Monitoring The Changing Health Records Landscape

How do we keep unprecedented volumes of highly sensitive data secure?

By Susan DeGrane

By extending healthcare insurance to people not previously able to afford it, the Affordable Care Act inundated insurers and healthcare providers with unprecedented quantities of new personal data and health information. The act also mandated “meaningful use” of electronic medical records by public and private healthcare providers by 2014. This opened the floodgates for additional electronic transmission of personal data and corresponding threats to privacy and security protections already guaranteed by HIPAA, the Health Insurance Portability and Accountability Act.

Trexin Consulting, a technology consulting firm, has a name for the virtual tsunami of data and corresponding obligations for its safe handling — “disruptive change.” However ominous that may sound, it also means that the untold threats hold countless opportunities for new business.

“This is not a Steven Jobs iPhone moment,” says Glenn Kapetansky, chief security officer for Trexin, which serves clients in several industry sectors, including healthcare. “It’s more like several dominoes falling all at once. … If we were drowning in data before, now it’s gone way beyond that.”

The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) is responsible for the administration and enforcement of HIPAA privacy and security rules. It posts security breaches among healthcare providers serving 500 or more patients. Those in the security industry have dubbed these postings “the wall of shame,” says Jan Hertzberg, a director at Baker Tilly, an accounting firm and technology risk services practice.

Breaches related to healthcare personnel using and losing zip drives and laptops seemed to dominate earlier postings. In 2014, however, the terms “theft,” “electronic medical record” and “network server” appeared with greater frequency.

Increased vulnerability to identity theft seems to be a given. “Obviously, the more stuff you put out there, the greater the likelihood of problems,” says Hertzberg, who has specialized in HIPAA-related security and privacy risk management for more than 15 years.

And there’s no getting around putting the information out there. Now, in order to qualify for full Medicare and Medicaid reimbursements, healthcare providers not only must show proof of meaningful use of electronic medical records (EMR) and electronic health records (EHR), they also must demonstrate “that they are doing everything possible to protect personal data,” Hertzberg says.

Many people automatically assume that the government now requires encryption of data, but that’s not the case, he says. That’s because many smaller healthcare providers — individual doctors’ practices and clinics — cannot necessarily afford it. Even so, Hertzberg says, “If you do use encryption, it provides a safe harbor. If you have a data breach and you have encrypted the information, you don’t have to report it.”