- Bloomberg - Digital Health Data at Risk From Manager Support, Study Finds
- Modern Healthcare - Health IT lawyer decries 'epidemic' of privacy breaches
- Information Week - 5 Steps To Assess Health Data Breach Risks
- HIMSS Security Survey: Insights Security Issues for Hospitals and Medical Practices
HHS/ONC/CMS have made small, but important, adjustments to the Meaningful Use stage 2 statements that focus attention on the largest category of breaches: those caused by the loss of mobile devices that contain databases of PHI. For the EHR certification criteria, the focus is first on smart EHR design that doesn't leave PHI on end-user devices; second, if PHI is left behind, it needs to be controlled using encryption. In the CMS rule this breach category is simply indicated as a reminder that covered entities are already obligated by HIPAA Security to do risk assessments and planning, so remember to assess and mitigate the risk of mobile devices that contain PHI getting stolen or lost. I knew this was going to be the case, since I worked with the writers of the NPRM as a member of the HIT Standards privacy and security workgroup and as an SME. See my blog article written last month - Encryption is like Penicillin.
Baby steps are more effective than giant steps
I truly think that the healthcare industry can continue to be relatively secure and privacy protecting. Yes, losing control of 10 million patient records is actually low-profile. That is, there are plenty of other industries that are far more the focus of malicious acts. Most healthcare breaches are due to carelessness and sloppiness. It is not clear they were for any malicious gain, or even resulted in any malicious gain. The rewards for attacking healthcare are simply not as fungible. This might change; I can't predict what dastardly things might be thought up. I do, however, think that the harm done so far has been minor in comparison. I don't like it, I want it better, but the reality is that as long as there are higher priorities, those priorities will get the funding and resources.
This is not just about prevention, but about detection and action. We must detect security and privacy failures, and punish the one that caused the failure. We do this when the exposure is to a VIP; we need to do it just as strongly when it is Joe Everyone.