In 1989, the 3,200-employee, 422-bed hospital, located in Vancouver, Wash., implemented a program called “Mum's the Word” to educate employees that it is their responsibility and duty to protect the confidentiality of patient information. The still-ongoing program illuminates a culture of data security, which Christopher Paidhrin, Southwest's IT security and compliance officer, has worked to foster.
“We instill the value that it's everyone's shared custodianship to protect patient confidentiality and privacy,” Paidhrin says.
In fact, the organization can trace back to 2000 an initiative to ensure all third-party business partners with access to Southwest's patient information meet the same data security and privacy standards that apply to the hospital itself. So when the newly enacted Health Information Technology for Economic and Clinical Health Act, or HITECH Act, took effect earlier this year, Paidhrin says the hospital did not feel a major impact due to its already mature security and compliance program.
However, the new regulation is likely having a larger effect on organizations whose data security practices are not as robust as Southwest's. Paidhrin says it should result in positive changes within the health care sector as a whole.
“It's getting the attention of health care across the country,” Paidhrin says. “We've seen quite a bit of interest and activity in compliance.”
Alive and kicking
The overall regulatory landscape underwent a number of changes in 2009. The HITECH Act, passed as part of the 2009 economic stimulus bill, is intended to strengthen the protection of identifiable health information by expanding the scope of the Health Insurance Portability and Accountability Act (HIPAA) regulations. The legislation, said to give teeth to the older HIPAA, allows state attorneys general to obtain statutory damages against noncompliant health care providers on behalf of state residents. The regulation also extends HIPAA to “business associates,” such as billing, transcription or pharmacy benefit companies. Additionally, it creates the first-ever federal data breach notification law, requiring that patients be alerted if their data is illegally accessed.
Other 2009 regulatory changes extended beyond the health care sector. For instance, several states, including Massachusetts, Nevada and New Hampshire, passed data security and privacy laws. Massachusetts' regulations, considered among the strictest in the nation, establish a baseline for protecting and storing the paper and electronic records of Massachusetts residents. The regulations apply to any business that maintains the personal information of a Bay State resident.
“Organizations are still struggling to put together programs that allow them to comply with these regulations,” says Richard Mackey, vice president of consulting at SystemExperts. “One of the challenges is to find out where the information is and how they can isolate and control it.”
Both Massachusetts' data security regulations and HITECH are having a positive impact at some firms though, he adds. Once organizations analyze their security programs in light of the new regulations, some realize that security spending is insufficient, resulting in information security budget increases, he says.
Ken Liao, product marketing manager at Proofpoint, an email security and data leakage prevention (DLP) solutions provider, says that a number of organizations became interested in DLP and encryption solutions as a result of HITECH. Massachusetts' new data security regulations also drove many firms to purchase encryption.
“We saw a huge influx of interest leading up to the March 1 [Massachusetts] compliance deadline,” he says. “A huge buying frenzy of encryption.”
Customer interest has since leveled off, Liao says. While some firms became compliant before the deadline, others are still waiting to see what type of enforcement will accompany Massachusetts' law and the severity of fines levied on noncompliant companies. If the fines are significant, even more firms will be driven to address the regulations, he says.
“There's a little bit of confusion about what type of fines are going to be levied, it's not 100 percent clear,” he adds.
Meanwhile, the HITECH provision allowing state attorneys general to seek damages against noncompliant companies is causing some in the health care sector to take a closer look at their data security programs, says David Ting, founder and CTO of authentication and access management firm Imprivata.
“Organizations are becoming far more aware of the potential for being audited, of not being in compliance, and being fined as a result of HITECH,” Ting says.
Besides the threat of being fined for noncompliance, both Massachusetts' data security regulations and HITECH are in other ways driving businesses to improve their security programs, experts say.
Provisions in HITECH around data breach disclosure have caused the average consumer to become more aware of security, says Ting. As a result, customers are putting pressure on health care organizations to take data security more seriously.
Also, both regulations require organizations to ensure that their third-party service providers exercise due care to protect personal information. Because of these provisions, other businesses are now requesting that their service providers become compliant, SystemExperts' Mackey says.
Further, because of the regulations, dealing with business partners on a day-to-day basis may cause an organization to have to make statements about their compliance status, he says. Consequently, compliance may be the differentiator that causes an organization to lose business to another company, making data security and compliance a business issue.
“If organizations aren't aware of what should be driving their security, this is probably the biggest motivation they should have,” Mackey says. “They should be securing data first, but if they are looking for business justification, it's likely that a customer or partner will ask about their security program. If it hasn't happened yet, it will in the future.”
But despite organizations being subject to greater pressure to get into compliance, some say the impact of HITECH – which imposes new breach reporting rules, stricter requirements and larger fines – has been minimal thus far. Others say industry and government mandates are actually contributing to weak data security practices.
“Some health care organizations remembered that HIPAA exists and started doing a little bit more,” says Anton Chuvakin, a computer security specialist and principal at Security Warrior Consulting. “I've not seen a tidal wave of compliance as a result of HITECH.”
Case in point – shortly after the law went into effect in late September 2009, Dartmouth College researchers searched file-sharing networks and found five separate files that appeared to qualify as major breaches under the new HITECH rules, each containing the personal health information (PHI) of more than 500 individuals, says Eric Johnson, a Dartmouth College business professor, who headed up the study.
One such document contained detailed monthly case logs about several hundred mental health patients over a two-year period. Another file contained insurance information for more than 7,000 individuals, including personally identifying information, the name of patients' physicians and dates of service. One more spreadsheet included insurance and employer information along with diagnosis codes for more than 16,000 patients. Together, the five files contained sensitive PHI of more than 28,000 individuals.
“We conclude that health care organizations still have a long way to go in securing PHI,” Johnson says.
Regulatory compliance mandates, which are still the primary driver for information security at most organizations, force companies to achieve some level of data protection, but also can contribute to a false sense of security among CEOs and other senior leaders, says Andy Willingham, information security officer at a large financial services company, and author of the Andy ITGuy - Information Security Blog. Executives may believe that if the company implemented the basic security technologies and passed an audit, the organization is secure, he says. They may not understand that information security is a continuous process.
“If they don't realize the importance of protecting their data and assets completely, they are only going to do just enough to keep the auditors and regulators happy,” he says.
Regulatory audits provide a snapshot-in-time view of an organization's security posture and it's possible to fall out of compliance, Chuvakin says. But some organizations expend all their resources getting compliant and don't expend any to stay that way.
According to a 2009 Verizon Business study, 19 percent of organizations which experienced a data breach in 2008 had been found in their last assessment to be compliant with Payment Card Industry Data Security Standards (PCI DSS), a set of requirements created to help retail organizations protect cardholder information.
“A lot of folks are either lying or delusional about their compliance status,” Chuvakin says.
Even worse, many organizations are still not even attempting to address mandates that have been around for years, such as PCI DSS, Chuvakin says. Though it has been around since 2005, PCI DSS is still deemed a new regulation to many small merchants.
“I've met more than a few people who address PCI as a new mandate,” he adds.
The latest PCI compliance statistics, released by Visa in April, vaguely state that only a “moderate” amount of “level four” merchants, or the roughly five million small businesses that process less than one million transactions annually, have been validated PCI compliant. Additionally, compliance rates were also listed as moderate for “level three” merchants, a classification designated for the more than 2,500 online retailers that process 20,000 to one million transactions annually.
Bob Russo, general manager of the PCI Security Standards Council, says that many small merchants simply do not know a thing about PCI.
“It's an education issue, not so much of an issue of them not being able to do this,” he says. “Everybody, from the largest merchant to the mom-and-pop pizzeria, has to be concerned about security. Literally, you could go out of business if something goes wrong.”
Experts say it's the job of information security professionals to help their CEOs and senior leaders understand why information security should be an important part of the company's goals. If a security effort does not have support from the top, it's not going to be as effective as it needs to be.
Richard Snow, director of information technology at Mount Auburn Cemetery in Cambridge, Mass., said that he had been talking about PCI compliance for about two years before actually undertaking an effort to meet the requirements set forth in the standard. The initiative actually came to fruition about a year ago when the nonprofit, national historic cemetery started receiving pressure from its merchant bank to get into compliance.
The letter prompted an effort to meet not just PCI's security rules, but also Massachusetts' new data security regulations, says Snow, who solely makes up the organization's IT department. For staff at Mount Auburn Cemetery, the process of getting into compliance with the two security mandates necessitated writing new policies, a process that took approximately 80 hours total. Also, all staff and volunteers had to be educated about the new security rules, and the organization had to stop storing employee passwords and solicit proof of compliance from all its vendors. In addition, in an effort driven by the Massachusetts legislation, document-retention practices were reevaluated, resulting in the shredding of volumes of old paper records, some of which dated back to when the cemetery was formed in 1831.
Fast forward to the present day and Snow says the security mandates have ultimately been extremely beneficial.
“It's a change in culture, but the staff and volunteers have taken it very well, and I found it was a really good experience to do training sessions for staff to raise awareness for security issues,” Snow says.
The organization, however, still uses some software that relies on shared accounts, which must be eliminated to achieve PCI compliance. “We're working on it, but we're not completely there,” he adds.
Snow understands, however, that compliance is a moving target. “The next thing on my list after we actually achieve compliance is to go back and revise policies,” he says.
What's to come
Looking ahead, information security professionals can expect even more changes to industry and government rules and mandates. The PCI Security Standards Council plans to issue new revisions and versions at the end of October, including a new version of its Data Security Standard (DSS). By all accounts, the new DSS version will be a minor change, containing a number of clarifications, but no additional requirements, experts say.
“It's looking like it won't add any additional requirements,” says Bob Russo, general manager of the PCI Security Standards Council. “It's mature. It has been around for a number of years at this point.”
Additionally, other industries will most likely get stricter mandates in the future since a number of regulatory policies in place today are due for revision, says Ken Liao, product marketing manager at security firm Proofpoint. Experts also say the recent onslaught of state data security laws is only an indication of what is to come in the future as other states are encouraged to adopt similar statutes.
“I'd hope the regulations are there to motivate people to do the right thing,” says Anton Chuvakin, a computer security specialist and a principal at Security Warrior Consulting. “If you do the right thing, then you won't have to worry about the regulations.”