Healthcare Data Breaches: The Gaps
Insights from Michael Bruemmer of Experian Data Breach Resolution
In 2012, Experian Data Breach Resolution dealt with 1700 data breaches - 800 of them in the healthcare sector. What are the common gaps for organizations looking to comply with new HIPAA Omnibus standards?
Within Experian's caseload, there are three common types of targets: major state databases; smaller healthcare organizations that lack sophisticated prevention measures; and university medical centers and their distributed networks.
The common thread to each of these types of incidents? "In the vast majority of these cases, the root cause of the breaches is still employee negligence," says Michael Bruemmer, VP of Experian Data Breach Resolution.
Often these breaches are not a result of a healthcare organization's own employees, but those of their business associates. With the HIPAA Omnibus compliance date looming, covered entities need to pay far more attention to their BAs' security practices.
"Covered entities know much less about business associates and their security practices than they do [about] their own," Bruemmer says. And that trend has to change before additional costly - and preventable - breaches occur.
In an interview about healthcare data breach response, Bruemmer discusses:
- Unique aspects of healthcare data breaches;
- What organizations most often overlook with business associates;
- The hidden costs of a data breach.
Bruemmer is Vice President with the Experian Data Breach Resolution group. A veteran with more than 25 years in the industry, he brings a wealth of knowledge related to sales and operations. Most recently, Bruemmer served as the Business Development Director of Consumer Products at ID Analytics, where he was responsible for the development and execution of all selling strategies.
Healthcare Breaches: Unique Factors
TOM FIELD: What can you tell us about some of the breach factors that are unique to healthcare that organizations really need to take into consideration when they're making their strategies?
MICHAEL BRUEMMER: I would have a top-four list, and not necessarily in this order. First, under the federal law, the HIPAA and HITECH guidelines require organizations to notify within 60 days of discovery of a breach. While most states don't highlight any different notification deadlines for healthcare, there are some examples like California, which requires notification to the state and affected parties within five business days. Second, there are very much more specific and stricter guidelines for the protection and handling of protected health information, or PHI, compared to most states' requirement for general personally identifiable information, or PII. Third, much more importance is placed on the responsibility of the covered entity under HIPAA and HITECH, along with any of their business associates, or those vendors that are handling the PHI. Finally, HIPAA specifically requires that a risk assessment be performed and that covered entities and business associates have incident response plans in place.
FIELD: I know that Experian sees an enormous number of breach cases, and at the top of the list are healthcare breaches. What are the types of specific healthcare breaches that you're typically seeing these days?
BRUEMMER: Last year, we serviced about 1,700 breaches. Of that, almost 800 were in the healthcare space. There are really three categories that we're seeing: major state databases, like the Department of Health and Human Services; the smaller healthcare practices where they don't have the level of sophistication for security and privacy; and then university medical centers and distributed networks. In the vast majority of these cases, the root cause for the breaches is still employee negligence.
Business Associate Issues
FIELD: One of the areas of focus in HIPAA Omnibus is business associates. I'd like to talk with you a bit about that. What do you find that covered entities are overlooking typically in terms of agreements with business associates, as well as reporting requirements?
BRUEMMER: First, covered entities know much less about business associates and their security practices than their own. In a recent Ponemon study, only 16 percent of vendors reported a data breach to their supplier during a breach incident. I can say that covered entities are really looking for four things: One, a solid contract with the business associate; second, strict security guidelines that match the covered entity's security guidelines; third, the ability to conduct random audits of that business associate; and then relate it back to the statistics I used earlier in the response, specific requirements for notification of that breach back to the covered entity so no gaps will exist.
FIELD: What advice do you offer to covered entities regarding ensuring that their business associates are in compliance with the new reporting rules?
BRUEMMER: One of the things that we saw in the recent Ponemon study was only 38 percent of companies went back to their insured vendors and fixed a problem that caused the breach to begin with. My advice, based on the experience that we have seen - and again - I'm not saying this from a legal point of view because I'm not an attorney - select the right business associate based on security and privacy, not just price and convenience. Second, make sure there's a set of clear expectations between the business associate and the covered entity. Then, inspect what you expect. Don't take anything for granted and make sure, as I mentioned earlier, that you audit on a regular basis.
Preparing for New Harm Standard
FIELD: Another topic under HIPAA Omnibus is the new harm standard. For covered entities, what do you find that they're missing when they start thinking about this harm standard and preparing for it?
BRUEMMER: The Department of Health and Human Services says the room for interpretation for harm was taken out. A breach is presumed unless that covered entity or business associate demonstrates there's a low probability that the PHI was compromised. In short, you must report a breach unless you can prove otherwise, and that ownership of the harm standard is put back on the covered entity.
Costs of a Breach
FIELD: We talk an awful lot about types of breaches, causes of breaches. In your experience, what do you find to be some of the lesser known costs that result from a data breach?
BRUEMMER: I've got a list of five things, and I'll give you a short explanation for each one of them. One is notifying too soon. What I mean by that is ensure that if you're assessing if a breach occurred, let your internal or external forensics team ensure that it meets the definition and you're required to notify.
Second [is] poor communication. I always like to think of the notification letter in terms of: I was the consumer reading this letter, how would I feel about that communication in terms of what happened, why it happened and how you would help?
Third [is] people that don't offer any type of solution, not necessarily a resolution product, but any sort of answer to the question, "How are you going to help me fix this situation you caused for that affected party?"
Fourth [are] poorly trained customer-service representatives. We all know that getting on the phone when you have to call in to anybody's customer service center, you want to talk to somebody who's live, you want them to be responsible, you want them to be informed, and you want them to be compassionate. It makes all the difference in the world when you choose a provider that has experience and trained customer service representatives, let alone fraud resolution specialists.
[Lastly is] a closed feedback loop for consumer issues. Inevitably, there are going to be issues that come up during the process, and you need to be aware of what's going on.
Vetting Service Providers
FIELD: To ensure HIPAA compliance and to help organizations enhance their own breach preparation, what are some of the qualities that these organizations need to look for in a service provider that will help them to prevent or respond to a breach?
BRUEMMER: My top list includes these things. Experience: How long and what types of incidents has a service provider got experience in? The history: How long have they been doing it? The financial strength of the company: Do they have the capacity to expand and provide the services without stretching their financial and operational resources? Check for certifications. Obviously, to be HIPAA and HITECH compliant, they have a quality process control certification like SSAE 16 and they have security compliance like PCI Level 1. Then, I would say most importantly is client and peer recommendations. If you have someone who you trust that's recommending another service provider and has experience with it, that's a very strong recommendation in this deal.