Authors:  Winston Krone, Managing director, Kivu Consulting and Rick Kam, President and co-founder, ID Experts

2014 is the first financial year after the HIPAA Final Rule, and healthcare privacy has transformed in ways that are good, bad, and downright scary.

The good: Higher awareness
On the positive side, the total number of data breaches in healthcare has declined slightly, according to the Fourth Annual Benchmark Study on Patient Privacy and Data Security by Ponemon Institute. Clearly, healthcare organizations are aware of the requirements, and their data security budgets and systems are catching up.

On the forensics side, for instance, we’ve seen a strengthening of networks and locally stored data by hospitals and other healthcare organizations, with a greater use of applications that monitor networks. Lots of data breaches have been avoided.

The bad: Bigger, badder breaches
The news isn’t all rosy, however. Ponemon also found that 90 percent of respondents had at least one data breach over the past two years, while 38 percent have had more than five data breaches in the same period. Clearly, threats to patient data remain high.

More complex information systems and business relationships are leading to larger, more complex breaches. Ironically, the data on the internal systems of HIPAA covered entities is now much better protected, but with so much data in the cloud or shared with business associates, large amounts of information have become less well protected.

There are two big issues with cloud storage. First, organizations and users fail to realize that when they look at their email or share folder, they don’t know where that data is actually located. People assume it is well protected, but it may not be. Second is the amount of data kept in the cloud. The low cost of cloud storage means many people use email as their storage system instead of using folders on a local file system. While their computer is in a highly protected work environment, their email is in the cloud, protected by only an email address and password. When the dam breaks, there’s a huge amount of data.

Outsourcing to business associates also creates vulnerabilities. Healthcare organizations outsource work, such as claims processing, to cut costs and become more competitive. Unfortunately, those vendors are also competing with each other on costs, leading some to overstate the data security they provide.

The scary: Threats you can’t predict
The unpredictable threats come from the newest developments in the healthcare ecosystem, and from the computing infrastructure itself. In the healthcare market, health information exchanges are one of the big unknowns. The Ponemon study found that one-third of organizations surveyed have no plans to become a member of an HIE, in fact, with 72 percent not confident or only somewhat confident in the security and privacy of patient data shared on HIEs.

Security problems in the exchanges will arise because multiple levels of outsourcing, contracting, and subcontracting make them so opaque. When security incidents happen, organizations may not know for sure who is responsible for detecting or addressing the breach. And unlike platforms that have been around longer, we have not yet seen all the bugs and vulnerabilities in exchanges.

3 tips to protect health data
Despite unpredictability and greater complexity, organizations can still protect their patients’ privacy and secure their data with some common-sense strategies:

1. Don’t cut security costs. Reputable cloud storage companies have tools available for logging, monitoring, and controlling or restricting data access. But because organizations move to the cloud to save money, they’re not inclined to spend on security add-ons and plugins. People tend to see add-ons as optional, and companies are not buying the bells and whistles when they move to the cloud. Paying for security will pay off in the long run.

2. Don’t assume your security investment will protect you 100 percent. This may seem counter-intuitive to the first step, but it’s impossible to anticipate every threat. Organizations should assume that their security will fail, and go back to basic questions:
• Can we divest ourselves of data?
• Can we decrease our vulnerability?
• Can we take data off line?
• Can we limit the number of people with access?

3. Communicate, communicate, communicate. Organizations need to figure out the lines of communication before an incident happens. The more communication and transparency a covered entity has, both internally and to the regulatory agencies and the public, the better off it will be. Roles and responsibilities need to be clearly defined ahead of time, key decision-makers need to be in the meetings, and all stakeholders need to be in the loop.

And when the worst does happen, organizations need to go the extra mile in making things right for the individuals affected. If they don’t, consumers and patients may look elsewhere for other healthcare providers.

Read the full article as published in