Focusing on Security without Compromising Success

30 January 2012 | Dr. Dennis Schmuland, Chief health strategy officer, U.S. Health and Life Sciences, Microsoft
With the rising use of protected health information and increasingly stringent regulatory demands, the topic of security and compliance has become a critical issue for the healthcare industry. Health plans are faced with the challenge of maintaining high standards to protect health data and information while simultaneously continuing to drive superior health outcomes for patients and maintain a competitive edge in the market. Expectations around how data is protected are becoming increasingly more demanding and enforcement efforts are going to be more active than in the past. But with so much time and energy put toward security and compliance, what happens to providing good service to patients?
With so many questions out there, we’re joining with our partner, Washington Publishing Company (WPC), to co-host a two-part webcast to discuss “What's Missing from Your Security and Compliance Efforts?”. Our first webcast on this topic will focus on how health plans can address security and compliance concerns and requirements without compromising business success. We recently sat down with security and compliance expert, Eric Mueller, President of WPC Services to get his thoughts on why all this matters:
Why should security and compliance be a critical priority for health plans in 2012?
Mueller: Recent healthcare developments are changing how health plans use protected health information (PHI). New data processing requirements such as 5010 and ICD-10 impact the way systems, processes, and people access and manage PHI. Recent initiatives like Meaningful Use and Accountable Care Organizations require greater use of health information exchanges (HIE) and electronic health records (EHR). In addition, HITECH includes more stringent security protocols along with increased enforcement of HIPAA Privacy and Security Rules and Breach Notification standards. As healthcare entities are required to process an ever increasing amount of electronic PHI, expectations around how that data is protected will become progressively more demanding.
Why is ICD-10 being compared to Y2K concerns?
Mueller: The scope of the change from ICD-9 to ICD-10 is the biggest thing that healthcare has seen. The change to ICD-10 is characterized as the health industry’s equivalent of Y2K to the 10th power. The complete ICD-10 code set is nearly ten times larger than the ICD-9 code set it is replacing. Further complicating the federally mandated deadline is the fact that before ICD-10 can be put into production, the switch from HIPAA 4010A1 to HIPAA 5010 must be in place. The Y2K problem centered on the practice of storing a year as two numerical characters instead of four. The comparison to the ICD-10 challenge is appropriate; the ICD-10 codes are larger than the ICD-9 values, but the comparison stops there. The difference in length between ICD-9 and ICD-10 is trivial compared to the sheer volume of new values. Other countries have already switched to ICD-10, but the version the U.S. has chosen to implement is more complex and granular. The increased number of codes, the change in code length, combined with considerably more code specificity means the replacement of ICD-9 requires significant planning, system modifications or upgrades, along with training and other investments. Potentially all departments and their support systems in all U.S. health organizations, providers and plans alike, are affected.
What are some key points health plans should consider as they begin to prepare for the future?
Mueller: Health plans should invest in confirming PII and PHI is sufficiently protected. In our experience with PII and PHI, we find on average over one hundred locations housing data that was previously unknown to the customer. These areas include real data in development systems (both locally and offshore) and numerous unapproved copies of data throughout the organization. Health plans should scan and discover how PHI and PII is stored, accessed and shared across the enterprise. Once the protected information is located, processes should be reviewed. Identify who accesses PHI and PII as well as when, where, why, and how it is accessed both within the organization and by partners and vendors. Evaluate how technology, such as systems/networks, mobile devices/tablets, and social media, should be secured to promote HIPAA/HITECH compliance. Finally, provide training programs, policy/process review and input, and social engineering recommendations to increase employee awareness of responsibility for protecting PHI and PII security.
Are there any major pitfalls health plans should be made aware as they work to address security and compliance?
Mueller: The two most important security concerns for healthcare entities are (1) compliance with HIPAA/HITECH privacy and security regulations and (2) an increase in cyber-attacks in healthcare along with corresponding preparations for reacting to data breaches. HITECH has modified HHS’s authority to impose penalties for violations, significantly increasing the penalty amounts for violations of the HIPAA rules. The HHS Office of Civil Rights (OCR) and state attorneys general will be much more active than enforcement efforts in the past in auditing and fining entities for HITECH violations. A pilot audit program has already begun and will target 150 covered entities in the next year. Throughout 2012, HHS OCR will be staffing up resources as well as training state attorneys general for a significant escalation in audits at the completion of the pilot program. HITECH essentially requires business associates to act as covered entities. Because a covered entity with which a business associate has contracted has ultimate responsibility for the privacy and security of the PHI of its patients or clients, existing BAAs may require review and adjustments to protect the covered entity sufficiently.
While cyber-attacks have traditionally focused on the finance industry, recent indications are that hackers and cyber-crime will increase more than 30% in 2012 for the healthcare industry. These indications are fueled by recent surveys among healthcare providers showing that 90% have experienced a data breach. Most healthcare providers have neither the experience nor the controls to thwart these attacks. Healthcare entities should have a comprehensive plan to shield their organizations from legal or civil action from the inevitable breach of PHI. Upon recognizing a breach, you must respond by confirming a breach occurred and PHI was compromised, containing the source of the breach, correcting the cause of the breach and reporting the breach.
 Planning should include data forensics that determine how the breach occurred, who was involved, what data was compromised, and whether controls were effective. HITECH imposes the strictest notification rules to date. You must be prepared to craft a notification letter to the affected individuals to meet the HITECH Act and state law requirements—as well as notify state attorneys general and HHS. Communication with the media and press releases may also be necessary.
Dr. Dennis Schmuland
Chief health strategy officer, U.S. Health and Life Sciences, Microsoft