What HIPAA can learn from PCI
The 2008 HIMSS Analytics Report: Security of Patient Data includes some disturbing findings. During the period of 2006-2007, an estimated 1.5 million patient records were compromised. Astoundingly only 56 percent of respondents in the study who had experienced a breach bothered to notify the patients involved. Why are these breaches not publicized like the credit card breaches that become major national news stories?
HIPAA in its current form fails to adequately protect patient data. There is a lack of oversight, guidance and enforcement. We must remember that the organizations we trust to protect data are not in the data protection business. Large retailers attempt to move their products and realize revenue, not build fortified walls around their data. Protecting credit card data involved in transactions is at best tangential and often contradictory to their principal business goals. We cannot expect them to voluntarily focus on data protection at the expense of revenue growth.
Hospitals are not in the business of protecting patient data either. In fact, proper access controls on data can have a negative impact on the quality of patient care. It's unfair to fault the business for focusing on its primary goal, which in this case is the efficient and effective dispensation of quality care to patients. Without guidance on how to balance opposing goals, and the oversight and enforcement to ensure that this balance is maintained, how can we expect our data to be safe?
While not perfect, the Payment Card Industry's Data Security Standard (PCI DSS) is generations ahead of any other data protection regulation. It provides clear and actionable guidance, mechanisms for assessing adherence by organizations, a system for enforcement and an ability to evolve to address real and current threats to data.
The PCI DSS is an evolving set of specific requirements that attempt to improve the overall security of covered entities. HIPAA hides behind claims of being scalable and technology neutral and provides no actionable guidance. For example, the access control standard states:
“Implement technical policies and procedures for electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4) [Information Access Management].”
How is a health care provider to determine an appropriate control -- and correct implementation of that control? Do I need an LDAP or Active Directory server, or is my home grown solution good enough? What about software programs that must run as admin? If I create a user account within my access control system for my software, would putting the password in an unencrypted configuration file be a violation?
Gray and fuzzy areas are plentiful within HIPAA and set the stage for slippery slopes. The act could be a lot clearer about what is necessary in a way that is addressable by organizations of all sizes. The PCI DSS does this by discussing types of technologies, such as stateful firewalls, without mentioning a specific vendor.
The HIPAA Security Rule went into effect in April 2005, but the first audit was not conducted until June 2007. Rather than performing regular checks for compliance, the U.S. Department of Health and Human Services (HHS) conducts irregular audits on a random basis.
Annual screening would remind organizations of their commitment to data protection on a regular basis. Improvement initiatives would not be postponed when the organization knows it will be penalized in the following year's audit for not improving. Of course, performing multitudes of audits in one year is a daunting task. PCI achieves this in two ways. First, the level of scrutiny is tiered by merchant level: larger organizations that handle hundreds of millions of card transactions receive more scrutiny than a small business that processes a handful of transactions annually. Second, only trained individuals from qualified assessor organizations are allowed to perform the audits. This not only ensures the manpower necessary to perform the herculean effort of auditing all card-processing organizations, but also leverages the domain knowledge of those assessors.
Another area in which HIPAA fails to provide motivation to protect data is its lack of consequences. If an individual is found to be inappropriately accessing information with malicious intent, the penalties are fairly steep. But what about the organization that simply chooses to ignore its duty to protect data? An external data breach costs a health care organization much less than a data breach experienced by an organization that processes credit card data. This raises the million dollar question: Is my credit card information more sensitive than my entire medical history?
Under the PCI DSS, an organization that does not perform due diligence with respect to protecting data faces not only fines but also the loss of card-processing rights. This would be a death sentence for most vendors. Imagine an online retailer unable to take credit cards as a form of payment or an insurance clearinghouse unable to process claims. In such scenarios, both organizations cease to exist – a strong motivation to play by the rules.
Evolving with the threat landscape
HIPAA would be well served to follow the model of continual evaluation and improvement that PCI follows. Recognizing that threats have shifted into the software space and away from traditional network attacks, PCI recently released its Payment Application Data Security Standard (PA-DSS). The vendors providing the applications that process this information on behalf of health care organizations should be held just as accountable for the protection of that data. Does your medical billing software vendor understand the basic industry best practices for creating secure applications? If not, then why would you trust it with your patient data?
There are many worthy reasons for HIPAA's fundamental design, but the world of data protection is a very different place from what it was when HIPAA was first codified. Given its age, it's time for HIPAA to take the lessons learned from data breaches in the last decade and make the next HIPAA version the gold standard of data protection.