The Challenge of Improving HIPAA Compliance and Health Care IT Security (Part 1)
In part 1 of our 2-part series, Medicus Solutions interviews Paige Joyner, PhD – one of Georgia’s leaders in HIPAA compliance – to discuss the past, present and future challenges to IT security for healthcare entities.
When it comes to matters of health care and security, Medicus Solutions and its partners are well aware of the challenges that lie before IT security teams and experts, as well as end users and their patients. Our recent series of articles touches on the looming threat of crypto-ransomware, the overall challenge of improving patient information security in a mobile world, and the rapidly increasing expectations that health care entities face in securing PHI. While compelling on their own, we thought it was important to capture the thoughts of other leaders and veterans in the health care IT security sector. Call it the health care IT version of a “second opinion”.
In part 1 of a 2-part article series, we interviewed Paige Joyner PhD, CIPP/US of Compliance +, LLC, a healthcare compliance company that has been active in the sector for 15 years. We sat Paige down to talk health care compliance and IT security from her perspective, what concerns her going forward, and what tips she may want to share for health care entities just starting to wrap their heads around the IT security challenges they face in 2016 and beyond.
Paige Joyner PhD, CIPP/US – Compliance+
Interviewer: In a report published by the California Attorney General, they found that from 2012-2015, personnel errors and physical loss were the leading causes of data breaches, at least in California. Have you found that to be the case in your experiences as well? What do you recommend for those looking to shore up those kinds of issues?
Paige: “Yes, in the past, the human aspect always tended to be the biggest threat. We find that in health care things move so fast that you're on autopilot and sometimes don't have time to do it right. Ransomware is the new big issue where you have the human component exponentially increasing risk. In health care, the doctors and nurses have fast-paced job duties and don't always have time to think about the security aspect of digital communications from moment to moment. For example, if you’re in a hurry when you get an email that says it’s from your bank, people are oftentimes just going to click it.
Criminals are preying on a system that is already fraught with issues.
The challenge is that these caregivers need to understand the issues, but to get there means working with a huge learning curve. Healthcare is still in the 80s as far as technology goes, but they are expected to be in 2016 as far as security goes. They have to be trained to understand the threats in order to understand how to guard against them. Policies and procedures have to be put in place. It's hard to get people to pay attention to a computer when dealing with life and death.
Indeed, we want the doctors to focus on the patients, but when the government demands a focus on the security and organization of the data and proper billing codes...the doctor is in a tough position. They shouldn't have to decide whether to document properly to cover their butts or to give the proper care quickly. I feel their pain when they say that the doctors don't have time.”
“The threat of an audit shouldn't be the driver behind protecting patient information. Caring for the patient now IS caring for the patient's information.”
Interviewer: What are the biggest issues you have run into regarding compliance in the Healthcare industry?
Paige: “Regarding HIPAA compliance: the biggest issue from my perspective is basically the non-compliance level across the industry. We have non-scalable regulations that can't be easily or reasonably applied to most practices, small practices in particular. The HIPAA laws were put into place in 1996 with the first implementations in the early 2000s. However, the government didn't enforce things until 2013. The lack of enforcement meant the industry as a whole ignored HIPAA, pushing most matters of security to the back burner. Now with the regulation updates, the government is better equipped to enforce and they ARE enforcing.
So we’re in the 1980s and 1990s in technology and thinking in healthcare, but we're grading them on 2016 security. We're looking at going from 10 years of non-compliance and non-enforcement resulting in disinterest from providers…to suddenly the government being surprised. Simply put: where there is no punishment, there is no compliance. Now we're at a crossroads where lots of consequences are coming. The OCR is getting ready to do Round 2 of the audits and they're sending letters out and people are panicking. The last 15 years, they had no focus on this. That's the problem I see most often.”
Interviewer: What security issues keep you awake at night as we push through 2016?
Paige: “The lack of privacy and security of medical data. It leads to identity theft, financial theft, embarrassment, class action lawsuits, and patients not sharing important info to get the kind of care they need. Unfortunately, in the US, there are no over-arching privacy regulations of any kind. There are some rules in the financial industry, but no national privacy regulations. The unfortunate broad sharing of patient medical information is frightening for that very reason. The money is in the data, not in caring for the patients anymore. When it's lopsided, we're going to see lots and lots of issues.”
Interviewer: What message are you communicating to your clients about the new wave of HIPAA audits being coordinated by the Office for Civil Rights at HHS to help them prepare?
Paige: “Make sure your house is in order. The threat of an audit shouldn't be the driver behind protecting patient information. Caring for the patient now IS caring for the patient's information. I don't know any of our clients that would want to intentionally harm a patient in any way, so they need to understand that not protecting the data of patients can lead to harm to that patient in a variety of ways. Get your house in order, understand what you need to be doing, and do it because you want to protect the patient.”
Our team at Medicus very much agrees with Paige: whether the cause is human error or malicious actors preying on the general weaknesses found in many health care entities, the need for proper security and encryption standards in the industry is both clear and present. The time is now, and the Department of Health and Human Services is paying attention more than ever before. Health care IT teams must do their best to upgrade systems and protocols and urge staff to deliver not just high-quality health care, but high-quality patient information protection. If your health care entity needs help, the Medicus team can ensure your entity is exceeding HIPAA compliance standards and expectations through a number of encryption, backup, email, and cloud services offerings, and more (http://msinc.com/services/). We can evaluate your current system and get you on a better path starting today. Call us today for a consultation and find out just how Medicus can help safeguard your data.
About Medicus Solutions:
Medicus Solutions, LLC is an Alpharetta, GA based company that specializes in providing IT management solutions to improve the efficiency, security and stability of your company’s operations. Medicus offers a range of IT services that work both independently and in unison to ensure your company operates securely, seamlessly and efficiently, featuring secure email and backup services, virtual hosting services, HIPAA-approved file encryption systems, and much more. For more information about Medicus Solutions, please call our main office in Alpharetta at 678-495-5900 or visit our website.
Medicus Solutions writes about news, technologies, and educational topics that are defining the future of health care IT solutions and security issues at its blog.