Should radiology practices attempt to protect patient data on their own?
We call it “protected” health information. But the reality is that breaches of our personal health data are on the rise, some of them breathtaking in the scope of human error involved. Like the radiology practice that sent stacks of un-shredded patient files to a recycling company. And the health insurance payer that returned a number of rented photocopy machines with patient health information still on the hard drives.
But what about the radiology office that had its servers hacked by gamers looking for more bandwidth to play a popular video game? Or the radiologist who hacked into his ex-employer’s patient database to steal patient files? These are intentional data breaches by outside parties, which lets the hacked entities somewhat off the hook…right?
Not according to the Office of Civil Rights, one of the primary government agencies tasked with investigating organizations for not sufficiently protecting private health information. In the above examples — all of them real — each of the healthcare organizations was either found liable for privacy infringements or faced the possibility. Further, to a certain degree, there likely was real culpability on the organizations’ part. The hacking radiologist, for instance, simply used other employees’ passwords, which he never would have had access to in a “Zero Trust” environment. And while the exact methods used by the video gamers haven’t been publicized, such attacks often gain entry into a network via a hardware device or software application with a default vendor password that’s supposed to be reset after the purchase but frequently isn’t, even though these passwords are published online and well known in hacking communities.
Radiologists in the dark on risks
The “nemesis” here isn’t just the hacker. It’s the unrealistic expectation that medical professionals should be running impenetrable IT departments. Yes, they have a legal and ethical responsibility to protect patient data. But the switch from tape to digital imaging studies has made it increasingly clear the actual mechanics of protecting this information should be handed off outside the clinical practice, just like numerous other activities required for a functioning practice that can’t be accomplished internally. It would be ludicrous, for example, to expect the average radiology practice to operate and accredit its own medical schools to produce the practice’s future doctors. To a similar degree, it’s inexplicable how healthcare has arrived at the point where every practice is expected to have a well-staffed IT department able to comply with increasingly complex privacy requirements, from the unceasing updates to HIPAA, to the Omnibus Rule — which at last count, was almost 600 pages.
In short, few internal IT departments are adequately staffed to know all the potential risks to their IT infrastructure, much less to close off all these potential vectors. And this is not an area that is likely to grow clearer or easier with time. There are too many agencies involved, each with its own set of (continuously updated) data security rules. In addition to the Office of Civil Rights, there’s the Office of National Coordinator for Health IT, the Centers for Medicare & Medicaid Services, the Drug Enforcement Agency, Homeland Security and even the Federal Trade Commission involved in healthcare data protection.
The healthcare cloud services provider: credible third party
Healthcare organizations like radiology practices need help now in the IT arena. Too much is at stake if a data breach of private health data occurs. First and foremost, it’s a tremendously stressful event for patients, many in the midst of a serious illness. It can also ruin a radiology practice, in both reputation and finances, with fines potentially reaching past $1 million.
A healthcare-exclusive cloud services provider can step in and immediately begin to strengthen security by performing a risk assessment – which comprehensively and clearly identifies where the gaps in security reside. After that, the same provider can offer a full suite of managed security services, including firewalls, encryption, security updates across the healthcare organization and secure data archiving for easy retrieval and storage of digital imaging studies.
Further, the provider will assure constant monitoring of the practice’s entire network infrastructure for any breach attempt. Judging by the frequently long stretches of time between a breach and its discovery, many organizations are unable to keep up with this sort of vigilant surveillance – which includes maintaining a constant watch over which employees enter the network and when.
In the highly regulated, highly defended environment of a top-tier cloud services provider, by contrast, all access can be restricted and documented right down to the user, application, and file, with unauthorized access attempts immediately detected.
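The monitoring described in the two paragraphs above (who enters the network and when, with access documented down to the user, application and file, and unauthorized attempts flagged) comes down to reviewing an access audit trail against a least-privilege policy. The following is an added example, not code from the article or from any cloud provider it describes. It assumes a hypothetical, constructed log format ("timestamp user workstation action resource"), a hypothetical role-to-resource policy, and assumed business hours; the sample log lines are constructed and contain no real patient or user data. It flags four things a reviewer would want surfaced: resource access outside a user's role, one account logging in from two workstations within a short window (the shared-password pattern the article describes), activity outside business hours, and data exports.

```python
"""Audit-trail review for an imaging system's access log.

Added example (not the article's or any provider's code). Assumed log
format, constructed: "ISO-timestamp user workstation action resource".
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit trail; no real patients, users or systems.
SAMPLE_LOG = """\
2024-03-04T08:02:11 rad_jones WS-READ-01 LOGIN -
2024-03-04T08:05:40 rad_jones WS-READ-01 OPEN imaging/ct/study-1001
2024-03-04T08:06:02 front_desk WS-FRONT-02 LOGIN -
2024-03-04T08:07:15 front_desk WS-FRONT-02 OPEN scheduling/day/2024-03-04
2024-03-04T08:09:30 front_desk WS-FRONT-02 OPEN imaging/ct/study-1001
2024-03-04T08:11:05 rad_jones WS-READ-03 LOGIN -
2024-03-04T08:12:44 rad_jones WS-READ-03 EXPORT imaging/mr/study-2042
2024-03-04T23:41:19 tech_lee WS-MR-01 LOGIN -
2024-03-04T23:42:00 tech_lee WS-MR-01 OPEN imaging/mr/study-2043
"""

# Hypothetical role mapping and least-privilege policy: a role may only
# touch resources under the listed prefixes. Unknown users get no access.
USER_ROLES = {"rad_jones": "radiologist", "front_desk": "scheduler",
              "tech_lee": "technologist"}
ROLE_ALLOWED_PREFIXES = {
    "radiologist": ("imaging/",),
    "scheduler": ("scheduling/",),
    "technologist": ("imaging/",),
}
# Actions that move data out of the system are reviewed regardless of role.
SENSITIVE_ACTIONS = {"EXPORT"}
BUSINESS_HOURS = (7, 19)  # assumed 07:00-19:00 local time


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    host: str
    action: str
    resource: str


def parse_log(text):
    """Parse the constructed five-field log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action, resource = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, host, action, resource))
    return events


def unauthorized_access(events):
    """Resource touches outside the user's role policy (or by an unknown user)."""
    hits = []
    for e in events:
        if e.resource == "-":  # LOGIN rows carry no resource
            continue
        allowed = ROLE_ALLOWED_PREFIXES.get(USER_ROLES.get(e.user), ())
        if not e.resource.startswith(allowed):  # empty tuple never matches
            hits.append(e)
    return hits


def concurrent_hosts(events, window=timedelta(minutes=15)):
    """Same account logging in from two workstations within `window`:
    the indicator of a shared or borrowed password."""
    logins = defaultdict(list)
    for e in events:
        if e.action == "LOGIN":
            logins[e.user].append(e)
    flagged = []
    for user, evs in logins.items():
        evs.sort(key=lambda x: x.ts)
        for a, b in zip(evs, evs[1:]):
            if a.host != b.host and b.ts - a.ts <= window:
                flagged.append((user, a.host, b.host))
    return flagged


def off_hours_events(events):
    """Any activity outside the assumed business hours."""
    start, end = BUSINESS_HOURS
    return [e for e in events if not (start <= e.ts.hour < end)]


def sensitive_actions(events):
    return [e for e in events if e.action in SENSITIVE_ACTIONS]


def review(text):
    """Run every check over a log and return the findings by category."""
    events = parse_log(text)
    return {
        "unauthorized": unauthorized_access(events),
        "shared_credential": concurrent_hosts(events),
        "off_hours": off_hours_events(events),
        "exports": sensitive_actions(events),
    }


if __name__ == "__main__":
    for kind, items in review(SAMPLE_LOG).items():
        print(f"{kind}: {len(items)} finding(s)")
        for item in items:
            print("  ", item)
```

On the constructed sample this reports the front-desk account opening an imaging study its role does not permit, the radiologist's account logging in from a second workstation nine minutes after the first, the technologist's late-night activity, and one export. In a real deployment the policy tables would come from the identity system rather than being hard-coded, and the findings would feed an alerting pipeline rather than stdout; the point is that each category is a concrete, testable rule rather than an aspiration.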
At this point, it should be noted that under the HITECH Act’s requirements for third-party “business associates” involved in managing patient data, cloud services providers actually have a legal obligation to keep patient information private and secure. As noted in a Radiology Today article, such business associate agreements should pay rigorous attention to “HIPAA compliance, Safeguards, Training, Notification and Subcontractor extensions” (Chavis, 2012) as areas of protecting personal health information.
But where the strongest provider will clearly emerge is in the “over and above” aspect of its Business Associates contracts. Such a provider will assume a majority of the shared risk should a data breach occur. Needless to say, few providers have the confidence to take this on, but it’s obviously important to find one who does.
Continuous vigilance: The security basic for stopping even “sophisticated” attacks
Hackers are always looking for a vulnerability in the healthcare organization’s network. A cloud services partner with an exclusive focus on protecting valuable healthcare data — and strong standards for business associate accountability — will deny them any opportunity to find one. In turn, the radiology practice can direct its own focus back to diagnosing and treating illnesses.