The top issue on a healthcare lawyer’s list of concerns is not what you might think. It’s not medical malpractice, disgruntled employees, or healthcare regulations. According to Consero Group’s 2017 Healthcare General Counsel Report, the issue keeping lawyers at mid- to large-sized healthcare organizations up at night is – data security.
Robert Azar, general counsel of Norton Healthcare, a Midwestern U.S. healthcare system with 210 hospitals, clinics, and other locations, told The National Law Journal that smartphones – and all the data they produce and store – are a key risk issue for lawyers. It is practically impossible to control patients and families taking cellphone pictures and texting or posting them on social media. Regardless of the number of policies a hospital implements, it is a challenge to prevent doctors (including independent doctors with hospital privileges) and other staff members from using personal mobile devices to text or communicate patient information.
“The ability to control those [personal devices] is fairly limited,” Azar said. “It’s created a situation where most people feel it’s inevitable that something bad is going to happen.”
He has a good point. The Identity Theft Resource Center says that in 2016 the healthcare industry was responsible for 34.5% of breach incidents and 43.6% of all exposed records (more than any other industry studied).
There is a good chance that the “something bad” Azar refers to will include a serious financial penalty and a damaged reputation. U.S. healthcare organizations racked up nearly $15 million in fines for HIPAA violations in the first seven months of 2016, with more than a third of it coming from a single settlement.
Looking at these facts, it is no wonder that healthcare lawyers are so worried about data breaches.
Is Your Organization in Compliance?
Adding another layer of complication is how difficult it is to know whether your organization is in compliance with the law. HIPAA is unnecessarily vague and subject to interpretation, so you often need to hire external counsel to review even the things that you can control, like your network, electronic health record, or apps. And, as mentioned above, you can’t control what everyone in the hospital is doing with their smartphones, so they may be accidentally divulging personal health information (PHI) that puts you at risk anyway.
And I haven’t even addressed all of the poorly secured Internet of Medical Things equipment flooding into hospitals and medical offices. As my colleague Nader Henein recently said, when it comes to developing medical devices, “the focus is still almost entirely on the function of the device rather than its capacity to be secured.” We’ve already seen vulnerabilities in hospital infusion pumps and cardiac implantables; it’s only a matter of time before an unsecured medical device exposes PHI and spurs lawsuits and fines – or worse!
‘Compliance by Fines’: Unfair and Ineffective
Today, most data security oversight is akin to “compliance by fines” – healthcare systems don’t know that they are out of compliance until they get a penalty for a breach. When it’s cheaper to pay a fine than it is to fix whatever is non-compliant, data (in)security becomes a business expense and a risk some healthcare systems are willing to take. Whatever the reason, ignoring vulnerabilities until they’re discovered is hardly the best way to protect our very personal, very valuable health data.
Like most complex problems, it’s going to take a combined effort to strengthen healthcare data security. Here are some recommendations:
- Healthcare systems must secure their networks so they aren’t vulnerable to hackers. They must also write cybersecurity requirements into their procurement policies to force device, IT hardware, and software makers to build security into everything they sell. Finally, they need to ensure that any applications they install are user-friendly; otherwise staff will turn to less-secure shadow IT workarounds (like personal messaging, cloud storage, and other apps).
- Healthcare workers must understand how mobile device policies protect PHI and how using the healthcare organization’s approved apps (that have been security tested) supports data security.
- Device makers must strengthen device security, including regularly patching operating systems and apps against vulnerabilities.
- Government regulators must provide clear cybersecurity guidelines to make it easier to determine whether an organization, healthcare system, device, or app is in compliance with the law and, if not, how to achieve compliance.
If these responsible parties work together and each does its part, we will all be better able to guard the security of our PHI. After all, isn’t it time we let lawyers move on to another thing to lose sleep over?