Nine hundred and nineteen patients of Riverside Health System, a five-hospital organization in Virginia, received word of an unwelcome New Year’s gift: a four-year-long security breach. An LPN formerly employed for 13 years by Riverside accessed the Social Security numbers and health records of the patients, which was considerable fodder for identity theft.
Affected patients were offered credit monitoring services, but the facility still faces potentially big fines if the Department of Health and Human Services finds willful neglect: $10,000 per violation when properly addressed and $50,000 if uncorrected. How to categorize breaches that happened years ago is anybody’s guess, but chances are that Riverside’s claim of a “robust compliance program” could be challenged. As of the end of December, the organization was still missing contact information for 76 patients, and so couldn’t even notify everyone. Two other local health providers had breaches in 2013. Virginia wasn’t the only area with problems: 2013 was a big year for HIPAA breaches, and a report from credit monitoring agency Experian predicts that 2014 will be even worse.
The sheer size of the industry makes it vulnerable when you consider that, as Americans, we will spend more than $9,210 per capita on health care in 2013. Add to that the Healthcare Insurance Exchanges (HIEs), which are slated to add seven million people into the healthcare system, and it becomes clear that the industry, from local physicians to large hospital networks, presents an expanded attack surface for breaches.
Yet many care providers are making a mistake similar to one in other industries. The movers and shakers assume that IT is the department most logically responsible for security because it’s about the technology. Websites, like healthcare.gov, have become instrumental in millions getting health coverage. Hospitals, clinics, test facilities, and doctors all store information on computers, and they are under the purview of IT, right?
Technically, yes, but security problems go far beyond technology, and expecting the IT department to make all the problems go away is close to naïve. There are three points that someone with a health care-centric MBA should consider.
IT doesn’t have enough authority
Information technology is the vehicle that increasingly helps propel health care, as it does so many other types of organizations. But there’s a difference between the car and the driver. IT personnel have authority over how to run the systems and should be responsible for deploying security software. But an IT department does not create company-wide policies that extend beyond specific technical concerns. It is upper management that makes such significant decisions as who should have access to what, the budget available for resources, and the range of duties a single group like IT must undertake. Responsibility without commensurate authority is a recipe for disaster.
Software can’t do enough
Installing software does not guarantee safety. In the case of Riverside, a nurse, presumably with proper authorization for patient records, copied the details she wanted. Software kept audit trails — that’s how the person was eventually exposed, when a routine audit suggested problems. But even audit trails do no good if compliance audits are conducted so rarely that someone can keep misusing data for years before anyone notices. Protecting information requires processes and procedures throughout the organization.
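As an added illustration of that point (this is example code, not anything from the article or from Riverside Health System), the check below turns an access audit trail into a daily review rather than an occasional one: it counts how many distinct patient charts each user opened per day and flags anyone far above the median of their peers. The log line format, the user names, the sample records and the threshold rule are all assumptions constructed for the example.

```python
"""Continuous review of an EHR access audit trail (added example).

Assumed, constructed line format:
    <ISO timestamp> <user> <action> patient=<patient id>
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample audit trail: two users with routine workloads and one
# user (lpn_x) who opens far more distinct charts than peers on one day.
SAMPLE_AUDIT_LOG = [
    "2013-12-02T08:01:12 nurse_a VIEW patient=P1001",
    "2013-12-02T08:14:45 nurse_a VIEW patient=P1002",
    "2013-12-02T09:30:03 nurse_a VIEW patient=P1003",
    "2013-12-02T08:05:00 nurse_b VIEW patient=P1010",
    "2013-12-02T08:50:21 nurse_b VIEW patient=P1011",
    "2013-12-02T11:02:09 nurse_b VIEW patient=P1012",
    "2013-12-02T11:40:09 nurse_b VIEW patient=P1013",
    "2013-12-03T08:03:33 nurse_a VIEW patient=P1001",
    "2013-12-03T08:20:10 nurse_a VIEW patient=P1004",
    "2013-12-03T10:11:57 nurse_a VIEW patient=P1005",
    "2013-12-03T08:07:41 nurse_b VIEW patient=P1010",
    "2013-12-03T09:15:28 nurse_b VIEW patient=P1014",
    "2013-12-03T13:45:00 nurse_b VIEW patient=P1015",
    "2013-12-03T08:00:02 lpn_x VIEW patient=P1001",
    "2013-12-03T08:01:30 lpn_x VIEW patient=P1010",
] + [
    # lpn_x opens 18 further unrelated charts within 20 minutes (constructed)
    f"2013-12-03T08:{2 + i:02d}:00 lpn_x VIEW patient=P2{i:03d}"
    for i in range(18)
]


def parse_line(line):
    """Split one audit line into (timestamp, user, action, patient)."""
    ts, user, action, patient_field = line.split()
    patient = patient_field.split("=", 1)[1]
    return datetime.fromisoformat(ts), user, action, patient


def daily_distinct_patients(lines):
    """Map (user, ISO date) -> number of distinct patient charts touched."""
    seen = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ts, user, _action, patient = parse_line(line)
        seen[(user, ts.date().isoformat())].add(patient)
    return {key: len(patients) for key, patients in seen.items()}


def flag_outliers(daily_counts, factor=3.0, floor=5):
    """Flag user-days whose distinct-chart count exceeds the peer baseline.

    Baseline is the median user-day count; the threshold is `factor` times
    that, but never below `floor`. Both parameters are assumed values.
    Returns (flagged, threshold) with flagged sorted by count, highest first.
    """
    baseline = statistics.median(daily_counts.values())
    threshold = max(floor, factor * baseline)
    flagged = [
        (user, day, count)
        for (user, day), count in daily_counts.items()
        if count > threshold
    ]
    flagged.sort(key=lambda item: item[2], reverse=True)
    return flagged, threshold


def review(lines, factor=3.0, floor=5):
    """Run the whole check over a batch of audit lines."""
    return flag_outliers(daily_distinct_patients(lines), factor, floor)


if __name__ == "__main__":
    flagged, threshold = review(SAMPLE_AUDIT_LOG)
    print(f"threshold = {threshold:.1f} distinct charts per user per day")
    for user, day, count in flagged:
        print(f"REVIEW: {user} opened {count} distinct charts on {day}")
```

Run this once per day against the previous day's audit lines and route the flagged user-days to a compliance reviewer. The median-of-peers rule is deliberately crude; a real program would compare each user against others in the same role and unit, but the point stands regardless of the rule: the audit trail only protects patients if somebody looks at it on a schedule short enough to matter.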
Management is responsible for the consequences
If and when HHS decides that a breach happened, any consequences, like fines that have become harsher over the last few years, are levied against the organization, not the IT department. That means they fall on the shoulders of management, which then has to explain itself to investors, owners, and the press. From budgeting to processes and decisions about what is most important to the organization (for example, ease of use versus the degree of user verification required), management has the biggest say in the security used in health care organizations. But responsibility travels with that authority, and the people running providers must realize it.