In many respects, it has been The Summer of The Data Breach. HHS brought down the hammer on Wellpoint, fining the insurer $1.7 million after discovering the impermissible disclosure of over 600,000 patient records through an unsecured online application. A couple of weeks later, OHSU reported a breach of over 3,000 patient records when hospital officials learned that providers were using Google Drive to share patient records in the cloud. Finally, just two weeks ago, in the event that sent shock waves through both covered entities and business associates, OCR and Affinity reached a $1.2 million settlement after the health plan failed to wipe over 300,000 patient records from a digital photocopier it had leased in 2010 before returning it. A subsequent lessee, CBS, found the leftover sensitive data still on the machine.
So, in what can only be described as a fitting event to close out the summer, this Labor Day weekend punctuated the series of noteworthy PHI events with the discovery that Advocate Health lost more than 4 million patient records after a thief stole four computers from the largest Illinois medical group. In an all too familiar fact pattern, the computers were not encrypted, so every record on them was readable by whoever held the hardware. Had the drives been encrypted to the HHS guidance standard, the theft of the hardware would not have been a reportable breach at all, because encrypted PHI is treated as unusable, unreadable, and indecipherable to unauthorized persons.
While the number of compromised patient records is staggering, the biggest shock of all is that Advocate has dealt with this exact problem before. In a 2009 laptop theft, Advocate landed itself on the OCR “Wall of Shame” for a breach in which 812 patient records walked out the door with the thief. In a settlement with federal regulators stemming from that first incident, Advocate agreed to launch an encryption program so that mobile devices would remain protected from third-party access even if stolen. An Advocate spokeswoman indicated that this encryption program had not yet reached the four recently stolen computers.
Though unfortunate, the Advocate case offers some valuable lessons. Large healthcare organizations have the resources and IT personnel to roll out protective measures for their patients’ data, but given the organizational complexity and the many moving parts, even requirements imposed by a federal settlement can take a hospital system years to deploy completely, and every device the program has not yet reached is an unreported risk until the day it goes missing. What’s more, as the variety of mobile devices grows, huge health systems will find it difficult to stay flexible enough to cover each new form factor.
The change providers need is more foundational. Instead of constantly patching over security issues after the fact, providers should choose solutions with security built into the product infrastructure from the start. Before allowing clinicians to access PHI from yet another class of device, CIOs should first work out how to secure the processes already in place. Left unaddressed, your facility might find itself headlining the next season of data breaches.
With over two decades of technology entrepreneurship behind him, Krishna Kurapati started QliqSOFT with a strong desire to solve clinical collaboration and workflow challenges in US healthcare. During the late 1990s, Krishna co-founded IPCell to build the first Cable IP Telephony switch, eventually selling the company to Cisco Systems. In 2003, he started Sipera (later acquired by Avaya) to solve security issues in Unified Communications, raising over $30MM in venture funding. He has also been actively involved in the early-stage financing of startups in both the US and India.
Prior to the pandemic, telehealth visits (patient-provider visits delivered virtually) were an afterthought in the care continuum: ill-regarded and little-used beyond patients in rural areas who had few care choices. Virtual visits comprised less than 1% of all outpatient visits. Private insurers generally follow guidelines from the Centers for Medicare & Medicaid Services (CMS), which allowed telehealth only in limited circumstances and reimbursed it at 30% below in-office rates.