Data Integrity Matters™ Newsletter
November 2016
Executive Letter
As we begin to wrap up 2016 and prepare for a new calendar year, it is clear that cybersecurity has become an issue of great concern in both the public and private sector. News of high-stakes data breaches, ransomware, and device hacking at hospitals and health systems across the nation has the healthcare community on edge. A breach of any kind can potentially cause irreparable damage to a patient's identity and an organization's reputation. The health data stored in hospitals and health organizations has a longer shelf-life than that of credit card thefts because it contains pertinent health insurance and prescription information, making it susceptible to fraud and abuse.
At Just Associates, we are committed to the security of such data and the safeguarding of patient information that is so vital to the work of healthcare organizations each day. Motivated by such stories, our experts examined common problems, the underlying causes, potential solutions and best practices, as highlighted in our own Susan Lucci's article on cybersecurity as it relates to healthcare, which won an American Society of Healthcare Publication Editors (ASHPE) Silver Award. We are excited to share our analysis and expertise on this issue, as well as emerging concerns associated with HIPAA compliance as technology proliferates across the health sphere.
Also appearing in this issue is our contribution to a highly regarded research article addressing data discrepancies in key identifying fields of a Master Patient Index (MPI), written in partnership with the College of St. Scholastica and published in Perspectives in Health Information Management. The study, which examined the underlying causes of duplicate records using a multisite data set, helps determine solutions that close the gaps in technology, policies, and processes to improve patient matching, which is what Just Associates works towards each and every day.
We look forward to hearing from you on this issue of Data Integrity Matters™.
Sincerely,
Beth Just, MBA, RHIA, FHIMA
President, CEO and Consultant
Just Associates
Issue Highlights
Understanding Cybersecurity: A Primer for HIM Professionals
As protectors of patient health records, health information management (HIM) professionals are developing a deeper understanding of the broad topic of cybersecurity and are becoming actively involved in organizational cybersecurity efforts. Information technology (IT) departments typically are charged with the responsibility of information and information system security. Today, HIM professionals are more actively engaged in working with IT and security operations because of their understanding of workflows and user behavioral patterns involving protected health information, including user availability and access.
The purpose of this Practice Brief is to provide insight into the surge in cybercriminal activity and to serve as a reference for how to increase awareness as well as strategies that may be employed to assist in reducing the risk of cyber-attacks in healthcare.
According to Techopedia.com, "Cybersecurity refers to preventative methods used to protect information from being stolen, compromised or attacked. It requires an understanding of potential information threats, such as viruses and other malicious codes. Cybersecurity strategies include identity management, risk management and incident management."
The Department of Health and Human Services (HHS) has required the reporting of privacy and security breach activity on their website since 2009. Between 2009 and 2014, theft, loss, unauthorized access, and inappropriate disposal were the most common reasons for data breaches that affected over 500 individuals.
Cybercriminal activities have escalated in recent years, making data breaches a daily news item. In 2015 hacking, the most pervasive and effective method that cybercriminals chose to access protected health information (PHI), swiftly soared to the top of the list of the breach category affecting the largest number of patients. The number of patients affected by hacking incidents reported between January 1, 2010 and December 31, 2015 was well over 115 million. According to HHS, in 2015 alone, over 111 million patient records had been accessed as a result of these types of cybercriminal activities.
Types of Attacks
According to the Verizon Data Breach Investigation Report (DBIR) for both 2014 and 2015, nine basic patterns or types of attacks account for over 90 percent of the 100,000 incidents that researchers analyzed. These are:
- Payment card skimmers
- Crimeware
- Miscellaneous errors
- Insider and privilege misuse
- Physical theft and loss
- Web application attacks
- Denial of service
- Cyber-espionage
- Point-of-sale intrusion
Why the sudden rise in hacking, in healthcare in particular? For one thing, the black market value of an electronic health record has risen sharply over other information such as credit cards. The financial industry has implemented security safeguards and controls to detect and prevent fraud. In comparison, the healthcare industry struggles with the resources needed to monitor audit logs and does not have the technical tools to detect and prevent identity theft. Unfortunately, many (if not most) healthcare organizations may not be properly prepared to address the rise in hacking and new cyber-threats. As an industry, healthcare allocates fewer resources to IT security relative to its peers in other industries.
Threat Agents Have Evolved Over Time
Initially hacking was something that was done as an individual activity. Today, hacking is organized. There are organized groups of criminals that understand how cybercrimes have the potential to acquire money with fewer risks as compared to traditional crimes.
Besides external attacks, organizations also have to deal with insiders whose actions, whether intentional or unintentional, may lead to data breaches.
Without realizing it, employees may click on embedded links that release malware—including ransomware, which limits users from accessing their system until a ransom is paid to the responsible hacker—or allow external attackers access to internal applications, systems, and data. According to CNBC, some sophisticated malware now can attach itself even without a person clicking on a malicious link. What's worse is that because malware changes so often, sometimes thousands of times every day, even the best detection tools cannot find and eradicate the newest versions.
Business Challenges Unique to Healthcare
As the profile of "hackers" has changed over time, so too has their target. Financial information was once a prime target of hacking. But with the sophistication of antifraud tools, the black market value of credit card data has dropped while the value of the electronic health records and user credentials have gone up.
The rich demographics surrounding someone's protected health information (PHI)—such as a Social Security number, address, and date of birth—are not time-sensitive. In contrast to credit card data that has many fraud controls in place, stolen PHI has a shelf life that is much longer than credit card data and therefore has a higher black market value.
While other industries are working to lock down their data, healthcare has the added challenge of being forced to share more patient data externally. Sometimes this data sharing is required by law or regulations. For example, PHI may be shared externally to:
- Patients (patient portals, compact discs)
- Care managers (healthcare insurance companies, home health)
- Other providers (e-mail, text messages)
- Clearinghouses and insurance companies for payment of claims/patient bills
- Business associates to provide support services
- Government entities (state/federal agencies)
- Hospitals using more Internet-based business applications (cloud services) and systems
- Health information exchanges (HIEs)
Importance of a Cybersecurity Plan
The best way to defend against an attack is to develop a cybersecurity plan. The cybersecurity plan should fall under the oversight of the chief information security officer (CISO). The plan needs to address, in the following order:
- People
- Processes
- Technology
For example, organizations may take proactive steps to block phishing e-mails before they get through the e-mail gateway. But no technology defense is perfect. With estimates as high as 100 million phishing e-mails being sent every day, all it takes is one to get through the e-mail gateway to cause a great deal of harm to an organization.
Once created, a cybersecurity plan should be reviewed at least quarterly to ensure the organization is doing everything possible to prevent or detect an attack. Some suggested items to include in a cybersecurity plan include conducting a risk analysis of all applications and systems, patch and update vulnerable systems, and deployment of advanced security endpoint solutions.
Detecting and Preventing Intrusion
When IT staff is asked by executives "Have we ever been hacked?" the response often provided by the IT staff is "No." Unfortunately, they may not even be aware of the fact that their systems may have already been compromised. In 60 percent of cases, attackers are able to compromise an organization in minutes.
Likewise, IT staff and HIM professionals should learn that when it comes to cybersecurity, the phrase "Not that I am aware of" should be tacked on to the end of their response. For example, when asked, "Have we ever been hacked?" the appropriate answer should probably be "Not that I am aware of." Why? One survey found that, on average, a hacker can be inside of an organization for 229 days before being detected.
Therefore, if an organization has a good security program in place, it may actually have more reported incidents and breaches than organizations with a less than stellar security program. Better security controls such as intrusion detection and prevention systems and mature log monitoring can more readily detect attacks than organizations that lack those controls.
Intrusion detection systems (IDS) are designed to detect and identify a potential intruder by monitoring network and/or system activities to spot malicious activities by signature-based or anomaly detection methods as well as other protocol-based procedures. IDS can produce reports and identify trends that could be indicative of cyber-type issues taking place.
Intrusion detection and prevention systems (IPS or IDPS) allow prevention capabilities to be set by the administrator. This feature lets the organization choose the tuning and customization settings it prefers, so that thresholds and alerts match the organization's level of tolerance. Once these settings are established, they should be reviewed and adjusted to allow for appropriate detection and, ideally, blocking.
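To make the signature-based and anomaly-based detection described above concrete for the PHI audit logs that healthcare organizations struggle to monitor, here is an added example (not code from the Journal of AHIMA article or from Just Associates). The log format, user names, actions and the two administrator-tunable thresholds are constructed assumptions.

```python
"""Minimal IDS-style detector for PHI access audit logs (added illustration).

Two rule types, mirroring the article: a signature rule (certain actions are
always flagged) and an anomaly rule (a user touching more distinct patients,
or failing login more often, than an administrator-set threshold).
"""
import re
from collections import defaultdict

# Constructed log format: "<time> user=<id> action=<verb> patient=<mrn or ->"
LINE_RE = re.compile(
    r"^(?P<time>\S+) user=(?P<user>\S+) action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)

# Signature rule: bulk actions on PHI that should always be reviewed (assumed names)
SIGNATURE_ACTIONS = {"export", "print_all"}

# Constructed sample audit lines; the last line is deliberately malformed
SAMPLE_LOG = """\
08:00:01 user=nurse01 action=view patient=1001
08:00:09 user=nurse01 action=view patient=1002
08:00:20 user=nurse01 action=view patient=1001
08:01:00 user=clerk07 action=view patient=2001
08:01:01 user=clerk07 action=view patient=2002
08:01:02 user=clerk07 action=view patient=2003
08:01:03 user=clerk07 action=view patient=2004
08:01:04 user=clerk07 action=view patient=2005
08:01:05 user=clerk07 action=view patient=2006
08:01:06 user=clerk07 action=view patient=2007
08:02:00 user=clerk07 action=export patient=2007
08:03:00 user=admin action=login_fail patient=-
08:03:05 user=admin action=login_fail patient=-
08:03:10 user=admin action=login_fail patient=-
garbage line that does not parse
"""


def parse_line(line):
    """Parse one audit line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(log_text, max_patients_per_user=5, max_login_failures=3):
    """Return a sorted list of (rule, user, detail) alerts.

    The two keyword arguments are the tunable thresholds the article says an
    administrator should set and periodically review.
    """
    patients = defaultdict(set)   # user -> distinct patient records touched
    failures = defaultdict(int)   # user -> failed login count
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # malformed line: skip rather than crash the detector
        if ev["action"] in SIGNATURE_ACTIONS:
            alerts.append(("signature", ev["user"],
                           f"{ev['action']} on patient {ev['patient']}"))
        if ev["action"] == "login_fail":
            failures[ev["user"]] += 1
        elif ev["patient"] != "-":
            patients[ev["user"]].add(ev["patient"])
    for user, seen in patients.items():
        if len(seen) > max_patients_per_user:
            alerts.append(("anomaly", user,
                           f"{len(seen)} distinct patients (threshold {max_patients_per_user})"))
    for user, n in failures.items():
        if n >= max_login_failures:
            alerts.append(("anomaly", user,
                           f"{n} failed logins (threshold {max_login_failures})"))
    return sorted(alerts)


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG):
        print(f"{rule:9} {user:8} {detail}")
```

Raising `max_patients_per_user` to 10 silences the clerk07 volume alert while keeping the signature alert, which is the kind of tuning trade-off the paragraph describes.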
Every organization must identify their level of need for intrusion detection and prevention. Given the rise of cybercriminal activity aimed directly at healthcare, this is a subject that should be addressed for its relevancy with a sense of urgency to ensure that the entire health system's PHI, in every system, is adequately protected to the best extent possible.
The full version of this article appears in the April 2016 issue of Journal of AHIMA.
HIPAA and BYOD: Bridging the Gap
There is no denying that technology has had a measurable impact on the healthcare industry, but not all of the changes have been positive. Recent data breaches have reignited focus on HIPAA compliance, especially among those healthcare organizations that allow their employees to "Bring Your Own Device" (BYOD). Healthcare professionals who use personal devices, (cell phones, laptops, tablets, etc.) to access sensitive electronic patient health information (e-PHI) risk violating the law's strict privacy and security mandates.
A staff's ability to access patient data from anywhere at any time improves productivity, flexibility and financials, but it also increases scrutiny of controls and regulations on the devices used to store such information. A Wisegate survey of senior IT professionals noted that "32 percent of respondents named data breaches and malware as their top threats and risks to their organization." A 2016 survey from Crowd Research Partners found that "security (39 percent) and employee privacy (12 percent) are the biggest inhibitors of BYOD adoption."
So how are healthcare organizations combating this in order to implement a BYOD program that protects themselves and their patients?
Some have implemented BYOD policies, using the HIPAA Security Rule as a guide. HIPAA regulations allow healthcare organizations to create BYOD policies to direct and control the use of personal devices to store patient information. The most commonly instituted policies include:
- Device audits,
- Multi-level authentication and security logins,
- Self-locking options that trigger when a device is left inactive for a certain period of time,
- Employee training on cyber-security.
Some organizations have also implemented Mobile Device Management platforms, which can remotely delete all stored data if a device is reported missing.
In addition to those policies, it is important that transmissions of e-PHI via cloud storage or file-sharing hosts are conducted through a secure, encrypted network. Since security risks and threats can change quickly, devices should undergo routine maintenance and regular updates of all security software. Any negligence of maintenance tasks and routine updates over an extended period of time increases the risk of cyber-attacks which could breach an organization's network and cause data loss and in turn, HIPAA violations.
Healthcare organizations are also urged to prepare for upcoming HIPAA audits by instituting policies and procedures (P&P) that enable them to attest to compliance with risk analyses and risk management mandates. This will help them to steer clear of any potential penalties associated with non-compliance.
Because the Office for Civil Rights (OCR), which will be conducting the audits later this year, is still in the process of sending out address verifications, organizations that have not yet put appropriate P&P in place still have time to do so. Along with P&Ps, OCR will also be looking for:
- Notices of privacy practices,
- Workforce Training and Education programs,
- Breach notification system(s),
- Individual rights to access PHI and e-PHI,
- Privacy safeguards (paper shredders, locked cabinets, copiers with data storage, etc.).
In an industry where technology is both a benefit and a potential risk, safeguarding e-PHI and ensuring regulatory compliance is of the utmost importance. Implementation of BYOD best practices and HIPAA compliance attestation is critical to the safety of e-PHI and the device owner's personal data and should be in place prior to allowing access to the facility's network.
When guided by implementing policies that protect all parties involved, BYOD can help facilitate information sharing in a permissible manner while aiding interoperability—without fear of a data breach.
News from Around the Industry
Momentum is Building for a National Unique Patient ID System
The need for a national unique patient ID has been a talking point for years, but the much needed system seems to finally be gaining some headway as the College of Healthcare Information Management Executives (CHIME) launched the National Patient ID Challenge – a $1 million crowdsourcing competition to incentivize the private sector to develop a fail-safe patient identifying solution that links patients to their medical records.
In a recent HealthcareDrive article, Mark Probst, vice president and CIO of Intermountain Healthcare and CHIME's 2016 board chairman, believes the time is "ripe for a unique patient identification system" and many others in the industry feel the same.
The challenge's winning solution (set to be announced in February 2017) could help build the framework for a national patient identification standard, which top experts in the field say is desperately needed. A National Patient ID solution, coupled with a budget for HHS to further investigate a system for more accurate identification, would create a more secure system for patients and healthcare organizations alike.
AHIMA Unveils Patient Engagement Toolkit
In March, AHIMA posted a new consumer engagement toolkit to help HIM professionals understand how best to engage patients by using a variety of existing and emerging technologies.
The new toolkit brings resources that focus on the opportunities that patient advocates and navigators present in terms of collaborating with clinical staff and the role of informaticists in accessing records while maintaining compliance with federal regulations. AHIMA has also asked that HIM professionals take on a leadership role using the toolkit, including training staff to prepare them for consumer engagement, educating them about available technologies and widespread industry trends such as health information exchanges.
By releasing this toolkit, AHIMA hopes to not only help users understand the technologies including EHRs, mHealth, telehealth services, and social media that are increasingly coming into their work lives but also to know how to better engage patients that are open to using those resources.
Just Associates in the News
Teaming Up to Identify the Patient Matching Challenge
In April, Just Associates' findings from recent research regarding the impact of duplicate record creation on data discrepancies in key patient identity fields were published in Perspectives in Health Information Management, the online research journal from the AHIMA Foundation. "Why Patient Matching Is a Challenge: Research on Master Patient Index (MPI) Data Discrepancies in Key Identifying Fields," co-authored by informatics and data integrity experts from Just Associates and The College of St. Scholastica, found that the middle-name field had the most mismatches at more than 58 percent, followed closely by the Social Security Number field at 53.5 percent.
The study closely examined the underlying causes of duplicate records using a multisite data set of 398,939 patient records with confirmed duplicates and analyzed multiple reasons for data discrepancies between those record matches. Researchers found that the majority of mismatches in the name fields were the result of misspellings (53.1 percent in first name and 33.6 percent in last name) or from reversing names, e.g. last name being entered into the first name field.
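The discrepancy categories the study reports (misspellings and reversed first/last names) can be reproduced on an organization's own confirmed-duplicate pairs with a small classifier. The following is an added example, not the study's method or data; the record layout, the sample pairs and the edit-distance cutoff for calling something a misspelling are constructed assumptions.

```python
"""Classify name-field discrepancies between two records that are confirmed
duplicates of the same patient (added illustration, not the study's code)."""


def levenshtein(a, b):
    """Classic dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def norm(s):
    """Lower-case and strip punctuation/whitespace so 'O'Brien' == 'OBRIEN'."""
    return "".join(ch for ch in (s or "").lower() if ch.isalnum())


def classify_name_discrepancy(rec_a, rec_b, max_typo_distance=2):
    """Return 'match', 'reversed', 'misspelling', 'missing' or 'different'.

    max_typo_distance is an assumed cutoff: total edits across first and last
    name at or below it are treated as a keying error rather than a real
    difference.
    """
    fa, la = norm(rec_a.get("first")), norm(rec_a.get("last"))
    fb, lb = norm(rec_b.get("first")), norm(rec_b.get("last"))
    if fa == fb and la == lb:
        return "match"
    if not (fa and la and fb and lb):
        return "missing"
    if fa == lb and la == fb:
        return "reversed"          # last name keyed into the first-name field
    if levenshtein(fa, fb) + levenshtein(la, lb) <= max_typo_distance:
        return "misspelling"
    return "different"


def tally(pairs):
    """Count discrepancy categories over a list of (record_a, record_b) pairs."""
    counts = {}
    for a, b in pairs:
        c = classify_name_discrepancy(a, b)
        counts[c] = counts.get(c, 0) + 1
    return counts


# Constructed duplicate pairs, one per category
SAMPLE_PAIRS = [
    ({"first": "Jon", "last": "Smith"}, {"first": "John", "last": "Smith"}),
    ({"first": "Smith", "last": "Mary"}, {"first": "Mary", "last": "Smith"}),
    ({"first": "Ana", "last": "Lopez"}, {"first": "Ana", "last": "Lopez"}),
    ({"first": "Ana", "last": "Lopez"}, {"first": "Ana", "last": ""}),
    ({"first": "Robert", "last": "Lee"}, {"first": "Bob", "last": "Lee"}),
]

if __name__ == "__main__":
    for category, n in sorted(tally(SAMPLE_PAIRS).items()):
        print(f"{category:12} {n}")
```

Dividing each count by the number of pairs gives the per-category percentages in the form the study reports them.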
Beth Just noted that "the study highlighted patient identification issues that continue to plague healthcare and impede progress toward improved care quality and patient safety." She also added that, "even with the emergence of best practices, clinical systems remain clogged with duplicate records, shaking providers' confidence in the quality of patient data being shared."
It was ultimately concluded that sophisticated technology alone is not enough to significantly improve patient matching. The solution is a combination of strategies.
Based on the findings, it was determined that this study and others like it are extremely important if we are to "fully understand the root causes of duplicates and design solutions that close the gaps in technology, policies, processes and training that exacerbate the issue."
Rachel Podczervinski Receives CHIMA Rising Star Award
Rachel, a Senior Manager of Identity Solutions with Just Associates, was recognized by Colorado Health Information Management Association (CHIMA) as a promising new professional who embodies the future of HIM. The Rising Star Award distinguishes individuals who have demonstrated excellence in the management of personnel, finances, or administrative aspects of HIM. Honorees have also made a strong commitment to the HIM profession through active participation in local, state, and national AHIMA activities – in particular those activities that promote HIM education.
Just Associates in the Industry
In December of 2015, Beth shared her expertise in the AHIMA article "Reformatting Healthcare through Standards: AHIMA Building a Standards Strategy to Improve Interoperability and Healthcare," which offers advice on achieving true interoperability through improved data sharing standards. Beth's thoughts included implementing best practices or "standards of practice" to help clients and other health information managers (HIM professionals) standardize their patient matching process internally, to assist workflow needs.
In January, Julie Dooling and Megan Munns, along with other members of AHIMA, contributed to Journal of AHIMA's survey on "Patient Matching Problems Routine in Healthcare," which illustrated the importance of information governance encompassing patient matching. Julie and other survey authors noted that over half of HIM professionals routinely work on mitigating possible patient record duplicates at their facility and, of those, 72 percent work on mitigating duplicate records weekly. Based on the findings, it was concluded that reliable and accurate calculation of the duplicate rate is foundational to developing trusted data, reducing potential patient safety risks and measuring return on investments for strategic healthcare initiatives.
In a later Journal of AHIMA article, "Treating LGBT Status as a Patient Safety Issue," Megan and Julie address the health-record-management implications and issues related to the recent Supreme Court decision to provide marriage licenses to same-sex couples. The two share their expertise on the role health information management (HIM) professionals play and the changes that will take place in data collection and patient-safety considerations unique to the LGBT population.
Finally, appearing in Journal of AHIMA's April 2016 issue, are Susan Lucci's thoughts on "Understanding Cybersecurity: A Primer for HIM Professionals," highlighting cybercriminal activity and how it is impacting the health care industry.
Additionally, Susan discusses what to watch out for and how best to protect organizations from vulnerabilities, citing data from several studies on breaches and common threats.
Sharing Our Expertise
Just Associates experts, Beth and Megan, will be participating in an industry event presenting their ground-breaking research from "Why Patient Matching Is a Challenge: Research on Master Patient Index (MPI) Data Discrepancies in Key Identifying Fields," at AHIMA Data Institute: Making Information Meaningful. Also presenting with Megan and Beth is David Marc of The College of St. Scholastica, Just Associates' partner in the study. The convention is set to take place December 8-9 in Las Vegas, NV.