Ever Wondered What’s Been Causing All These Healthcare Security Breaches? It Could Be HIPAA’s Fault.

More than 30 million individuals have been affected by health data security breaches since 2009, and these breaches are fast becoming a costly expense for healthcare organizations.

If you want to review these breaches, visit the Department of Health and Human Services’ Office for Civil Rights “wall of shame”. There you will find a list of every breach affecting more than 500 people. The current total is over 900.

So what’s the most common cause of breaches listed on the wall? Lost or stolen unencrypted devices.

According to Dan Berger, a security expert at the pen testing firm Redspin, organizations need to avoid treating the HIPAA guidelines as a box-ticking exercise, because that provides only a false sense of security.

We’d agree. HIPAA exemplifies the paradox confronting our administration: on one hand the government wants free-flowing information, while on the other it wants to control ALL information. Those two goals are at odds with one another.

This is why we reinvented the EMR for direct care practices. Our view is that by tracking only relevant information we trim the fat and make it simpler for the right parties to get the right information.

What is most important, Berger says, is to look at both the technical and the operational side of HIPAA data. For example, if a particular healthcare worker requires access to 10,000 health records, the organization had better know about it and make sure proper compensating controls (logging and review of that bulk access, for instance) are in place.

In an interview with Marianne Kolbasuk McGee, Berger faults the U.S. government for not making encryption of data at rest mandatory under the HIPAA Security Rule; as the rule stands, encryption is an “addressable” specification rather than a required one.

One of the most interesting points Berger makes, in response to the ever-increasing risk of BYOD within healthcare organizations, concerns the mindset employees have toward their own personal devices.

“At the end of the day, the problem with BYOD comes down to the fact that a user using their own cell phone or tablet has a different psychological feeling towards that device. It is theirs, so they really feel like they can do what they want with it. It’s very hard to change that psychological dynamic. What we recommend is a holistic, multi-pronged solution. The things you need to include are the policies, not ones that you are forcing on your employees, but ones they are accepting as policies. Most importantly, you need to train your users on mobile device security.”

Berger finishes by stating that, because of these challenges, we may see some organizations heading toward more of a ‘choose your own device’ policy, giving their users a choice among devices that already have sufficient security built in. He says we may see less BYOD in the future and a resurgence of organization-managed devices.

What Berger doesn’t mention, however, is the rise of new technologies that enable users to collaborate safely in the cloud on mobile devices. Given that trend, it doesn’t make much sense that organizations will move backwards to “choose your own device” or company-provisioned devices.

But isn’t this another great example of a free-market issue? Our doctors use their own devices and run Atlas.md EMR right on their iPads. However, our data is encrypted, and if an iPad were stolen we could hop on a desktop and quickly change our passwords, denying a thief the ability to access data from the stolen device. That holds only if the password change also invalidates the sessions the stolen device already holds, and only if no unencrypted copy of the records is cached on the device itself; encryption at rest covers the second point, and the back end has to cover the first.
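The following is an added example, not Atlas.md’s code, showing what the server side has to do for “change the password from a desktop” to actually lock a stolen device out. It uses a hypothetical in-memory user table and session store standing in for an EMR back end: each session records the credential generation current at login, and a password change bumps that generation so every older session fails validation. The `bind_to_credentials=False` switch models the naive design in which a password change leaves previously issued sessions untouched. Names, passwords and the PBKDF2 iteration count are illustrative; a production system would use a dedicated password-hashing library and a persistent store.

```python
"""Revoking a stolen device's access by changing the password.

Added example (not Atlas.md's code). Everything below is hypothetical: an
in-memory user table and session store stand in for an EMR back end.
"""

import hashlib
import hmac
import os
import secrets
import time
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class User:
    def __init__(self, username: str, password: str):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = _hash_password(password, self.salt)
        # Incremented on every password change. Sessions record the value that
        # was current at login, so a change invalidates every older session.
        self.credential_generation = 1

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash_password(password, self.salt))

    def change_password(self, old: str, new: str) -> bool:
        if not self.check_password(old):
            return False
        self.salt = os.urandom(16)
        self.pw_hash = _hash_password(new, self.salt)
        self.credential_generation += 1
        return True


class SessionStore:
    """Server-side sessions keyed by a random bearer token."""

    def __init__(self, bind_to_credentials: bool = True):
        # bind_to_credentials=False models the naive design in which a
        # password change leaves previously issued sessions untouched.
        self.bind_to_credentials = bind_to_credentials
        self._sessions = {}  # token -> (username, generation, device, expiry)

    def login(self, user: User, password: str, device: str, ttl: int = 3600) -> Optional[str]:
        if not user.check_password(password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user.username, user.credential_generation,
                                 device, time.time() + ttl)
        return token

    def validate(self, token: str, users: dict) -> Optional[str]:
        rec = self._sessions.get(token)
        if rec is None:
            return None
        username, generation, _device, expiry = rec
        user = users.get(username)
        stale = (user is None or time.time() > expiry or
                 (self.bind_to_credentials and generation != user.credential_generation))
        if stale:
            self._sessions.pop(token, None)  # drop the revoked session
            return None
        return username


def stolen_ipad_scenario(bind_to_credentials: bool = True) -> dict:
    """A doctor logs in on an iPad, the iPad is stolen, and the doctor changes
    the password from a desktop. Reports whether the iPad's token still works."""
    users = {"dr_smith": User("dr_smith", "correct horse battery staple")}
    store = SessionStore(bind_to_credentials)
    ipad_token = store.login(users["dr_smith"], "correct horse battery staple", "ipad")
    before = store.validate(ipad_token, users)
    users["dr_smith"].change_password("correct horse battery staple", "new-passphrase-2024")
    after = store.validate(ipad_token, users)
    desktop_token = store.login(users["dr_smith"], "new-passphrase-2024", "desktop")
    return {
        "ipad_valid_before_change": before == "dr_smith",
        "ipad_valid_after_change": after == "dr_smith",
        "desktop_valid_after_change": store.validate(desktop_token, users) == "dr_smith",
    }


if __name__ == "__main__":
    print("sessions bound to credentials:  ", stolen_ipad_scenario(True))
    print("sessions not bound to credentials:", stolen_ipad_scenario(False))
```

With sessions bound to the credential generation, the iPad’s token stops working the moment the password changes while the fresh desktop login keeps working; with the naive store, the thief’s existing session survives the password change. Note that neither variant protects records already cached on the device, which is why the encryption at rest mentioned above is not optional.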

Most importantly, we respect our devices because they are OUR OWN. An inherent problem with the red-tape, HIPAA-based, conglomeratized healthcare system is that doctors are handed a device (likely with a shoddy EMR) and expected to crank out up to 40 visits a day. At a certain point, isn’t it possible a doctor might lose a device simply for lack of personal stake, both in his own enterprise as a doctor and as a user of the device?

The market should be allowed to lead: data is moving to the cloud. Forcing doctors to go backwards is a surefire way to create the lethargic, jaded attitude that encourages sloppy behavior and future data breaches.

Compare that with Direct Care and Atlas.md EMR. We believe a doctor who invests in his or her own practice’s success, with a product he or she has purchased, is more likely to take care of their devices and ultimately avoid the most common cause of data compromise.