The rise of accountable care means health systems have more opportunities to share patient information, increasing the opportunities for hackers to penetrate their systems. The question isn't whether a health system will have a breach but when and how it will respond, experts said.
The era of accountable healthcare brings with it a host of new data-sharing requirements—among health system partners, contractors, and patients—and each exchange offers an opportunity for a breach that could cost the health entity thousands in fines and a loss of credibility.
It’s not a question of whether health systems will suffer a breach but when, as well as how they prepare and what plans they have in place to respond, according to a speaker and panelists who took part in an afternoon session at the spring meeting of the ACO and Emerging Healthcare Delivery Coalition®, an initiative of The American Journal of Managed Care® meeting May 4-5, 2017, in Scottsdale, Arizona.
Lee Barrett, executive director for the Electronic Healthcare Network Accreditation Commission (EHNAC), first offered attendees a roadmap of how the new landscape under the Medicare Access and CHIP Reauthorization Act (MACRA) creates new challenges for protecting institutional and patient data, beyond those that were already present under the Health Insurance Portability and Accountability Act (HIPAA).
Later, meeting chair Anthony Slonim, MD, DrPH, CEO of Renown Health, led a discussion among Barrett and Dan Konzen, campus chair, College Information Systems and Technology at the University of Phoenix; and Dan Hurley, vice president for Information Technology at Solera Health, which earlier this year achieved HITRUST CSF certification. The discussion revealed the stunning realities of modern healthcare cybersecurity, including the fact that some hospitals have paid ransom to hackers that threatened to take out their systems (none were named).
Barrett noted that data breaches recorded by HHS’ Office of Civil Rights soared in 2016, with 93 major attacks, representing a 63% increase over the previous year. While huge events like the theft of 78 million records from Anthem get the biggest headlines, Barrett said it’s the small practices that might not be able to recover from an attack, in part due to the reputation loss that could send patients elsewhere. And these small enterprises often think the hackers won’t bother with them, which Barrett said is not true.
More and more, accountable care organizations (ACOs) must share information with network providers, with non-healthcare partners, with quality reporting entities, and with the government; at the same time, patients are logging into healthcare portals and using wearable devices, while connecting to the health system’s network with their personal devices. Workers are using email, and contractors access the system. “All of these different streams and connection points add to the potential risk of any of this data being hacked, or having a breach,” Barrett said.
Hackers aren’t going away in healthcare for a simple reason: a stolen healthcare record is too valuable, he said. While a stolen credit card will be discovered quickly, a stolen health record may not be uncovered for months, giving the thief time to commit thousands of dollars in fraud, usually by obtaining drugs or medical devices, which are then resold.
Skimping on cybersecurity makes no sense, Barrett said, because the cost of recovering lost business and reputation after an attack can be $200 per patient record, compared with $8 per record for standard preventive steps, according to PwC.
What are the new standards? Barrett outlined a long list of steps for a security assessment, which he said should be repeated at least once a year. Each health entity must have clear policies that it follows, but that’s not enough. All staff must be trained regularly, and “documentation is a must,” he said. The OCR has requirements for reporting breaches and they must be followed—Barrett said the agency is more active than ever, and it must be taken seriously.
During the panel discussion, Konzen went further: “It’s not a matter of whether your system has been hacked. Every one of your systems has already been hacked, but you just don’t know about it.”
The panelists agreed that most problems start within the organization. Hurley said organizations can run tests—like Solera did—to see if employees click on bogus emails, so they can train staff not to repeat these mistakes.
Increasingly, third parties are a cause for concern—and getting coverage for cybersecurity will likely require healthcare organizations to not only become accredited themselves, but to only do business with vendors who are also accredited. “You’re still responsible for what the third party does,” Konzen said.
At the same time, outside parties can help. Hurley said a third party ran a test of a software platform to uncover vulnerabilities, which had to be corrected.
Going forward, Hurley said that health systems will need to pay close attention to following good procedures and educational plans, and documenting everything. If something happens, an investigator may ask, “Show me proof that you followed this process.”
“Don’t treat it as ‘check the box,’” Konzen added.
As more consumers interact directly with portals, and health systems upload data from mobile technology, the panelists said there will be movement toward a national system of patient ID authentication. Solera, which operates entirely in the cloud, already has multiple layers of authentication for the patients that interact with its system, Hurley said.
Dennis P. Scanlon, PhD, of Pennsylvania State University, asked the panelists if there was any way to streamline the data sharing process for health research, as he encounters vastly different responses from health systems when he requests records. Unfortunately, they said, the answer is likely “no.”
Each circumstance is different, Konzen said. “Everything has to be looked at individually. You can’t standardize that.”