Collins, 2008).
Emma Roller (2013), editorial assistant for slate.com, a general-interest publication
offering analysis and commentary about politics, news, business, and technology, posted on
Slate’s blog about the 2006 amendment to Section 215 of the U.S. Patriot Act. According to
Roller, the amendment modified the rules on records searches to read, “Foreign Intelligence
Surveillance Act (FISA) must be relevant to an authorized preliminary or full investigation to
obtain foreign intelligence information not concerning a U.S. person or to protect against
international terrorism or clandestine intelligence activities” (Roller, “What is Section 215,”
para. 6). Roller also mentions that this section allows the Department of Justice (DOJ) to conduct
audits on Section 215 to assess its effectiveness.
In a report titled “PRIVACY, TECHNOLOGY AND NATIONAL SECURITY: An
Overview of Intelligence Collection,” Robert Litt (2013), general counsel of the Office of the
Director of National Intelligence (ODNI) in the United States Intelligence Community, wrote:
The Supreme Court has held that if you have voluntarily provided this kind of
information to third parties, you have no reasonable expectation of privacy in that
information. All of the metadata we get under this program is information that the
telecommunications companies obtain and keep for their own business purposes. (Litt,
IV. FISA Collection, 2013, para. 12)
Litt explained that while the telecommunications companies use the data for internal purposes,
the intelligence community collects the valuable data as a security measure to prevent another
attack such as the 9/11 terrorist attack (airplanes were flown into the World Trade Center
buildings in New York, causing the buildings to collapse while occupied by more than 2,000
people). Litt noted that the criticisms by the 9/11 Commission included the lack of
records to connect a U.S. hijacker in California with al-Qaida in a safe house in Yemen (Litt,
2013). Given that the 9/11 criticisms cited a lack of connecting information, it is unlikely that the
U.S. would entertain ceasing the collection of data on non-U.S. citizens while they are accessing
healthcare within the U.S.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
It is important to understand the history of the HIPAA and HITECH laws before moving
on to review published material concerning the security of the data collected and audited within
the governing entities that are responsible for their oversight. Daniel Levinson, Department of
Health and Human Services, Office of Inspector General, in a 2013 report, “Not All
Recommended Fraud Safeguards Have Been Implemented In Hospital EHR Technology,” wrote:
The Health Information Technology for Economic and Clinical Health Act (HITECH), enacted
as part of the American Recovery and Reinvestment Act of 2009 (ARRA), supports the
development of a nationwide health information technology infrastructure that allows for
the electronic use and exchange of information. (Levinson, 2013, p. 1, para. 4)
Levinson also pointed out that since the passing of the HITECH law, the Centers for Medicare
and Medicaid Services (CMS) have made incentive payments totaling $13.5 billion to ensure
professionals and hospitals demonstrate the meaningful use of EHR technology (2013, p. 2,
para. 1).
The Office of the National Coordinator for Health Information Technology (ONC), on its
website HealthIT.gov, listed benefits to health care providers utilizing an EHR system. The
benefits included: improved quality and convenience of patient care, increased patient participation
in their care, improved accuracy of diagnoses and health outcomes, improved care
coordination, and increased practice efficiencies and cost savings (Office of the National
Coordinator for Health Information Technology (ONC), 2014, “Benefits of Electronic Health,”
para. 3). ONC maintains HealthIT.gov to assist health care providers when they need help
adopting the use of EHR.
Security risks and privacy issues are a top concern when healthcare facilities and
physicians first implement an EHR system. Using an EHR system will allow any professional
employee that works for a medical facility to gain access to patient records. Professional
employees must abide by the HIPAA Privacy and Security Rules, and the facility must provide
awareness and training to these employees. In a 2011 dialogue with patients, Leon Rodriguez,
Director of the HHS Office of Civil Rights (OCR), stated, “the HIPAA Security Rule requires that
health care providers set up physical, administrative, and technical safeguards to protect your
electronic health information” (Rodriguez, 2011, para. 6). Rodriguez goes on to say some EHR
privacy measures include: passwords to limit access to information, encryption to make health
information unreadable without a proper key, and an audit trail to track access and changes
(Rodriguez, 2011, para. 6).
The purpose of this research was to evaluate the United States’ process for guaranteeing
healthcare professionals and hospitals adhere to patients’ rights to privacy law. In 2014, Erin
McCann, associate editor for Healthcare IT News, reported that many healthcare breaches go
unreported, which skews final numbers. McCann also reported that Ted Kobus, a New York-based
attorney and an expert in privacy and data breaches, said, “in reality business
associates (BA) are very much lagging behind. BA is not as prepared as they should be”
(McCann, 2013, “HIPAA breaches in top,” para. 8). HHS (2013) defines a BA as “a person or
entity that performs certain functions or activities that involve the use or disclosure of protected
health information on behalf of, or provides services to, a covered entity” (Business Associates
section, para. 3). Examples of BAs include healthcare clearinghouses that process
claims; accounting firms whose services to healthcare facilities and physicians require access to
protected patients’ EHR; pharmacists’ networks; and independent medical transcriptionists that
provide services to doctors (HHS, 2013).
In addition to securing patient data physically, another important area of concern is
security awareness training for all employees so they understand their role in keeping patients’
health records secure. The HIPAA and HITECH laws demonstrate that the United States recognizes the
importance of the security and privacy of patients’ records in EHR systems. Research into the
effectiveness of these laws, as well as the security of EHR systems on the healthcare network
infrastructure, was an important goal of this study. Documented healthcare data breaches among
providers and their business associates were largely responsible for prompting this research.
What are the HIPAA law guidelines for reporting data breaches? How are healthcare data
breaches most likely to occur? How is the U.S. government Health Care Exchange handling its
own data breaches? How can the U.S. government amend HIPAA to reduce the likelihood of
healthcare data breaches?
As the healthcare industry moves forward with the implementation of EHR systems,
privacy is a top concern regarding personally identifiable information (PII) and protected health
information (PHI). HHS adopted a ten-step plan to help healthcare organizations and physicians
adhere to HIPAA regulations to protect individual privacy and security while implementing
EHR. The three areas of concern that healthcare organizations and physicians need to address
while following the ten-step plan outlined by ONC are risk assessment, risk management, and
meaningful use.
Risk assessment. The ONC, on its website HealthIT.gov, defined security risk and noted that
covered entities are required to conduct a risk assessment of their healthcare organization (ONC, 2012,
What is Risk Assessment, para. 1). Taking this measure will not only help the organization
ensure that it is in compliance with HIPAA’s administrative, physical, and technical safeguards
but will also help reveal areas where an organization’s PHI could be at risk.
Risk management. The CMS, on its website cms.gov, defined risk management as a
process used to identify and implement security measures to reduce risk to a reasonable and
appropriate level within a covered entity (CMS, 2007, p. 4, para. 5).
Meaningful use. The CMS, on its website cms.gov, defined meaningful use as
healthcare organizations and physician offices using EHR technology to improve patient care
and meeting 18 of 22 required objectives. Those that meet these requirements may receive financial
incentive payments (CMS, 2012).
One significant aspect of the HIPAA law is that it is a multi-step approach geared to help
improve the EHR system as well as protect patients’ privacy (U.S. Congress, 1996). A benefit
of the HIPAA law is that it helps reduce fraudulent activity and improve the collection of patients’
records using EHR systems. The HIPAA Privacy and Security Rules were the first federal
standards for protecting the privacy and security of PHI. Scott Withrow, an American attorney
specializing in North American healthcare law for twenty-four years, explains that the purpose of the
PHI security rules was to maintain the appropriate policies and procedures to prevent
unauthorized access (Withrow, 2010). Both of these rules regulate how covered entities use and
disclose PHI through risk assessment, development, implementation, and compliance with
Information Systems Security (INFOSEC) policies. A healthcare facility must assess all security
risks and adopt measures to protect the patients’ records. There are nine basic elements of a risk
assessment, which could help assure the privacy and security of patients’ records. Below are the nine
risk assessment elements that healthcare facilities must follow when creating and designing ways to
protect the privacy and security of patients’ healthcare records:
Identify where the PHI is stored, received, maintained, or transmitted
Identify and document potential threats and vulnerabilities
Assess current security measures
Determine the likelihood of threat occurrence
Determine the potential impact of the threat
Assign a level of risk
Finalize your documentation
Periodic review and updates to the risk assessment
Gap analysis report and remediation action plan. (Scott, 2012, Risk Assessments,
para. 11-19)
Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
The purpose of the HITECH Act was to provide support when developing a nationwide
Healthcare Information Technology Infrastructure that would allow the use of electronic devices
to exchange patient records. Its goal was to achieve widespread adoption of EHRs by 2014. The
ONC had the responsibility of coordinating the adoption, implementation, and exchange of
EHRs (Levinson, 2013, “Not all Recommended Fraud,” p. 4, para. 3). Organizations need to
have a corrective action plan in place before security breaches compromise patient medical
records. Internal staff or external hackers can be to blame for confidential EHR breaches. In
2009, HHS revised section 1176(a) of the Social Security Act by establishing these categories:
Four categories of violations that reflect increasing levels of culpability.
Four corresponding tiers of penalty amounts that significantly increase the
minimum penalty of each violation.
A maximum penalty amount of $1.5 million for all violations of an identical
provision (HHS, HITECH Act, para. 3).
U.S. Patriot Act
President George W. Bush signed the U.S. Patriot Act into law in October 2001, and
President Obama amended the Act in 2011 through the PATRIOT Sunsets Extension Act. The
amendment that President Obama signed into law allows the federal government to conduct roving
wiretaps and searches of business records and to conduct surveillance of the electronic transmission of
information. This law also allows U.S. law enforcement, when investigating suspected terrorist
groups, to seek a court order to acquire the personal records of any person without that person’s
knowledge as long as those records are stored in the United States of America (U.S. Department of Justice,
Office of Justice Programs, 2001). The purpose of the U.S. Patriot Act is to improve the
country’s counter-terrorism efforts, allowing law enforcement to use surveillance tools
against more crimes of terror.
The Act enabled investigators to gather information when looking into the full range of
terrorism-related crimes, including: chemical-weapons offenses, the use of weapons of
mass destruction, killing Americans abroad, and terrorism financing. With this Act, law
enforcement will be able to gather any data or information (Department of Justice, 2006,
The USA Patriot Act, p. 1, para. 5).
Literature Review
The HITECH Act mandates that healthcare facilities and physicians adopt an EHR
system by 2015, or lose federal subsidies and be penalized with diminished Medicare and
Medicaid payments. These healthcare facilities and physicians must plan, implement, and
evaluate their EHR system while adhering to the Privacy and Security Rules of HIPAA.
Healthcare facilities and physicians often underestimate the financial commitment and the time
required to implement a successful and secure EHR system. In 2010, John Commins, an editor
for HealthLeaders Media, an online publication for healthcare executives and professionals,
reported on a Government Accountability Office study of the Department of Defense’s (DoD)
attempt to transition to an electronic medical records (EMR) system. Commins wrote,
“Shortcomings in the Department of Defense’s failed 13-year, $2 billion transition to electronic
medical records were largely due to poor planning and execution, and a failure to appreciate the
significant complexity of the program” (2010, para. 1). In 2009, Athenahealth, a leading provider
of cloud-based Best in KLAS electronic health record, practice management, and care
coordination services to medical groups and health systems, summarized the impact of having an
EHR, which will provide better quality health care:
To improve the quality of our health care while lowering its costs, we will make the
immediate investments necessary to ensure that, within five years, all of Americans’
medical records are computerized. This will cut waste, eliminate red tape, and reduce the
need to repeat expensive medical tests. However, it just will not save billions of dollars
and thousands of jobs; it will save lives by reducing the deadly but preventable medical
errors that pervade our health-care system (Athenahealth, “A Summary of the,” para. 2).
In 2009, Jennifer Horowitz, a senior director for HIMSS Analytics, reported that more
than 57% of providers said they now have a greater level of awareness of data breaches and
breach risk. Horowitz went on to say that about 73% of organizations now have a greater level of
awareness, understanding that their facilities or physicians’ offices might be vulnerable to a data
breach. Horowitz also summarized in the report that more than 90% of those respondents
surveyed said that their organization has changed, or is in the process of planning to change,
policies and procedures to prevent and detect data breaches (p. 10, para. 4).
In 2013, Brian Eastwood, a senior editor for CIO, an online magazine for technology
executives, reported the federal government was pleased to point out that more than 80% of
healthcare facilities and more than 50% of physicians were using EHR systems. In the article,
Eastwood explained:
A number of studies suggest that healthcare providers are increasingly dissatisfied with the EHR
systems they have, with nearly forty percent saying they wouldn’t recommend their EHR to a
colleague and more than thirty percent saying they are buying a new EHR system to replace
existing software. (Eastwood, “Why Healthcare Providers,” para. 1-2)
In 2013, Anuja Vaidya, editor for Becker’s Hospital CIO, an online magazine for
technology executives, reported on a survey conducted by the American College of Physicians and
American EHR Partners of 4,279 clinicians from 2010 through 2014. According to Vaidya,
the survey found that user satisfaction fell 12% from 2010 to 2012. The chart in Figure 1 shows
the summarized findings of the study (Vaidya, 2013, “EHR user satisfaction has,” para. 3).
Figure 1. Chart shows user satisfaction has fallen as much as 12% from 2010 to 2012.
The chart in Figure 2, completed in November 2012, represents nine areas of improvement for
EHR systems identified by 375 physicians, dentists, and other healthcare providers who agreed to take this
survey (Vaidya, 2013, “9 Areas of Improvement,” para. 3).
Figure 2. Improvements made in EHR.
[Figure 1 chart: bar chart of percentages for 2010 and 2012 across six categories: clinicians who would not recommend EHR to other colleagues; clinicians who are satisfied with EHR to improve care; clinicians who were very dissatisfied with EHR decreasing workload; clinicians who have not returned to normal productivity; dissatisfaction with ease of use of EHR systems; satisfied with ease of use of EHR systems.]
The need to safeguard PHI has been under scrutiny as healthcare facilities and physicians
migrate from paper records to electronic form. When implementing this change, healthcare
facilities and physicians must abide by the HIPAA Privacy and Security Rules as they apply.
Large healthcare facilities lead the way when it comes to adopting EHR, and physicians are
gradually implementing this change in their offices (Godart, 2014, p. 5, para. 1).
Even in 2006, the National Institute of Standards and Technology (NIST) Information
Security Handbook: A Guide for Managers mentioned that, regardless of size, all healthcare
facilities and physician offices are responsible for developing internal policies around the
security and protection of patient information, as well as what procedures must be taken if their
patient data has been breached. According to Bowen, Hash, and Wilson, NIST offers guidelines for
securing and protecting all types of electronic data that should be used when developing
information security (INFOSEC) policy. NIST Special Publication 800-100, titled “Information
Security Handbook: A Guide for Managers,” provides an overview for managers on how to
establish and implement INFOSEC policy programs suited to their business needs (Bowen, Hash, &
Wilson, 2006).
Risks to Patient Electronic Data
In 2014, Didier Godart, an editor for Redspin, an online publication for meaningful
healthcare IT security, published a breach report covering the PHI breaches reported in 2013. Risk to
PHI continues to rise as technology quickly advances. Healthcare facilities and physicians are
using mobile devices to view patient information wirelessly. A single change
in Information Technology (IT) infrastructure or an application can create a multiplicity of new
vulnerabilities, oversights, and/or mistakes (Godart, 2014, para. 1-4, p. 16).
Godart goes on to report that the five largest PHI data breaches in 2013 made up 85.4% of the
total reported breaches. Figure 3 lists the top five PHI breaches at healthcare facilities. The chart
outlines data breach locations and how they occurred (Godart, 2014, para. 1, p. 7-8).
Figure 3. Top five PHI Breaches, 2013 (Godart, 2014, p. 7-8, para. 1)
The top three breach incidents resulted from theft of portable computing devices, which
contained huge amounts of unencrypted PHI data. The most egregious of these occurred at
Advocate Health and Hospitals, where four desktop computers were stolen from an office that
held over 4 million records (Godart, 2014, para. 1, p. 8). At Horizon Healthcare Services, two
laptops were stolen from the company’s headquarters, which held unencrypted PHI data that
contained patients’ personal data, potentially including the individuals’ social security numbers.
It is obvious that if healthcare organizations and physicians’ offices had encrypted PHI data, all of
this could have been avoided. Figure 4 shows the impact of PHI breaches from 2010-2013 (Godart,
2014, p. 6, para. 2).
Figure 4. Total PHI Breaches from 2010-2013 (Godart, 2014, p. 6, para. 1).
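As an added illustration of the point above, and not part of the original capstone, the following Go program shows what encrypting PHI at rest on a portable device means in practice: a record is sealed with AES-256-GCM under a key that is assumed to be held in a key-management store off the device, so a stolen laptop or desktop yields only ciphertext, and any alteration of the stored record is detected when it is opened. The record contents and function names are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// samplePHI is a constructed record standing in for a patient entry cached on
// a laptop; it is not real data.
const samplePHI = `{"patient":"Jane Doe","ssn":"000-00-0000","diagnosis":"example"}`

// newKey returns a random 256-bit data-encryption key. On a real device this
// key is assumed to be fetched from a key-management service or a TPM-backed
// store at login and is never written to the same disk as the records.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds the AES-256-GCM AEAD for a key, rejecting wrong key sizes.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealPHI encrypts and authenticates a record. The random nonce is prepended
// to the ciphertext, so the stored blob is self-describing apart from the key.
func sealPHI(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openPHI decrypts a stored blob. It fails if the key is wrong or if any byte
// of the stored record (nonce, ciphertext or authentication tag) was altered.
func openPHI(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n+gcm.Overhead() {
		return nil, errors.New("stored record is too short to be valid")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// recoverableWithoutKey models the stolen-device case: the thief holds the
// blob but not the key. It reports whether a guessed (all-zero) key opens it.
func recoverableWithoutKey(sealed []byte) bool {
	_, err := openPHI(make([]byte, 32), sealed)
	return err == nil
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	sealed, err := sealPHI(key, []byte(samplePHI))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored on device: %d bytes of ciphertext\n", len(sealed))
	fmt.Println("readable from stolen device without key:", recoverableWithoutKey(sealed))

	// Simulate tampering with the stored record by flipping one byte of the tag.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := openPHI(key, tampered); err != nil {
		fmt.Println("tampered record rejected:", err)
	}

	plain, err := openPHI(key, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Println("with key:", string(plain))
}
```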
In 2013, HHS' Office of Civil Rights (OCR) received reports of over 199 large PHI breaches
influencing over 7 million patients. This represents a 137% rise in the number of healthcare
records affected by PHI breach compared to 2012. For example:
EHR Meaningful Use Incentive program inspired a number of HIPAA security
HSRA projects at hospitals and other providers.
OCR published their HIPAA audit protocol and completed 115 audits of various
types of covered entities until putting the initiative on postponement in 2013.
Theft was still the largest cause of PHI breaches in 2013. “Stolen devices made up over
45% of incidents reported and impacted 83.2% of all patient records breached” (Godart, 2014, p.
9, para. 3). Figure 5 shows the types of PHI data breaches that occurred in 2013.
Figure 5. PHI Data Breaches in 2013 by type (Godart, 2014, p. 9, para 3).
Figure 6 shows that in 2013, 34.7% of all PHI breaches occurred on a laptop or other
portable device, the easiest types of devices for thieves to steal or employees to lose (Godart,
2014, p. 12, para. 1-2).
Figure 6. PHI Data Breach by Source/Device in 2013 (Godart, 2014, p. 12, para. 1).
Risk Management
The Security Management Process standard in the Administrative Safeguards section of
HIPAA’s Security Rule requires health care providers (HCPs) to
implement policies and procedures to prevent, detect, contain, and correct security violations
(DHS, 2013). This process standard has four required implementation specifications, including
risk analysis and risk management. During risk management planning, healthcare providers
should consider five security components within their EHR security infrastructure. Three of
these are the physical, administrative, and technical safeguards. The fourth component is
policies and procedures: written policies and procedures that assure HIPAA
requirements and guidelines are practiced on a day-to-day basis with respect to protecting patient information.
The final component, organizational requirements, requires healthcare facilities and physicians to
have business associate agreements with third-party vendors outlining privacy and security
requirements and expectations, as shown in Figure 7 (HHS, 2012, p. 12).
Figure 7. Five Security Components for Risk Management (HHS, 2012, p. 12, para. 1).
In 2007, DHS and CMS HIPAA Security guidance stated that all electronic protected health
information (EPHI) created, received, maintained, or transmitted by a covered entity is subject
to the Security Rule (HHS, p. 4, para. 3). Under HIPAA, risk analysis requires HCPs
to “conduct an accurate and thorough assessment of the protection risks and vulnerabilities to
the confidentiality, integrity, and availability of EPHI held by the covered entity” (HHS, p. 2,
para. 3). The required implementation specification for risk management requires HCPs to implement
security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate
level. The Security Rule does not require a specific risk analysis or risk management methodology;
however, HIPAA guidance points to NIST Special Publication 800-30 (Bowen, Hash, & Wilson,
2006).
The Ryan-Nichols equation measures information system risk as a function of threats,
vulnerabilities, impact, and countermeasures. It is a qualitative equation used to define how
likely PHI is to be lost within a healthcare facility or physician’s office as a result of implementing
an EHR system (Ryan, 2005, p. 2). Risk is a measure of an applied threat, potentially acting through a
known or unknown vulnerability, that will have an impact on the healthcare facility or
physician’s office. Examples of risks are “unauthorized (malicious or accidental) disclosure,
modification, or destruction of information, unintentional errors, and omissions, IT disruptions
due to natural or man-made disasters” (DHS, 2007, pp. 4-5, para. 5). Threats, as described in
NIST SP 800-30 (NIST Computer Security Division (CSD), 2012), have adverse effects on
organizational operations, assets, and individuals. Threats to information systems can include
purposeful attacks, environmental disruptions, and human and machine errors (p. 1, para. 1). Gary
Stoneburner, Alice Goguen, and Alexis Feringa of NIST (2012) defined a vulnerability as
“a weakness in an information system, system security procedures, internal
controls, or implementation that could be exploited by a threat source. Most information system
vulnerabilities can be associated with security controls that either have not been applied either
intentionally or unintentionally” (“Risk Management Guide for,” p. 18, para. 3). Terrell Herzig
(2011), editor for the American Health Information Management Association, in an article, “Security
Risk Analysis and Management: An Overview,” provided examples of such threats and
vulnerabilities that could take place (see Figure 8).
Threat | Control | Vulnerability
1. Theft or loss | File encryption is used to protect some of the data stored on the hard drive. | Power-on passwords and other access control devices are not being used. Security devices (physical or technical) for tracking lost or stolen laptops are lacking.
2. Malicious code (virus, worm, Trojan horse, spyware, etc.) | Antivirus software is loaded on laptops. | Antivirus software does not get updated regularly. Users have local administrator rights and can disable or turn off the antivirus software and download executable programs.
Figure 8. Sample of Threats, Controls, and Vulnerabilities (Herzig, 2011, p. 5, para. 2).
Terrell Herzig (2011) provides examples of impacts that could occur to an organization (see
Figure 9). Impact, as defined by DHS and CMS (2007), can include “financial cash flow, loss of physical
assets, temporary loss or unavailability of EPHI, Permanent loss or corruption of EPHI, and
unauthorized access to or disclosure of EPHI” (HHS, 2007, p. 11, para. 3).
Magnitude of Impact | Impact Definition
High | Exploitation of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may violate, harm, or impede an organization's mission, reputation, or interest significantly; or (3) may result in human death or serious injury.
Medium | Exploitation of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human injury.
Low | Exploitation of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may affect an organization's mission, reputation, or interest noticeably.
Figure 9. NIST SP 800-30 Impact Definition (Herzig, 2011, p. 6, para. 3).
See Appendix A for an explanation of the impact of data breaches on healthcare organizations and
physicians’ offices. Appendix B provides an example of a risk assessment report that
businesses can incorporate to reduce the risks of data breaches.
Data Breaches
The use of an EHR system in the healthcare field does pose the risk of intentional
or unintentional release of secured information such as PHI to an untrusted environment. All
healthcare workers must take the necessary steps to prevent data breaches. Thomas Fleeter,
MD, and David Sohn, MD, members of the American Academy of Orthopaedic Surgeons Liability
Committee, wrote an article, “Potential Liability Risks of Electronic Health Records.” The
authors provided the following steps that healthcare workers should practice:
- Nurses or physicians leaving a room while the patient is still in the room should log off the EHR system.
- Nurses and physicians should have access to only their patients’ medical records and no other patients’ (2012, para. 10-13).
According to Fleeter and Sohn, electronic data is more easily stolen, which places more
responsibility on healthcare facilities and physicians to guard against data breaches. They wrote:
For example, several computer disks were stolen from a medical office in Oregon in
2009, affecting more than 365,000 patients. A lawsuit was filed, based on patient
concerns of future losses and the need to monitor credit reports. Ultimately, the case
failed, but not because the defendants did not owe a duty for better data protection. It
failed only because in that case, no harm actually came to the plaintiffs. It is not hard to
see, however, that providers have a duty to keep electronic health data secure. (2012,
“Potential Liability Risks of,” p. 3, para. 4).
The Health Resources and Services Administration (HRSA) reported that the three most
common risk factors of EHR are inappropriate access, record tampering, and loss due to natural
catastrophes (HRSA, 2014, “What are the privacy”, p. 1, para. 2). Bill Kleyman (2013), a
virtualization architect at MTM Technologies, Inc., in his article, “Healthcare data breaches:
reviewing the ramifications,” observed that many organizations forget that not all
data breaches originate on the technology side; a breach can happen with a misplaced
backup that contains important data. Two examples Kleyman provided were the Utah
Department of Health, where a breach of 780,000 files was blamed on a weak password policy,
and Emory Healthcare, where 315,000 files were breached due to the theft of
10 backup disks removed from a storage facility whose door was unlocked (HealthITSecurity, “Healthcare
data breaches,” para. 3 & para. 7).
U.S. Government Healthcare Exchange handling of data breaches. Eric Boehm (2013),
reporter for the Watchdog.org website, wrote that most state-run health exchange websites will be
covered by state laws that require notification when government databases are breached by
hackers. However, there is no law requiring notification when databases run by the federal government are
breached, and even though DHS was asked to include a notification provision in the rules being
drawn up for the new federal exchange, it declined to do so (para. 2).
Boehm goes on to mention that other privacy laws such as HIPAA do not
apply to the government-run exchange, only to health providers and insurance companies
operating within the exchange (para. 3). Boehm also quoted
Deven McGraw, director of the Health Privacy Project at the Center for Democracy and
Technology, who said, “The notification requirement is a very important part of overall security.
People should be told when their information is at risk” (“Feds not required to,” para. 5). Another
of Boehm’s major concerns was that insider breaches, such as an employee stealing
social security numbers, never have to be reported (para. 17).
Fox (2014) published an article on its website in which Kevin Mitnick, known as the
world’s greatest hacker, was interviewed regarding the security of ObamaCare’s Healthcare.gov
website. Mitnick called the protections built into the site shameful and minimal (para. 1).
Mitnick concluded by saying that numerous security vulnerabilities are associated with the
Healthcare.gov website and that it is clear security was not a priority for
the management team (para. 4).
In another Fox (2013) article on Foxnews.com, security experts David Kennedy, CEO of
the security firm TrustedSec, and Fred Chang, distinguished chair in cyber security at
Southern Methodist University, testified before the Senate that HealthCare.gov is at risk
and that the website could be hacked or already has been hacked (para. 2 & 3). Kennedy went
on to say that HealthCare.gov lacks built-in security; although the site does not house medical
records, it integrates deeply with other sites, including e-commerce information, and
houses a vast array of data that presents a target (para. 8). In the same article Avi Rubin, technical
director of Johns Hopkins University’s Information Security Institute, described how the
healthcare industry is actually the furthest behind in terms of security (para. 12 & 13). These
cyber security experts advised that Americans should not use HealthCare.gov until the security issues
were fixed.
Private companies and state governments must report data breaches. John Fund (2013), editor
for the National Review Online website, wrote an article, “Hiding the hacking at Healthcare.gov,”
noting that the U.S. Government does not have to report security breaches unless it decides it wants
to, despite the fact that private companies and states are required to publicly disclose any data
breach incidents (para. 5). A September 13, 2013 article written by Jackie Crosby of the
Minnesota Star Tribune demonstrated that data breaches in healthcare exchanges are occurring.
Crosby reported on a data breach that occurred at Minnesota’s state healthcare exchange:
A MNsure employee accidentally sent an e-mail file to an Apple Valley insurance
broker’s office on Thursday that contained Social Security numbers, names, business
addresses and other identifying information on more than 2,400 insurance agents. An
official at MNsure, the state’s new online health insurance exchange, acknowledged it
had mishandled private data (“Errant e-mail creates security,” para. 1-2).
The rise of medical identity theft. Michael Ollove (2014), senior health policy reporter
for Stateline, Pew Charitable Trusts, posted an article on pewtrusts.org regarding the rise of
medical identity theft. In the article Ollove referred to a survey conducted by the Identity Theft
Resource Center in which breaches of medical records involving personal information accounted
for 43 percent of all records breaches involving personal information reported in the U.S. in 2013
(“The Rise of Medical,” para. 2). Pam Dixon, founder and executive director of the World Privacy
Forum, stated that medical identity theft is a growing and dangerous crime that leaves
victims with a tough road to recovery, with financial repercussions as well as incorrect
information added to their personal medical files by the hackers (para. 4). Dixon went
on to provide two examples of how incorrect information can end up in a
person’s medical file. Both cases were driven by insider threats.
A psychiatrist in Massachusetts created false diagnoses of drug addiction and
severe depression for people who were not patients of his so that he would be able
to submit medical insurance claims for psychiatric sessions that never transpired.
One man discovered this false diagnosis when he happened to apply for a job. He
had not even been a patient (para. 8).
An Ohio woman working in a dental office gained access to patients’ protected
information of Medicaid so that she could illegally obtain prescription drugs
(para. 9).
The article went on to say that according to Sam Imandoust, Attorney at Law at Imandoust Law
Firm and Legal Analyst at Identity Theft Resource Center, perpetrators use different techniques
to obtain the information they are looking for. It can range from stealing laptops to hacking into
computer networks (para. 12).
Security risk and breach of privacy using HealthCare.gov. Kelsey Harris and Rob
Bluey (2013), editors for the Daily Signal website, reported on a security flaw in the
government-run website HealthCare.gov. Justin Hadley from North
Carolina had logged into HealthCare.gov to look at different healthcare packages because his health
insurance had run out. While still logged on to HealthCare.gov, he discovered
eligibility letters that had been sent to him by mistake and should have gone to an individual in South
Carolina. Elected officials in his state directed Hadley to contact HHS, which administers
HealthCare.gov. Hadley made the contact and has yet to hear back from HHS. In the
meantime, the letters remained listed under Hadley’s account on the HealthCare.gov website.
In the same article, and in contrast to the mishandling of Hadley’s data, a spokesperson
from HHS told the Associated Press that when consumers filled out their online applications they
could trust that stringent security standards were protecting the information they were providing.
The spokesperson also advised that the technology underlying the application process had been
tested and deemed secure (“HealthCare.gov Users Warn of,” p. 3, para. 2). Heritage
cybersecurity expert Steven Bucci, director of the Douglas and Sarah Allison Center for Foreign
Policy Studies, warned that users of HealthCare.gov are leaving their personal information
unsecured. Bucci went on to say that once the information goes out over the system, it is
vulnerable, and that the HealthCare.gov website’s security standards were weak (p. 3, para. 5 & 6). In
the meantime, while the confusion over Hadley’s attempts to access the
federal healthcare exchange was going on, his current plan with Blue Cross Blue Shield expired. Hadley was
offered an opportunity to auto-enroll in a new health insurance plan. That option would have
increased his monthly premiums by 92 percent and doubled his deductible (p. 4, para. 2).
Chris Jacobs, Heritage health policy analyst, analyzed the letters that Hadley had received
and noted the irony of HHS’s promise that the federal healthcare exchange protects the privacy
and security of personally identifiable information. Jacobs said:
Justin’s story demonstrates how Obamacare’s flaws go well beyond a bungled website.
From canceled coverage to skyrocketing premiums to the federal government’s failing to
protect Americans’ personal data, the damage Obamacare has inflicted is becoming more
and more clear each day (p. 4, para. 6).
Risk of inappropriate access. HRSA (2014) notes that unauthorized users can gain access
to an EHR to collect PHI, or that authorized users can violate the appropriate-use conditions. One
example offered was a professional staff member leaving a patient’s record open so that a passerby
views the data on the screen or manipulates the data (p. 1, para. 5). Another example was poor
network security allowing a hacker to gain access to user credentials. With the credentials, the
hacker could then bypass the access control protections that would otherwise prevent access
(HRSA, “What are the privacy”, p. 1, para. 5). The ability to make changes to EHR records
depends upon the rights assigned to a user. Users that have privileges can add, delete, or even
modify entire records. A server account allows direct data access so that changes can be made
instantaneously, rather than passing through the EHR application (p. 2, para. 1).
Risk of record tampering. HRSA (2014) explains this risk as a user being able to make
changes to PHI records, such as adding, deleting, or modifying data or an entire PHI record. Server
accounts allow direct access to PHI data files while they are stored on EHR servers (HRSA,
“What are the privacy,” p. 2, para. 1).
Risk of record loss due to natural catastrophes. HRSA (2014) lists fires, floods, or
other environmental disasters at physical locations as the types of natural disasters that can result
in complete loss of PHI records (HRSA, “What are the privacy,” p. 2, para. 2).
Ramifications of Data Breaches
Bill Kleyman (2013) reminds readers that if a breach involves more than 500 individuals, the
organization must make an announcement and alert the media. Regardless of the size, however,
notifications have to go out to the patients that were affected (p. 2, para. 4). After a healthcare
organization or physicians’ office has a data breach, it can suffer serious public relations (PR)
damage, affecting its image and reputation (p. 2, para. 5-6).
Meaningful Use
HHS (2011) explained that eligible professionals (EPs) and hospitals had to demonstrate
meaningful use of EHR to qualify for incentive payments through CMS. EPs and
hospitals that qualified for the Medicaid EHR incentive program did not need to meet the same
requirements in the first year of participation, but had to adopt or upgrade to an EHR system to
receive incentive payments. The meaningful use program was set to evolve in three stages over a
five-year span from 2011 through 2016. Figure 10 shows the three stages healthcare organizations and
physicians’ offices must follow when implementing an EHR system (ONC, para. 4).
Stage 1 (2011-2012): Data capture and sharing. Meaningful use criteria focus on:
- Electronically capturing health information in a standardized format
- Using that information to track key clinical conditions
- Communicating that information for care coordination processes
- Initiating the reporting of clinical quality measures and public health information
- Using information to engage patients and their families in their care
Stage 2 (2014): Advance clinical processes. Meaningful use criteria focus on:
- More rigorous health information exchange (HIE)
- Increased requirements for e-prescribing and incorporating lab results
- Electronic transmission of patient care summaries across multiple settings
- More patient-controlled data
Stage 3 (2016): Improved outcomes. Meaningful use criteria focus on:
- Improving quality, safety, and efficiency, leading to improved health outcomes
- Decision support for national high-priority conditions
- Patient access to self-management tools
- Access to comprehensive patient data through patient-centered HIE
- Improving population health
Figure 10. Stages of Implementing EHR (ONC, EHR Incentives & Certifications, para. 4)
There are many different EHR programs available for healthcare organizations and
physician offices. ONC (2014) provides a list of ambulatory practice type
and inpatient practice type EHR programs.
- Ambulatory practice type is “health care service provided to a patient who is not admitted to a facility. Ambulatory care may be provided in a doctor’s office, clinic, the patient’s home, or hospital outpatient department” (ONC, “Certified Health IT Product List,” para. 2).
- Inpatient practice type is health care service provided to a patient admitted to a hospital, extended care facility, nursing home, or other facility (ONC, 2014, “Certified Health IT Product List,” para. 3).
ONC, on its healthIT.gov website, listed the top 10 EHR systems being introduced by
healthcare organizations and physicians’ offices as:
Vendor | Total Installations | Percent of Installations
Meditech | 1212 | 25.5 %
Cerner | 606 | 12.8 %
McKesson | 573 | 12.1 %
Epic Systems | 413 | 8.7 %
Siemens Healthcare | 397 | 8.4 %
Computer Programs and Systems, Inc. (CPSI) | 392 | 8.3 %
Healthcare Management Systems (3M) | 347 | 7.3 %
Self-developed (InfoGard) | 273 | 5.8 %
Healthland | 223 | 4.7 %
Eclipsys | 185 | 3.9 %
The CMS provided incentive payments for healthcare organizations and physicians’
offices to change over to electronic systems. These incentive programs were intended to facilitate a
quicker changeover.
Benefits of Implementing an EHR system
The U.S. government created incentive packages for healthcare facilities that
implemented an EHR system. If a healthcare facility started using an EHR
system, the facility could receive incentive payments of up to $44,000 from Medicare and
$65,000 from Medicaid per individual physician to help cover the cost of EHR adoption
(Athenahealth, 2009). The sole reason the U.S. passed the HITECH Act was to convert medical
records to an electronic format to cut waste, eliminate red tape, and help reduce the need to
repeat expensive medical tests (Athenahealth, 2009, p. 2, para. 2). With this act in place, the
Congressional Budget Office (CBO) estimated that 90% of physicians would adopt an EHR
system in their practice by 2014. Figure 11 shows the Medicare incentive payments to physicians
or healthcare facilities that adopted an EHR system into their practice (Athenahealth, 2009).
Figure 11. Medicare incentive payments adopting EHR program (Athenahealth, 2009, p. 3, para. 4).
In 2012, Kimmarie Donahue, Information Assurance Project Lead, and Syed Rahman,
Assistant Professor at the University of Hawaii-Hilo, wrote an article, “Healthcare IT: Is Your
Information at Risk?” in the International Journal of Network Security & Its Applications.
Donahue and Rahman discussed the correlation between technology costs and patient care costs
by explaining that health information technology improves patient care by providing more
efficient data storage, transfer of medical records, and the ability for patients to access their
healthcare records online, while also increasing the opportunity for loss and corruption of PHI
(Donahue & Rahman). The enactment of the HITECH Act has encouraged the use of these
technologies by requiring providers to adopt electronic health record systems and increase health
information exchange (ARRA, 2009). In 2012, a study on patient privacy and data security
conducted by Ponemon Institute LLC found that failing to enforce these rules may cost
healthcare organizations millions of dollars in civil and criminal fines, and could expose
sensitive patient information to criminals (Ponemon, para. 1-5).
Comparison of EMR vs. EHR
EMR and EHR are not synonymous, and it is incorrect to use them interchangeably.
According to ONC, EMRs are a digital version of the paper charts containing the medical and
treatment history of a patient in the clinician’s office. EMRs allow clinicians to track data over
time, check which patients are due for upcoming visits, check how patients are doing on certain
parameters such as blood pressure readings and medications, and monitor and improve overall quality
of care (Garrett & Seidman, “EMR vs EHR,” p. 1, para. 3). Fig Gungor (2012), CEO of
OneSource Document Management (onesourcedoc.com), posted on the company’s website a
history of how EMRs appeared before EHRs, as paper medical records began transitioning
to electronic format as early as the 1960s. According to Gungor, the transition started in
the 1960s in response to physicians’ concerns about the growing volume of medical records. EHR
systems and third-party software programs could store vast amounts of patient data and provide
critical information quickly and accurately, resulting in better care for the patient (Gungor, “The
history of electronic,” para. 1).
EHRs provide all the same benefits as EMRs, but EHRs focus on the total health of the
patient and offer the capacity for greater electronic exchange (Garrett & Seidman, “EMR vs EHR,”
p. 2, para. 1). EHRs are designed to share an individual’s EMR with multiple healthcare
providers, where all those involved in the patient’s care rely on the same record. Included in this
information are patients’ progress notes, allergies, medications, immunizations, laboratory data,
radiology reports, and other PHI (see Appendix C). Karen Bell (2008), ONC Director of the Office
of Health IT Adoption, summarizes that implementation of an EHR system allows patients to
access their own health records online at any time in a secure manner and to track the usage of
their medical information. The following list summarizes the differences between EMRs and
EHRs:
Electronic medical records (EMR).
- Legal record of the Health Care Provider (HCP)
- A record of clinical services for patient encounters in a HCP
- Owned by the HCP
- Being purchased by enterprise vendors and installed by hospitals, health systems, clinics, etc.
- May have patient access to some results info through a portal but is not interactive
- Does not contain other HCP encounter information
Electronic health records (EHR).
- Subset of information from various HCPs where the patient has had encounters
- Owned by patient or stakeholder
- Community, state, or regional emergence today (RHIOs) or nationwide in the future
- Provides interactive patient access as well as the ability for the patient to append information
- Connected by the Nationwide Health Information Network
Entire list adapted from Garets and Davis (2006, HIMSS, “Medical Records vs.
Electronic”, p. 3, para. 3).
Discussion of the Findings
The purpose of this research was to evaluate the United States’ process for guaranteeing that
healthcare professionals and hospitals adhere to patients’ rights to privacy law. The methods by
which this is accomplished are complex and require a complete organizational evaluation of risks,
threats, and countermeasures as HCPs rely more on technology and EHR systems. This
discussion carefully considers the facts collected during this research, highlighting areas of
concern for the security of the United States’ process of protecting healthcare information.
In 1996, HIPAA established privacy and security standards for safeguarding and
protecting the privacy of an individual’s personal health information (DHS, “HIPAA Security,”
2003). These standards placed limits on the access, use, and disclosure of electronic patient data,
which is part of the Privacy and Security Rules within HIPAA. As defined in HIPAA, the three
major safeguards include administrative, physical, and technical components that an organization
must consider in its planning to implement the Security Rule (DHS, “HIPAA Security,” 2003).
This research reviewed internal healthcare INFOSEC policies and due diligence
countermeasures that may be available to reduce the risk of data loss. This section discusses the
findings on the information security policies that healthcare organizations are required to follow and
whether these policies are effective in protecting PHI. It addresses the complexities of
choosing and implementing an EHR system as required by the HITECH Act and in compliance
with HIPAA. The findings compared existing studies and provide a discussion of the
limitations, potential weaknesses, and problems of the study.
Threats to healthcare organizations have become increasingly more difficult to control.
This is due to lack of resources including technologies and trained personnel in addressing
security and privacy risks. Healthcare organizations are required to follow policies regarding the
security of EHR, yet data breaches have steadily increased. Most of the breaches were attributed
to employee negligence and carelessness. Lost or stolen computing devices were often the cause
of the data breach.
The number of healthcare organizations and physician offices adopting EHR systems has
increased with the majority taking advantage of the Medicare and Medicaid EHR Incentive
Programs. As part of the HITECH Act, the federal government has invested billions of dollars
for this incentive program to encourage health organizations and physician offices to adopt an
EHR system. The federal government also allocated billions more to help train healthcare staff
members and assist in setting up EHRs that would enable the health data historically sequestered
in paper files to be shared to improve health care quality. This trend is impressive considering
smaller practices do not have the resources that larger institutions have, yet both are required to
follow HIPAA’s privacy and security safeguards to reduce risk to PHI.
Meaningful Use
The CMS, on its website cms.gov, defined meaningful use as the use of EHR technology by
healthcare organizations and physician offices to improve patient care while meeting 18 of 22
requirements. Those that meet the requirements may receive financial incentive payments (CMS,
2012). HHS (2011) explained that eligible professionals (EPs) and hospitals had to demonstrate
meaningful use of EHR to qualify for incentive payments through CMS. EPs and
hospitals that qualified for the Medicaid EHR incentive program did not need to meet the same
requirements in the first year of participation, but had to adopt or upgrade to an EHR system to
receive incentive payments. The meaningful use program was set to evolve in three stages over a
five-year span from 2011 through 2016. In order for hospitals and physicians’ offices to continue
receiving incentive payments through CMS, they must provide continuing education for their
professional staff on data entry and the handling of PHI in the EHR system. For hospitals and
physicians’ offices that have EHR systems in place, training is required again for any updates
made to existing EHR systems that change the way professional staff, such as nurses or doctors,
input and maintain PHI data in patients’ records.
These steps are especially important to follow when a nurse or doctor leaves a patient alone in a
room. In order to protect the security and privacy of all patients’ PHI data, staff must either log
out of the EHR system or lock the screen as they leave the room. Figure 12 shows the three
stages to follow in order to receive incentive payments.
Stage 1 (2011-2012): Data capture and sharing. Meaningful use criteria focus on:
- Electronically capturing health information in a standardized format
- Using that information to track key clinical conditions
- Communicating that information for care coordination processes
- Initiating the reporting of clinical quality measures and public health information
- Using information to engage patients and their families in their care
Stage 2 (2014): Advance clinical processes. Meaningful use criteria focus on:
- More rigorous health information exchange (HIE)
- Increased requirements for e-prescribing and incorporating lab results
- Electronic transmission of patient care summaries across multiple settings
- More patient-controlled data
Stage 3 (2016): Improved outcomes. Meaningful use criteria focus on:
- Improving quality, safety, and efficiency, leading to improved health outcomes
- Decision support for national high-priority conditions
- Patient access to self-management tools
- Access to comprehensive patient data through patient-centered HIE
- Improving population health
Figure 12. Stages of Implementing EHR (ONC, EHR Incentives & Certifications, para. 4)
In order to provide the best possible care to the patient, both nurses and doctors must
document everything they discussed with the patient at the time of the visit and enter it in the
EHR system. Training and ongoing education in this area should stress the importance of
documenting data in the PHI record in the EHR system. In stages two and three patients have the
ability to view all their information in the EHR system just by going to a secured website hosted
by either the hospital or the physician office.
Healthcare organizations want patients to get more involved in this area. If a patient needs to renew a prescription, they can use the secured website to ask for a refill instead of calling the physician's office. Patients can schedule appointments and read the doctor's notes in their PHI file. Patients can also message their doctor if they see something wrong in the PHI file or want something added to it. This is a good use of technology and of the HITECH Act, allowing patients to get more involved in their own care. In stage two, "Advance clinical processes," healthcare organizations will be able to send patients' medication refills electronically to their pharmacy through the EHR system.
Healthcare organizations can choose among EHR systems according to their needs and purposes. Both ambulatory and inpatient departments are using EHR systems to improve quality, safety, and efficiency, leading to improved healthcare for patients. Initial training, and perhaps even more importantly continuing education, for professional staff in these departments is a requirement, especially since EHR systems are updated frequently.
In addition to training, strong privacy and security policies at healthcare organizations must stress that PHI must stay confidential. All professional staff members should sign an acknowledgment letter stating that they understand and will follow the privacy and security policies in place at their facility to prevent data breaches. If accidental or inappropriate sharing of PHI occurs, the staff member who caused the data breach is held accountable and disciplined. It is important to realize that all hospitals, physician offices, healthcare insurance companies, and pharmacies must adhere to HIPAA.
Healthcare organizations, healthcare insurance companies, physicians' offices, and pharmacies must continue to practice meaningful use so they are able to provide better quality care for patients. Proposed improvements to how PHI is documented in the EHR system should be brought to the administrative staff of the healthcare organization, who in turn notify the vendor; the vendor then implements the new steps in the EHR system after determining the validity and security of the request. Once the update is deployed, professional staff require new training on the changes. This step is often overlooked, and staff working an altered workflow without training creates a new security exposure.
Risks to Patient Electronic Data - Data Breaches
Patient records are the most important assets within an EHR system. The research revealed that the most common risk to PHI is lost or stolen patient and employee records. Figure 13 illustrates the types of data that were lost or stolen from 2011 through 2013. Risks to PHI continue to rise as technology advances: healthcare facilities and physicians now view patient information wirelessly on mobile devices, which introduces a new area of risk beyond oversights and mistakes. The government should address these areas as part of an overall PHI data protection plan.
Figure 13. Types of PHI Lost or Stolen in 2011-2013 (Ponemon, 2014, p. 6, para. 1).
Employees who access a patient's medical file, insurance record, or billing information without authorization can harm both the patient and the healthcare organization, increasing the risk of financial and medical identity theft. Patients' information can easily be changed or stolen. Careless doctors or nurses who leave a patient's record open and unattended when they leave the room are putting PHI at risk. That patient could gain access not only to his own record but to other patients' records, take advantage of the high-stress environment to photograph PHI with a mobile device camera, and use it as seed for other crimes such as identity theft or sell it on the black market.
Extra precautions for protecting PHI are required. Nurses and physicians should have access only to their own patients' medical records. Limiting access in this way shrinks the breach surface. With training, healthcare staff will understand their role and responsibility to access only the data necessary for their job tasks, thereby reducing the attack surface for the entire national EHR system. Figure 14 shows that patients' names, dates of birth, and demographics were among the top three categories of information compromised in healthcare security breaches.
Figure 14. Information compromised in a security breach (HIMSS, 2012).
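The session-lock rule above (log out or lock the screen before leaving the room) and the minimum-necessary rule (staff see only their own patients' records) can be enforced in the EHR itself rather than left to training alone. The following Python is an added example written for this page, not code from the paper or from any EHR product; the five-minute idle limit, the care-team roster, the user names and the break-glass override are assumptions constructed for the demonstration:

```python
"""Minimum-necessary chart access with automatic session lock and an audit
trail.  Added example for this page, not code from the paper or from any
EHR vendor.  The idle limit, the care-team table and the users are all
assumptions constructed for the demonstration."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: site policy locks an unattended EHR session after 5 minutes.
IDLE_LIMIT = timedelta(minutes=5)

# Constructed care-team roster: which staff are assigned to which patient.
# In a real EHR this would come from the admission/assignment system.
CARE_TEAM = {
    "P-1001": {"nurse_a", "dr_b"},
    "P-1002": {"nurse_c", "dr_b"},
}

# Every access decision, allowed or denied, is appended here so that the
# privacy officer can review who looked at which chart and why.
AUDIT_LOG = []


class AccessDenied(Exception):
    """Raised when a chart request is refused."""


@dataclass
class Session:
    user: str
    last_activity: datetime
    locked: bool = False

    def is_active(self, now):
        """A session is usable only if it is unlocked and not idle too long."""
        return not self.locked and (now - self.last_activity) <= IDLE_LIMIT

    def lock(self):
        """Explicit lock when staff leave the room, or automatic on idle."""
        self.locked = True

    def resume(self, now):
        """Called after the user re-authenticates at the workstation."""
        self.locked = False
        self.last_activity = now


def _audit(session, patient_id, now, outcome, reason):
    AUDIT_LOG.append({
        "time": now.isoformat(),
        "user": session.user,
        "patient": patient_id,
        "outcome": outcome,
        "reason": reason,
    })


def authorize_chart_access(session, patient_id, now, emergency_reason=None):
    """Allow the chart only to staff on the patient's care team.

    Returns True on success and records the decision.  Raises AccessDenied
    (after recording the decision) when the session is locked/expired or the
    user is not on the care team.  `emergency_reason` is an assumed
    break-glass override: access is granted but flagged for later review.
    """
    if not session.is_active(now):
        session.lock()          # an idle session becomes a locked one
        _audit(session, patient_id, now, "denied", "session locked or idle")
        raise AccessDenied("session locked or idle; re-authenticate")

    on_team = session.user in CARE_TEAM.get(patient_id, set())
    if on_team:
        _audit(session, patient_id, now, "allowed", "care team")
    elif emergency_reason:
        _audit(session, patient_id, now, "allowed-emergency", emergency_reason)
    else:
        _audit(session, patient_id, now, "denied", "not on care team")
        raise AccessDenied(f"{session.user} is not assigned to {patient_id}")

    session.last_activity = now   # activity keeps the session alive
    return True


def flagged_for_review():
    """Entries a privacy officer should look at: denials and emergency overrides."""
    return [e for e in AUDIT_LOG if e["outcome"] != "allowed"]


if __name__ == "__main__":
    t0 = datetime(2014, 8, 1, 9, 0)
    s = Session("nurse_a", last_activity=t0)
    authorize_chart_access(s, "P-1001", t0 + timedelta(minutes=1))
    try:
        authorize_chart_access(s, "P-1002", t0 + timedelta(minutes=2))
    except AccessDenied as exc:
        print("denied:", exc)
    try:   # left the room without locking; 11 minutes later someone clicks
        authorize_chart_access(s, "P-1001", t0 + timedelta(minutes=12))
    except AccessDenied as exc:
        print("denied:", exc)
    for entry in flagged_for_review():
        print(entry)
```

Every decision is written to the audit log whether it succeeds or not, so a nurse who routinely opens charts outside their assignment, or a pattern of emergency overrides, shows up in review without depending on anyone noticing at the time. An idle session is locked on the next request rather than by a timer, so a workstation left open still refuses the next click from whoever is in the room.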
When an individual logs into the U.S. government healthcare website, HealthCare.gov, to view the types of healthcare insurance they could qualify for, they must enter their own personal information in order to find out which healthcare plan best fits their needs. Research by cyber security experts has indicated that once the information goes out over the system it is vulnerable, and that HealthCare.gov's security standards are weak and need improvement. The North Carolina user of HealthCare.gov who received letters intended for another user in South Carolina demonstrated the lack of best practice for security and data handling, contrary to statements about security from HHS.
The most concerning fact discovered in this research regarding data breaches was that the U.S. government exempted itself from reporting PHI data breaches. Healthcare organizations, states, and third-party vendors must adhere to HIPAA and report data breaches. Why is the U.S. government any different? In order to correct the problem of data breaches going forward, it is important to collect and analyze data to understand the trends, frequency, types, and other important details of the breaches that have occurred. In order to collect all of the necessary data for accurate reporting, everyone using the EHR system should abide by HIPAA. The government created this law to protect the privacy and security of American citizens' PHI records. The government is no different and it too should report any breaches that occur.
Cases presented in the literature review section demonstrated the insecurity of government websites as well as HHS's failed promises that HealthCare.gov was secure and protected users' PHI. Experts in the field of website security have deemed HealthCare.gov an insecure site. The well-known hacker Kevin Mitnick warned U.S. citizens not to use HealthCare.gov until the insecurities are fixed. Security experts David Kennedy and Fred Chang testified before Congress that HealthCare.gov is at risk and that the website could be hacked or already had been hacked. The fact that the government required security policies and placed strict guidelines on healthcare organizations, states, and third-party vendors, but exempted itself, undermines the whole purpose of HIPAA in the first place. The U.S. government should be accountable for data breaches like any other organization, particularly since the government is the largest custodian of PHI in the EHR system.
Reducing Risk of Data Breaches
The U.S. passed the HITECH Act to convert medical records to an electronic format to cut waste, eliminate red tape, and reduce the need to repeat expensive medical tests. More measures should address threats, which would reduce risk for businesses in the healthcare field, healthcare facilities, and physicians' offices. The increased use of technology to make patient records easier to access has resulted in more PHI being accessed over the Internet. Individuals can log into a website run by a healthcare facility to access their medical information; patients use these websites to request medication renewals, schedule office visits, and review their last doctor visits. To protect these accounts, the healthcare facility should implement a policy under which the individual must change their password at least every 45-90 days. Password rotation alone does not stop a stolen or phished password from being used before it expires, so the portal should also limit repeated failed login attempts and log every access to the record. The government has the responsibility of educating patients about the dangers of accessing PHI online, rather than promising security it cannot deliver. A plan for educating patients about their role in securing their own PHI should be a requirement in the planning and implementation of an EHR.
Negligence continues to be at the root of data breaches, with the primary cause being lost or stolen computing devices and the second most common cause employee mistakes or unintentional actions. Annual or periodic awareness training on HIPAA's privacy and security requirements would remind healthcare organizations and physician offices of the importance of HIPAA and of their role in safeguarding the national EHR system. Another method of reducing the attack surface is to require encryption of PHI held in the EHR system both in transit, for data sent between departments, hospitals, and physician offices, and at rest on the hard drives of all computing systems. If a computer or mobile device is lost or stolen, the data on it is useless to whoever has it without the decryption key.
Training is lacking in the healthcare field for employees who access PHI. The government created the HIPAA requirements, and in turn has the responsibility of providing more training to help professional staff in the healthcare field understand their roles and the importance of following the HIPAA Security and Privacy Rules. In addition, the same staff must be educated to understand why it is important to have a strong security policy in place. Employee training is very important to the overall protection of PHI. This research found employee training to be ineffective: employee mistakes ranked second among the primary causes of data breaches.
The HIPAA Privacy and Security Rules provide basic countermeasures for all healthcare entities but should serve only as baseline requirements. They are the stepping-stones for healthcare entities to create or update their internal policies. Healthcare entities should implement new or revised policies only after a complete analysis of business operations, with meaningful time devoted to privacy and security training for employees. Policies and procedures created to minimize risk to PHI will be ineffective without full support from management. Healthcare entities should designate, in a written policy, at least one individual and a supporting committee responsible for reviewing and auditing privacy and security practices. The implementation of an EHR system further demands this attention; otherwise an organization will fall victim and become another data breach statistic.
Smaller healthcare facilities and physicians' offices lack the resources available to hospitals, including capital for upgrading information technology and the support staff needed for installation and maintenance. These small medical offices are also unable to hire full-time information security professionals and are often uncertain where to begin when choosing and implementing an EHR system. Government and third-party interest groups have provided free resources for learning how to protect and secure PHI. NIST's Guide for Conducting Risk Assessments (SP 800-30) and HealthIT.gov's Guide to Privacy and Security of Health Information are just two examples of free resources that are available. Other resources can be found with an Internet search engine by looking up specific questions about the HIPAA Privacy and Security Rules and the HITECH Act.
Mobile devices and virtualization are two technologies growing in use within healthcare facilities. While they provide affordable and convenient solutions, they also present additional risks. Research has shown that hosted (virtualized) EHR systems may be the best option for physicians' offices, but the risks of transmitting and storing PHI should be determined before selecting an EHR system. Virtualized EHR systems rely on the Internet for transmitting PHI, which carries the inherent risks of sending data online and allowing remote connections. A thorough security plan includes conducting a risk analysis and instituting appropriate countermeasures prior to implementation.
Future Research Recommendations
Cloud Storage for PHI
An important area not included in this research was the privacy and security of PHI data
when healthcare facilities and physicians’ offices use the cloud (remote data storage services) to
back up patients’ information. In corporate environments, cloud storage as a backup solution is
more cost effective than hiring expert IT staff and maintaining local means of storage. While
cloud storage is an accepted method of managing large amounts of data, it could be putting PHI
data at greater risk, especially if encryption practices are not in use. Proposed research questions:
Who is responsible when a data breach occurs from cloud storage? Are there documented cases
of PHI data breaches while stored in the cloud? If so, was the vendor hosting the data or the
healthcare facility or physician’s office responsible for reporting the data breach? What
guidelines does HIPAA offer in reference to employing a cloud storage solution for PHI?
Danger to National Security
A nation state could use aggregated PHI from the national EHR system to mount an attack on the U.S. Advanced training for those responsible for collecting and maintaining the security of the data is necessary to ensure they understand the importance of protecting national PHI. Covered entities such as hospitals, physician offices, health insurance companies, and pharmacies should be more specific about what PHI is used, how it is used, and by whom. Notices of privacy practices need to be more meaningful, and data stewardship needs to extend to PHI held by non-covered entities.
Currently (2014), there are no standards limiting the PHI sent between entities; it is assumed that the complete PHI record is necessary to deliver the best care, so the full record is transmitted to hospitals, physicians' offices, health insurance companies, and pharmacies. First, policies should be established that specify what information within PHI is transmitted in particular circumstances and who is authorized to view it. Second, to avoid more breaches of PHI data, encryption of PHI should be a standard. If cyber criminals know that any PHI they steal is encrypted and unusable without the key, the data loses much of its value, which would reduce attacks on PHI or at least add another layer of security. These measures would result in better privacy and security of PHI. Open questions remain: What encryption method is best for protecting PHI data and EHR systems? What should be included in government, public, and private awareness campaigns about protecting PHI? What would be the best method of delivery for such a campaign? Should children be taught in school about protecting their PHI?
Conclusion
EHR systems are capable of storing and transmitting millions of patient records, which may contain an individual's financial information, medical diagnoses, and prescribed medicines. Ongoing research has confirmed that risk to PHI is growing as healthcare facilities and physician offices migrate from paper to electronic medical records. Healthcare facilities, and all business associates (BAs) managing PHI, are independently responsible for securing these records. The research reviewed shows that the vast majority have failed at maintaining security, mostly because of employee negligence, lack of training, and criminal intent. However, proper measures can reduce the associated risks. Appropriate initial training of staff, followed by continuing education, is key to reducing the risk.
The purpose of this research was to evaluate the United States' process for guaranteeing that healthcare professionals and hospitals adhere to patients' rights to privacy law. Overall, it appears the government has made a large effort to ensure that states, healthcare facilities, physicians, and pharmacists adhere to a best-practices guideline for protecting patients' right to privacy and the security of PHI. However, the most concerning research finding was how the U.S. government is handling its own PHI breaches. U.S. federal government programs are most effective when they incorporate checks and balances. When it comes to PHI, the U.S. government exempted itself from reporting healthcare data breaches, thereby skewing any effort to measure the effectiveness of its own HIPAA laws. The government created the HIPAA guidelines for healthcare facilities and physicians' offices to follow to ensure protection of patients' rights and privacy, yet the government is not following its own guidelines. The U.S. government must reconsider and follow its own HIPAA guidelines and start reporting EHR data breaches just like any other entity.
References
American Recovery and Reinvestment Act of 2009. (2013, July 31). Retrieved from http://www.gpo.gov/fdsys/pkg/BILLS-111hr1enr/pdf/BILLS-111hr1enr.pdf
Athenahealth. (2009, March). A Summary of the HITECH Act Whitepaper. Retrieved from http://www.athenahealth.com/_doc/pdf/HITECH_Fact_Sheet_Whitepaper.pdf
Bell, K. (2008, April 28). Defining Key Health Information Technology Terms. Retrieved from http://www.nacua.org/documents/HealthInfoTechTerms.pdf
Bensur, G., & Brokamp, J. (2014, April 29). Riley v. California. Retrieved from http://www.law.cornell.edu/supct/cert/13-132
Boehm, E. (2013, December 5). Feds not required to report security breaches of Obamacare exchange website. Retrieved from http://watchdog.org/118873/obamacare-exchange-security/print/
Bowen, P., Hash, J., & Wilson, M. (2006, October). Information Security Handbook: A Guide for Managers (NIST SP 800-100). National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf
Collins, T. a. (n.d.). Canadian Privacy Legislation and the Cross-Border Transfer of Personal Information. Aird & Berlis LLP. Retrieved from http://www.airdberlis.com/Templates/Articles/articleFiles/454/Article%20-%20Cross%20Border%20Transfer%20of%20Personal%20Health%20Information.pdf
Commins, J. (2010, October 8). DOD's EHR Failure Due to Poor Planning, Says GAO. HealthLeaders Media. Retrieved from http://www.healthleadersmedia.com/page-1/LED-257477/DODs-EHR-Failure_Due-to-Poor-Planning-Says-GAO
Crosby, J. (2013, September 13). Errant e-mail creates security breach at MNsure. StarTribune Business. Retrieved from http://www.startribune.com/business/223564521.html
Department of Health and Human Services, Office of the National Coordinator for Health Information Technology. (2012, July 25). Guide to Privacy and Security of Health Information. Retrieved from http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide-chapter-2.pdf
Department of Health and Human Services, Office of the National Coordinator for Health Information Technology. (2007, September 11). Basics of Risk Analysis and Risk Management. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf
Department of Health and Human Services, Office of the National Coordinator for Health Information Technology. (2012, July 26). 10 Step Plan for Meeting Privacy and Security Portions of Meaningful Use. HealthIT.gov. Retrieved from http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide-chapter-3.pdf
Department of Justice. (2006, January 4). Highlights of the USA PATRIOT Act. Preserving Life & Liberty. Retrieved from http://www.justice.gov/archive/ll/what_is_the_patriot_act.pdf
Donahue, K., & Rahman, S. (2012, September 29). Healthcare IT: Is Your Information at Risk? Retrieved from http://airccse.org/journal/nsa/0912nsa08.pdf
Eastwood, B. (2013, July 1). Why Healthcare Providers Aren't Happy with EHR Systems. CIO. Retrieved from http://www.cio.com/article/735754/Why_Healthcare_Providers_Aren_t_Happy_With_EHR_Systems
Fleeter, T. M., & Sohn, H. (2012, August). Potential Liability Risks of Electronic Health Records. AAOS Now, American Academy of Orthopaedic Surgeons. Retrieved from http://www.aaos.org/news/aaosnow/aug12/managing9.asp
Fox News. (2014, January 16). World's greatest hacker calls HealthCare.gov security 'shameful'. Retrieved from http://www.foxnews.com/tech/2014/01/16/world-greatest-hacker-calls-healthcaregov-security-shameful/
Fund, J. (2013, December 23). Hiding the Hacking at HealthCare.gov. National Review Online. Retrieved from http://www.nationalreview.com/article/366964/hiding-hacking-healthcaregov-john-fund
Garrett, P., & Seidman, J. (2011, January 4). EMR vs EHR - What is the Difference? Retrieved from http://www.healthit.gov/buzz-blog/electronic-health-and-medical-records/emr-vs-ehr-difference
Garets, D., & Davis, M. (2006, January 26). Medical Records vs. Electronic Health Records: Yes, There is a Difference. Retrieved from https://www.himssanalytics.org/docs/WP_EMR_EHR.pdf
Godart. (2014, February 4). 2013 Breach Report: Protected Health Information (PHI). Redspin Meaningful Healthcare IT Security. Retrieved from http://www.redspin.com/docs/Redspin-2013-Breach-Report-Protected-Health-Information-PHI.pdf
Gunfor, F. (2012, May 10). The History of Electronic Health Records Software. Retrieved from http://www.onesourcedoc.com/blog/bid/82838/The-History-of-Electronic-Health-Records-Software
Harris, K., & Bluey, R. (2013, November 2). Exclusive: HealthCare.gov Users Warn of Security Risk, Breach of Privacy. The Daily Signal. Retrieved from http://dailysignal.com/2013/11/02/exclusive-healthcare-gov-users-warn-of-security-risk-breach-of-privacy/
HealthIT.gov. (2011). EHR Incentives & Certifications. Retrieved from http://www.healthit.gov/providers-professionals/how-attain-meaningful-use
HealthIT.gov. (2014). Benefits of Electronic Health Records (EHR). Retrieved from http://www.healthit.gov/providers-professionals/benefits-electronic-health-records-ehrs
HIPAA Administrative Simplification Statute and Rules. (n.d.). U.S. Department of Health & Human Services. Retrieved January 23, 2013, from http://www.hhs.gov/ocr/privacy/hipaa/administrative/
HRSA.gov. (2014). What are the privacy and security risks of electronic v. paper health records? Retrieved from http://www.hrsa.gov/healthit/toolbox/HealthITAdoptiontoolbox/PrivacyandSecurity/securityrisks.html
Horowitz, J. (2009, November 16). What changes in HIPAA compliance requirements were made by the HITECH Act? HRSA, U.S. Department of Health and Human Services, Health Information Technology and Quality Improvement. Retrieved from http://www.himssanalytics.org/docs/ID_Experts_111509.pdf
Kleyman, B. (2013, July 23). Healthcare data breaches: Reviewing the ramifications. Retrieved from http://healthsecurity.com/2013/07/23/healthcare-data-breaches-reviewing-the-ramifications
Levinson, D. (2013, December). Not all recommended fraud safeguards have been implemented in hospital EHR technology. Department of Health and Human Services, Office of Inspector General. Retrieved from http://oig.hhs.gov/oei/reports/oei-01-11-00570.pdf
Litt, R. (2013, July 18). Privacy, Technology & National Security. Retrieved from http://icontherecord.tumblr.com/post/57724442606/privacy-technology-national-security-an
McCann, E. (2014, February 6). HIPAA data breaches climb 138 percent. Healthcare IT News. Retrieved from http://www.healthcareitnews.com/news/hipaa-data-breaches-climb-138-percent
McCann, E. (2013, December 19). HIPAA breaches in top 5 security worries. Healthcare IT News. Retrieved from http://www.healthcareitnews.com/news/hipaa-breaches-among-top-5-security-concerns-new-year
Nichols, R. (2005, January 6). Statistical Analysis in Information Assurance. National Defense University. Retrieved from www.cisr.us/events/downloads/guests/ryan_d_05.ppt
NIST. (2010, February). Guide for Applying the Risk Management Framework to Federal Information Systems (SP 800-37 Rev. 1). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf
Ollove, M. (2014, February 7). The Rise of Medical Identity Theft. The Pew Charitable Trusts, Stateline. Retrieved from http://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2014/02/07/the-rise-of-medical-identity-theft
Ponemon Institute, LLC. (2014, March 11). Fourth Annual Benchmark Study on Patient Privacy and Data Security. Retrieved from http://lpa.idexpertscorp.com/acton/attachment/6200/6200:f-012c/0/s-0083-1403/-/l-19c9/l-19c9:808/
Rodriguez, L. (2011, December 12). Privacy, Security, and Electronic Health Records. Retrieved from http://www.healthit.gov/buzz-blog/privacy-and-security-of-ehrs/privacy-security-electronic-health-records/
Roller, E. (2013, June 7). This is What Section 215 of the Patriot Act Does. Slate. Retrieved from http://www.slate.com/blogs/weigel/2013/06/07/nsa_prism_scandal_what_patriot_act_section_215_does.html
Stoneburner, G., Goguen, A., & Feringa, A. (2002). NIST SP 800-30: Risk Management Guide for Information Technology Systems. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
Teitlebaum, C. a. (2008, September 5). Canadian Privacy Legislation and the Cross-Border Transfer of Personal Information. Aird and Berlis LLP. Retrieved from http://www.airdberlis.com/Templates/Articles/articleFiles/454/Article%20-%20Cross%20Border%20Transfer%20of%20Personal%20Health%20Information.pdf
U.S. Department of Health & Human Services. (2003, May). Health Information Privacy: Summary of the HIPAA Security Rule. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
U.S. Department of Health & Human Services. (2009, November). Health Information Privacy: HITECH Act Enforcement Interim Final Rule. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html
U.S. Department of Health and Human Services. (2009, October 30). HITECH Act Enforcement Interim Final Rule. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enfifr.pdf
U.S. Department of Health and Human Services. (2003, April 3). Business Associates. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html
U.S. Department of Justice, Office of Justice Programs. (2001, May 27). Justice Information Sharing: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001. Retrieved from http://www.gpo.gov/fdsys/pkg/BILLS-112s990enr/pdf/BILLS-112s990enr.pdf
US Congress. (1996, September 20). Health Insurance Portability and Accountability Act of 1996. US Government Printing Office. Retrieved from http://www.gpo.gov/fdsys/pkg/CRPT-104hrpt736/pdf/CRPT-104hrpt736.pdf
Vaidya. (2013, March 6). Survey: EHR User Satisfaction Has Fallen by 12% from 2010. Becker's Hospital CIO. Retrieved from http://www.beckershospitalreview.com/healthcare-information-technology/survey-ehr-user-satisfaction-has-fallen-by-12-from-2010.html
Vaidya. (2013, February 28). 9 Areas of Improvement for EHR Systems. Becker's Hospital CIO. Retrieved from http://www.beckershospitalreview.com/healthcare-information-technology/9-areas-of-improvement-for-ehr-systems.html
Withrow, S. (2010, August). How to Avoid a HIPAA Horror Story: The HITECH Act Has Expanded the Financial Risk for Hospitals that Do Not Meet the Privacy and Security Requirements under HIPAA, p. 64.
Appendix A – Impact Results of EHR Data Breaches in Healthcare Organizations
Confidentiality
• Disclosure of protected health information (PHI)
• Access to credit card data used for committing financial fraud
• Access to Social Security numbers used for identity theft
• Disclosure of sensitive or proprietary research information
Integrity
• Data entry errors
• Data alteration (intentional or unintentional)
• Data synchronization errors
Availability
• Business interruption
• Denial of service
• Loss of productive time and operational delays
• Replacement of lost information
Opportunity (financial)
• Loss of business
• Loss of competitive advantage or research grant
• Equipment repair or replacement
• Increase in insurance premiums
Reputation
• Loss of patient confidence
• Decreased employee morale
• Loss of faculty confidence
Litigation
• Criminal or civil case
• Regulatory fines or criminal punishment for noncompliance
Countermeasures are described in NIST SP 800-30 (2012), which defines a risk assessment report as a management report that helps senior management understand the risk and allocate resources to reduce and correct potential losses.
Appendix B – Example of Risk Assessment Report
EXECUTIVE SUMMARY
I. Introduction
. • Purpose
. • Scope of this risk assessment
Describe the system components, elements, users, field site locations (if any), and any other
details about the system to be considered in the assessment.
II. Risk Assessment Approach Briefly describe the approach used to conduct the risk assessment,
such as—
. • The participants (e.g., risk assessment team members)
. • The technique used to gather information (e.g., the use of tools, questionnaires)
. • The development and description of risk scale (e.g., a 3 x 3, 4 x 4 , or 5 x 5 risk-level
matrix).
III. System Characterization
Characterize the system, including hardware (server, router, switch), software (e.g., application,
operating system, protocol), system interfaces (e.g., communication link), data, and users.
Provide connectivity diagram or system input and output flowchart to delineate the scope of this
risk assessment effort.
IV. Threat Statement
55
Compile and list the potential threat-sources and associated threat actions applicable to the
system assessed.
V. Risk Assessment Results
List the observations (vulnerability/threat pairs). Each observation must include—
• Observation number and brief description of observation (e.g., Observation 1: User
system passwords can be guessed or cracked)
• A discussion of the threat-source and vulnerability pair
• Identification of existing mitigating security controls
• Likelihood discussion and evaluation (e.g., High, Medium, or Low likelihood)
• Impact analysis discussion and evaluation (e.g., High, Medium, or Low impact)
• Risk rating based on the risk-level matrix (e.g., High, Medium, or Low risk level)
• Recommended controls or alternative options for reducing the risk.
VI. Summary
Total the number of observations. Summarize the observations, the associated risk levels, the
recommendations, and any comments in a table format to facilitate the implementation of
recommended controls during the risk mitigation process.
The Department of Health and Human Services (2007) notes that risk is not a single factor or
event, but rather a combination of factors or events that, if they occur, may have an impact on
the organization (p. 5, para. 2).
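The risk rating and summary table that sections V and VI of the template call for can be produced mechanically once each observation carries a likelihood and an impact rating. The following Python is an added example written for this appendix; it is not code from the thesis or from NIST. The 3 x 3 matrix is the one the template mentions, but the integer weights and the High/Medium/Low thresholds are assumptions made for this example, and the three observations are constructed sample findings (the first is the one quoted in the template).

```python
"""Risk-level matrix and Section VI summary table for a risk assessment report.

Added example for the Appendix B template. Weights and thresholds are assumed
for this example; the sample observations are constructed, not real findings.
"""
from dataclasses import dataclass

# Assumed weights for a 3 x 3 risk-level matrix (higher = worse).
LIKELIHOOD_WEIGHT = {"High": 10, "Medium": 5, "Low": 1}
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}
RANK = {"High": 0, "Medium": 1, "Low": 2}   # sort order for the summary


def risk_level(likelihood, impact):
    """Combine a likelihood rating and an impact rating into a risk rating.

    The score is the product of the two weights; the thresholds below are an
    assumption chosen so that High x High is High, High x Medium is Medium,
    and High x Low is Low.
    """
    score = LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]
    if score > 500:
        return "High"
    if score > 100:
        return "Medium"
    return "Low"


@dataclass
class Observation:
    """One vulnerability/threat pair, with the fields Section V requires."""
    number: int
    description: str
    threat_source: str
    vulnerability: str
    existing_controls: str
    likelihood: str
    impact: str
    recommendation: str

    @property
    def risk(self):
        return risk_level(self.likelihood, self.impact)


def summarize(observations):
    """Section VI: total the observations, count them per risk level, and order
    the rows so the highest-risk findings are mitigated first."""
    rows = sorted(observations, key=lambda o: (RANK[o.risk], o.number))
    counts = {level: 0 for level in RANK}
    for obs in rows:
        counts[obs.risk] += 1
    return {
        "total": len(rows),
        "by_level": counts,
        "rows": [(o.number, o.risk, o.description, o.recommendation) for o in rows],
    }


def format_table(summary):
    """Render the summary as the plain-text table the template asks for."""
    lines = [f"{'No.':<4} {'Risk':<7} {'Observation':<45} Recommended control"]
    for number, risk, desc, rec in summary["rows"]:
        lines.append(f"{number:<4} {risk:<7} {desc:<45} {rec}")
    by = summary["by_level"]
    lines.append(f"Total observations: {summary['total']} "
                 f"(High {by['High']}, Medium {by['Medium']}, Low {by['Low']})")
    return "\n".join(lines)


# Constructed sample findings (not from a real assessment).
SAMPLE_OBSERVATIONS = [
    Observation(1, "User system passwords can be guessed or cracked",
                "External attacker", "Weak password policy",
                "Account lockout after 10 attempts", "High", "High",
                "Enforce password complexity and multi-factor authentication"),
    Observation(2, "Audit logs are collected but never reviewed",
                "Insider misuse", "No log review procedure",
                "Logs retained for 1 year", "Medium", "Low",
                "Assign weekly log review and alerting"),
    Observation(3, "Backup media stored unencrypted off site",
                "Theft or loss of media", "No encryption of backups",
                "Locked storage cabinet", "Medium", "High",
                "Encrypt backup media and track chain of custody"),
]

if __name__ == "__main__":
    print(format_table(summarize(SAMPLE_OBSERVATIONS)))
```

Because `summarize` sorts by rank first and observation number second, the table lists the High-risk password finding first, the Medium-risk backup finding second and the Low-risk log-review finding last, which is the order in which the mitigation plan should allocate resources.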
Appendix C – HIPAA’s 18 PHI Identifiers
1. Names: First Name, Last Name
2. Zip Codes: All geographic subdivisions smaller than a State, including street address, city,
county, precinct, zip code, and their equivalent geocodes, except for the initial three
digits of a zip code if, according to the current publicly available data from the Bureau of
the Census: (1) The geographic unit formed by combining all zip codes with the same
three initial digits contains more than 20,000 people; and (2) The initial three digits of a
zip code for all such geographic units containing 20,000 or fewer people is changed to
000.
3. Dates (MM/DD/YYYY): All elements of dates (except year) for dates directly related to an
individual, including birth date, admission date, discharge date, date of death, and all ages
over 89 and all elements of dates (including year) indicative of such age, except that such
ages and elements may be aggregated into a single category of age 90 or older.
4. Phone #: Telephone numbers
5. Fax #: Fax numbers
6. E-Mail: Electronic email addresses
7. SSN: Social Security Number
8. MRN: Medical record numbers
9. Insurance #: Health plan beneficiary numbers. Note: HICN number includes the SSN# and
the alpha character. (HICN=Medicare Health Insurance Control Number)
10. Credit Card #: Account numbers, e.g., financial account numbers, credit card numbers,
debit card numbers, etc.
11. License # or DL#: Certificate / License number (Example: Passport #)
12. Vehicle Identifiers: Vehicle identification and serial numbers, including license plate
numbers
13. Device #: Device identifiers and serial numbers
14. URL: Web Universal Resource Locators (URLs)
15. IP #: Internet Protocol (IP) address numbers
16. Biometrics: Biometric identifiers, including finger and voiceprints
17. Photos: Full face photographic images and any comparable images
18. Other Codes: Any other unique identifying number, characteristics, or code
(Office of Statewide Health Planning and Development (OSHPD) and Committee for the
Protection of Human Subjects (CPHS), 2013, “Information about HIPAA definitions and 18
Identifiers,” p. 1)
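Items 2 and 3 of the list are the only identifiers that are transformed rather than simply removed, and they are where de-identification code most often goes wrong. The following Python is an added example, not code from the thesis or from OSHPD/CPHS, showing how a record would be de-identified against the 18 items: direct identifiers are dropped, zip codes are truncated to their initial three digits (or replaced by 000 for restricted units), dates lose month and day, and ages over 89 collapse into a single category. The field names, the three restricted zip prefixes and the two sample records are constructed for this example; the real restricted-prefix set must be derived from current Census data as item 2 describes.

```python
"""De-identification of a patient record against the 18 HIPAA identifiers.

Added example for Appendix C. Field names, the restricted zip prefixes and the
sample records are constructed for this example; dates are ISO strings.
"""
from datetime import date

# Constructed sample (assumption): the real set is every three-digit prefix
# whose combined population is 20,000 or fewer per current Census data.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Fields that survive untouched. Anything not listed here and not handled
# explicitly below is dropped, which also covers item 18 ("any other unique
# identifying number, characteristic, or code"). Field names are assumed.
RETAINED_FIELDS = {"state", "sex", "diagnosis"}


def deidentify_zip(zip_code):
    """Item 2: keep only the initial three digits of a zip code, replacing them
    with 000 when the prefix belongs to a restricted geographic unit.
    Malformed input yields 000 so that nothing is leaked by accident."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) < 5:
        return "000"
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(dob_iso, as_of_iso):
    """Whole years between a birth date and a reference date."""
    dob, as_of = date.fromisoformat(dob_iso), date.fromisoformat(as_of_iso)
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def deidentify_age(age):
    """Item 3: ages over 89 are aggregated into a single '90 or older' category."""
    return str(age) if age <= 89 else "90 or older"


def deidentify_date(iso, as_of_iso=None):
    """Item 3: drop month and day. For a birth date (as_of_iso given) that
    indicates an age over 89 the year is also removed, since the year alone
    would reveal the age."""
    if as_of_iso is not None and age_on(iso, as_of_iso) > 89:
        return None
    return str(date.fromisoformat(iso).year)


def deidentify_record(record, as_of_iso):
    """Apply the Safe Harbor rules to one record (a dict) and return a new dict.
    Deny-by-default: only retained or transformed fields reach the output."""
    out = {}
    for key, value in record.items():
        if key in RETAINED_FIELDS:
            out[key] = value
        elif key == "zip":
            out["zip3"] = deidentify_zip(value)
        elif key == "birth_date":
            out["birth_year"] = deidentify_date(value, as_of_iso)
            out["age"] = deidentify_age(age_on(value, as_of_iso))
        elif key.endswith("_date"):            # admission, discharge, death ...
            out[key[:-5] + "_year"] = deidentify_date(value)
        # names, SSN, MRN, e-mail, phone, device ids, etc. are dropped here
    return out


# Constructed sample record, not real patient information.
SAMPLE_RECORD = {
    "first_name": "Jane", "last_name": "Doe", "ssn": "000-00-0000",
    "mrn": "MRN-0001", "email": "jane@example.com", "ip_address": "192.0.2.1",
    "zip": "03601-1234", "state": "NH",
    "birth_date": "1920-05-03", "admission_date": "2014-02-10",
    "diagnosis": "hypertension",
}

if __name__ == "__main__":
    print(deidentify_record(SAMPLE_RECORD, "2014-08-01"))
```

Note the two interacting rules for item 3: a birth year is normally retained, but for a patient aged over 89 it is removed as well, because a bare year would still disclose an age in the suppressed range. The deny-by-default loop is deliberate: a field the code does not recognise is dropped rather than passed through, so adding a new column to the source system cannot silently leak an identifier.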