The Real Causes of HIPAA Security Breaches: Bad IT System Design, Bad User Behavior, Bad Policies, Bad Operations

It seems like nearly every day there is a new headline about a hospital or other medical facility suffering another HIPAA breach. Most of the articles discuss the "cause" of the breach, such as the theft of a laptop containing electronic protected health information or the loss of a portable device like a USB key. It is usually stated that the devices were not encrypted, implying that by encrypting these devices, the facility would have avoided becoming the latest HIPAA headline. And many of the remediation efforts involve more revisions of — and training on — employee policies.  


But encryption is not the answer; at best it is the last line of defense. And there is a lot more going on here that encryption will not solve — and indeed should not be relied upon to solve. In addition, having more employee training and revising HIPAA policy manuals is not only a complete waste of valuable time, it frequently destroys a lot of trees.

With the proliferation of the Bring Your Own Device trend, along with more widespread use of mobile and wireless devices, the HIPAA threats seem almost insurmountable.

Here are some recent reported breach episodes that resulted from stolen laptops.

Lucile Packard Children's Hospital (Palo Alto, Calif.). Theft of laptop from physician's car. 13,000 records. Reportedly the fifth HIPAA breach for Stanford, with four of the five breaches involving the theft of laptops or workstations containing ePHI.

Oregon Health and Science University (Portland). Theft of laptop from physician's Hawaiian vacation condo. 4,000 records. Reportedly the fourth HIPAA breach for OHSU. Apparently ePHI was contained in email attachments, and reportedly the laptop was password-protected but not encrypted since it was being used for "research purposes" and not direct clinical use.

Hospice of Northern Idaho (Coeur d'Alene). Theft of an employee laptop. Only 441 records. This is a very small breach but resulted in a large fine of $50,000. HHS said it deliberately set a steep fine and publicized it widely to send a clear message.

Ironically, if you read the entire roughly 500 pages of the HIPAA Security Rule, you won't see the word "laptop" even mentioned in the actual specifications. Yet laptops are listed as the largest underlying cause of the 619 HIPAA breaches reported by HHS since 2009 that involved at least 500 patient records. The fact that laptops are not actually mentioned by name obviously does not mean immunity for a facility. They are considered portable hardware and storage media, and therefore subject to HIPAA.  

USB drives and CDs are obviously portable devices, and they are mentioned in 17 of the HIPAA major breaches. And workstations — even though not technically considered "portable" — are implicated in over a dozen of the major HIPAA breaches. In fact in one of the largest HIPAA breaches to date, Sutter Health in Sacramento, Calif., is facing over $4 billion in class action lawsuits after a workstation was stolen that contained nearly a million patient records.

Even though laptops are not named in the HIPAA regulations, allowing ePHI on laptops, workstations and other portable devices violates several other provisions of the HIPAA Security Rule, the main ones being: §164.310(a)(1), facility access controls that limit physical access to the systems holding ePHI; §164.310(c), physical safeguards for all workstations; and §164.310(d)(1), device and media controls, including records of the movement of hardware and storage media and policies for re-use and final disposition of all media and devices containing ePHI.

The normal compliance drill following a reported breach seems to be to generate more policy memos to encourage employees not to put ePHI on laptops and other portable devices (or threaten them if they do) and — knowing they won't follow the rules — put encryption on those devices in case they are lost or stolen. Instead, hospital compliance executives need to be asking the more fundamental question: Why is ePHI on these devices in the first place?

The answer is two-fold, and surprisingly simple:


  1. The IT systems are set up to make it possible to put ePHI on local/portable devices;
  2. The IT systems work so poorly for users — especially clinicians — that they resort to putting ePHI on local devices just so they can get their jobs done. (And clinicians are funny. They view their primary role as taking care of patients, not coming up with 12-character passwords and doing other extraordinary things to comply with HIPAA Security.)


In other words, clinicians and other healthcare workers put ePHI on laptops and other portable devices because #1 (above) makes it possible, and #2 makes it necessary.  
The solution is also surprisingly simple:

  1. Design IT systems that don't allow ePHI to be stored locally;
  2. Design IT systems that work so well that users don't feel the need to circumvent the policies.
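Before an IT organization can design local storage out of the picture, it has to know where ePHI has already landed on endpoints: downloaded research extracts, saved email attachments and the like. The following is an added example, not code from the article or from 3t Systems, of a small audit script that walks a user profile and flags text files carrying more than one patient-identifier pattern. The identifier patterns, the file suffixes and the sample files it builds in a temporary directory are all constructed assumptions; medical record number formats in particular vary by site, so the output is a triage list, not a DLP verdict.

```python
"""Audit a local user profile for files that look like they contain ePHI.

Added example (not from the article). The patterns are illustrative: real
medical record number formats are site-specific, so treat the results as a
triage list for where locally stored ePHI is likely to be, not as a verdict.
"""
import re
import tempfile
from pathlib import Path

# Illustrative identifier patterns (assumption: site-specific MRN formats differ).
INDICATORS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b",
                      re.IGNORECASE),
    "dx": re.compile(r"\b(?:diagnosis|dx)[:\s]", re.IGNORECASE),
}
# Only plain-text formats are inspected; PDFs and Office files would need a text extractor.
TEXT_SUFFIXES = {".txt", ".csv", ".eml", ".log", ".html", ".htm", ".rtf"}
MAX_BYTES = 5 * 1024 * 1024


def classify_text(text):
    """Return the set of indicator names whose pattern occurs in text."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def scan_tree(root, min_indicators=2):
    """Walk root and return {posix-relative path: sorted indicators} for every
    text file matching at least min_indicators distinct patterns.
    Requiring two distinct indicators cuts false positives from a lone date."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        if path.stat().st_size > MAX_BYTES:
            continue  # skip huge files; a real tool would stream them
        try:
            found = classify_text(path.read_text(errors="replace"))
        except OSError:
            continue
        if len(found) >= min_indicators:
            hits[path.relative_to(root).as_posix()] = sorted(found)
    return hits


def demo():
    """Build a constructed user profile in a temp dir, scan it, return the hits."""
    samples = {
        # constructed: a research extract downloaded from the EHR
        "Downloads/research_cohort.csv":
            "MRN 00123456, DOB 03/14/1961, Diagnosis: asthma\n"
            "MRN 00123457, DOB 07/02/1958, Diagnosis: COPD\n",
        # constructed: a chart-review email saved locally, the email-attachment pattern
        "Mail/attachments/chart_review.eml":
            "Subject: Re: chart review\n\nPatient SSN 123-45-6789, DOB: 1/2/1970.\n",
        # constructed: a lone date, below the two-indicator threshold
        "Documents/schedule.txt": "Clinic DOB: 5/5/1955 birthday lunch Friday\n",
        # constructed: nothing sensitive
        "Desktop/notes.txt": "Call IT about the password reset queue.\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, indicators in demo().items():
        print(f"{path}: {', '.join(indicators)}")
```

Run against a real profile root (Downloads, mail caches, Desktop) rather than the constructed sample, and feed the hit list into the redesign discussion: every path it reports is a workflow that pushed ePHI out of the data center and onto a device that can be stolen.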

The main culprit in allowing for local data storage is inherent in client/server architecture thinking, along with the concept of a PC (as in "personal computer"). The presence and availability of the local hard drive is a HIPAA disaster just waiting to happen.

There is also a workflow carry-over from the days of paper-based medical records, namely a single clinical employee working on a single patient record. Clinicians have historically been used to working on a patient file that is right in front of them, so it seems natural for them to store their current work locally. This not only increases HIPAA risks, but adds cost inefficiencies to the system.  

To keep data off of local devices, client/server architecture needs to be replaced by thin-client or even zero-client architecture, where there is essentially no local processing function or storage. In turn, that technology should be delivered and backed by core medical-grade data center services. Unfortunately there is still a great deal of legacy IT architecture in hospitals based on client/server design and local PCs, which was the corporate standard for IT systems starting in the mid 1980s. And many hospitals are faced with aging infrastructure at the very time that capital budgets are being squeezed.  

With recent advances in server and storage virtualization, along with the availability of high-bandwidth data services, the time is definitely ripe for robust cloud services in healthcare. Properly designed medical-grade hosting further battle-hardens the core infrastructure — and better meets other HIPAA requirements — and allows overburdened hospital IT staff to focus on more strategic initiatives. But most cloud providers are wholly ignorant of HIPAA Security, and many of the major national cloud players will generally refuse to sign Business Associate Agreements. So you must engage a cloud hosting partner who is intimately involved with and understands healthcare IT.

On the user side, the unfortunate result of increased HIPAA compliance effort is generally degraded workflow and performance. The typical solution has been to require more passwords, with increased length and complexity, shorter timeout intervals and more frequent password change cycles. So users have another legitimate reason to complain about a negative user experience, and further motivation to try to circumvent security measures.
In actual onsite assessments, we have seen clinical users spend 30 to 60 minutes or more per shift dealing with login/username/password issues. In a typical acute-care setting, every patient is documented 2-4 times per hour, 24 hours per day, by multiple clinicians using multiple physical IT devices and multiple software applications. In addition, new compliance requirements such as ICD-10 are putting an even greater stress on clinical documentation.

So some of the busiest and highest-value employees in the patient care cycle end up wasting an unacceptable amount of time with low-value and high-frustration IT activities. This clearly impacts patient care, not to mention employee morale.

In addition, the biggest single source of hospital IT help desk calls is typically password resets. So valuable IT resources within the hospital are also wasted.

Technologies are available that increase security while saving users time. Two-factor authentication pairs something you have, such as your hospital badge, with something you know, such as a PIN, so a stolen or shared password alone is no longer enough. Single sign-on lets the usernames and passwords for multiple applications be managed centrally and more securely; because it also concentrates access behind one credential, the single sign-on login itself is the one that should be protected by the second factor.

Users are significantly happier, ePHI stays in the data center where it belongs, and hospital IT staff are freed up to address more strategic and higher-value projects.

With IT systems properly designed with embedded security that actually gets IT "out of the way," then clinical processes can be truly optimized to achieve the principles espoused in the Institute for Healthcare Improvement's triple aim:

  • Improving the patient experience of care (including quality and satisfaction);
  • Improving the health of populations; and
  • Reducing the per capita cost of healthcare.

In summary, although it may appear otherwise on the surface, the major cause of HIPAA breaches is not laptops. And the solutions lie not in adding device encryption or layering more security burdens on employees, but in redesigning IT systems so that they are inherently both more secure and more user-friendly.

Marion Jenkins leads the healthcare practice for 3t Systems, a leading healthcare IT services firm which provides consulting, managed services and secure cloud hosting. He serves on the healthcare IT graduate faculty at the University of Denver, is a Fellow with the Health Information Management Systems Society and holds MS and PhD degrees from Stanford University. He can be reached at marion.jenkins@3tsystems.com.

Copyright © 2024 Becker's Healthcare. All Rights Reserved.