The Health Insurance Portability and Accountability Act (HIPAA) was enacted to create standards for the security and privacy of individual medical data. Actual compliance with HIPAA regulations by the health care industry and HIPAA enforcement by government agencies has been a different story.
The U.S. Congress enacted HIPAA on Aug. 21, 1996. The HIPAA Privacy Rule went into effect in April 2001, and gave covered entities (CEs), otherwise known as health care providers, clearinghouses or health plans, two years to meet compliance. The HIPAA Security Rule went into effect in April 2003 and CEs had until April 2005 to get into compliance.
As of Aug. 24, 2007, the Centers for Medicare & Medicaid Services (CMS), responsible for HIPAA Security Rule enforcement, and the Office for Civil Rights (OCR), responsible for HIPAA Privacy Rule compliance, had not established any policies or procedures for conducting HIPAA compliance reviews at covered entities. This was the case even though a significant number of HIPAA complaints had been received.
Through the end of December 2008, the OCR had received 41,807 HIPAA complaints, with 6,019 (14%) of those still open. As of Jan. 31, CMS had received 1,044 complaints and still had 149 (14%) of the total open.
The U.S. Department of Health and Human Services (HHS) didn't perform a compliance audit until March 2007, when Atlanta's Piedmont Hospital was the first to feel the scrutiny of the HHS Office of Inspector General's (OIG) auditors looking at HIPAA Security Rule compliance. The impact of that specific audit was underwhelming; a summary of the findings has not yet been published. However, the audit caught the attention of many CEs who had long ago assumed that, since no HIPAA enforcement actions had occurred since 2003, there would never be any such actions. The tide appeared to be ebbing.
In October 2007, the CMS contracted Pricewaterhouse Coopers to conduct up to 20 HIPAA Security Rule compliance audits. This was in addition to the audits being performed by the HHS OIG, according to Tony Trenkle, director of the CMS Office of E-Health Standards and Services. The compliance enforcement tide was now turning.
Desperate times increase the crimes
Health care entities are common targets for crime. If you look through the annals of the growing number of sites that chronicle privacy breaches, such as the Privacy Rights Clearinghouse (PRC) Chronology of Data Breaches and the Open Security Foundation's DataLossDB, you will see an overwhelming number of incidents from health care providers and health care insurers.
In December 2008 alone there were seven health care breaches listed in the PRC listing that involved 13,000 health records. Keep in mind that there are significant numbers of other breaches that are not listed in any of these compendiums, let alone even reported in the news.
When the economy was good, there were plenty of instances of criminals and insiders taking protected health information (PHI) and other types of personally identifiable information (PII) to do bad things. The bad economy now provides even greater motivation.
Poor information security practices within CEs provide great opportunity for crime to occur. A significant portion of personnel, business partners and others with authorized access to medical information will succumb to temptation to do bad things for financial gain if they think they won't get caught, if they think their job is threatened or if they believe their employer is mistreating them. Criminals with no authorized access will exploit security weaknesses to obtain patient information and use it for their financial gain.
Health care organizations possess a huge amount of very valuable PII, such as credit card numbers, insurance policy numbers, Social Security numbers and banking information, along with names, addresses, phone numbers and other information that can easily be used for identity theft. Increasingly, some of the most valuable information belongs to patients with preferred medical network insurance plans. Criminals can take this information and sell it to other criminals, who can then use it in their illegal immigration activities. PHI is also progressively being used more for medical identity theft by individuals desperate to obtain health care insurance coverage but who otherwise do not qualify for it.
Insider threat is increasing
There have been numerous reports about the growing instances of insiders (individuals with authorized access to information) stealing information. Numerous news reports have indicated that, as organizations cut costs, insider threats of data leakage are rising, and cybercriminals are using the resulting lax security to commit even more cybercrime:
- 56% of workers surveyed admitted to being worried about losing their jobs.
- More than half have already downloaded competitive corporate data and plan to use the information as a negotiating tool to secure their next job.
- 58% of U.S. workers have already downloaded business data, including customer PII, to take with them if they lose their jobs.
Just a few examples of insider crime cases within healthcare organizations include:
- On Jan. 16, Remberto Sarmiento was sentenced to eight years in prison for submitting more than $7 million in fraudulent claims to the Medicare program for reimbursement by using stolen patient information. Sarmiento purchased two medical companies, maintained corresponding corporate bank accounts, signed checks drawn on those bank accounts and then distributed fraud proceeds using a shell construction company, according to the FBI.
- In January 2008, Tenet Healthcare Corp., which owns more than 50 hospitals in a dozen states, disclosed a data breach involving a former billing center employee in Texas who pleaded guilty to stealing patient information on as many as 37,000 individuals. He got nine months in jail.
- In January 2008, an office cleaner at the HealthSouth RidgeLake Hospital in Sarasota, Fla., pleaded guilty to taking information from the patient files of an anesthesiologist and then committing fraud by ordering credit cards on the Internet with stolen patient information. He got two years jail time.
Personnel may also purposely sabotage computer systems if they feel their employment is threatened. For example, on Aug. 27, 2007, a federal jury found Jon P. Oson, a former computer network engineer and technical services manager for the Council of Community Clinics, guilty of two counts of violating the Computer Fraud and Abuse Act. After he got a bad performance review, in retaliation Oson disabled the system backups of patient information and also deleted patient data on many of the servers. Not only did Oson damage the clinics' business systems, but his actions could very well have also negatively affected the medical care of the people whose PHI he deleted.
Steps to fight insider threats
Here are just a few of the important steps health care organizations should take to fight the insider threat, in addition to supporting HIPAA compliance:
- Make sure one person does not have all authority over, control over or access to critical and sensitive data. This can be hard to address within small and medium-sized businesses, but it is important to do wherever possible.
- Log the access of personnel with authorized access to sensitive data and systems. When management knew there was going to be a negative performance review given to Oson, others outside Oson's line of management should have started logging his access to the systems for which he was responsible, if it wasn't being logged already. No one individual should control the entire network and data resources. If this is the situation, there should be another position, outside the individual's area, logging and monitoring the individual's activities.
- Have thorough exit plans in place and follow them consistently when employees in critical positions are terminated or resign. As soon as Oson resigned, all his access -- especially including from remote locations -- should have been immediately terminated. There should also be heightened monitoring following the unharmonious resignation of an employee from a position of excessive systems and data access control and responsibility.
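As an added illustration of the logging and access-revocation steps above (this script is not part of the original article), the following Python code reviews a constructed audit log against a hypothetical watch list and termination record, flagging any access after an account's resignation time and any backup-disabling or deletion action by a monitored administrator for an independent reviewer:

```python
# Added example (not from the article): privileged-activity review over a
# constructed audit log. It flags access by an account after its recorded
# termination time, and destructive admin actions by a monitored account.
from datetime import datetime

# Constructed sample log lines: timestamp, user, source, action, target.
SAMPLE_LOG = """\
2007-07-10T08:15:00 jdoe    console  login          srv-ehr-01
2007-07-10T22:40:00 netadm  remote   backup.disable srv-ehr-01
2007-07-11T23:05:00 netadm  remote   delete         srv-ehr-02:/patients
2007-07-12T09:00:00 nurse1  console  login          srv-ehr-01
2007-07-15T03:30:00 netadm  remote   login          srv-ehr-03
"""

# Hypothetical administrative state, as a defender would maintain it.
WATCHLIST = {"netadm"}                                 # accounts under heightened monitoring
TERMINATED = {"netadm": datetime(2007, 7, 14, 17, 0)}  # account -> resignation time
DESTRUCTIVE = {"backup.disable", "delete"}             # actions needing a second reviewer


def parse_log(text):
    """Parse whitespace-separated log lines into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, source, action, target = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "source": source, "action": action, "target": target})
    return events


def review(events, watchlist=WATCHLIST, terminated=TERMINATED):
    """Return a list of (reason, event) alerts for someone outside the admin's chain."""
    alerts = []
    for ev in events:
        end = terminated.get(ev["user"])
        if end is not None and ev["ts"] > end:
            # Access after resignation: credentials were not revoked in time.
            alerts.append(("access-after-termination", ev))
        if ev["user"] in watchlist and ev["action"] in DESTRUCTIVE:
            # Backup disabled or data deleted by an account under monitoring.
            alerts.append(("destructive-action-by-monitored-admin", ev))
    return alerts


if __name__ == "__main__":
    for reason, ev in review(parse_log(SAMPLE_LOG)):
        print(f"{reason}: {ev['ts']} {ev['user']} {ev['action']} {ev['target']}")
```

On the constructed log this yields three alerts: two destructive actions by the monitored account before resignation and one remote login the day after it.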
Rebecca Herold, CISM, CISSP, CISA, CIPP, FLMI, is an information privacy, security and compliance consultant, author, instructor and management tools creator with her own company, Rebecca Herold & Associates LLC. Herold has provided information security, privacy and compliance services to organizations in a wide range of industries throughout the world for more than 17 years. She was named one of the Top 59 Influencers in IT Security for 2007 by IT Security magazine. Herold is an adjunct professor for the Norwich University Master of Science in Information Assurance (MSIA) program.