Report: Better Regulator-Provider Communication Could Help Prevent Breaches
Healthcare privacy breaches could be better prevented if regulators were more transparent about investigations and their outcomes, if communication were better between regulators and providers, and through greater adoption of cyber insurance, according to a new report.
Researchers at the Brookings Institution interviewed 22 organizations that had been listed on the US Department of Health and Human Services Office for Civil Rights’ (OCR) “Wall of Shame,” the online database of breaches of unsecured protected health information affecting 500 or more individuals; the sample included 16 providers, two health plans, and six business associates. In addition to being named on the website, all of the organizations had been subject to an OCR investigation and audit.
In a report based on the interviews, investigators wrote that one reason that health data breaches have become so common is that OCR doesn’t share investigation findings that would illuminate how some breaches happen.
Last year’s Anthem breach is one example.
“After more than a year since the incident, OCR is still investigating and no one except Anthem and OCR (and of course the hackers) knows how it happened. Even after OCR finishes the investigation, it only announces its final decision about a penalty or settlement,” the authors wrote. “This leaves the health care community wondering if there are other payers with similar security vulnerabilities in their networks. By keeping this information private and depriving others of the opportunity of proactively addressing their similar security weaknesses, OCR is unintentionally helping hackers to attack other payers with the same method and through the same unknown weak links that they used to attack Anthem.”
Additionally, several of the organizations that underwent breach investigations found OCR’s process to be long and punitive. While respondents told researchers that the investigations and OCR’s feedback helped improve their own privacy practices, they felt they were being punished for being breached.
“The current way in which OCR handles the breaches is very similar to how the health care industry was treating medical errors decades ago. Rather than having a systematic approach to identifying the root causes of breaches and trying to address them, OCR focuses on individual instances and only blames and penalizes victim organizations,” a non-profit vice president told investigators. “The system is not open and even the reporting is not transparent. Health care has matured and does not follow its old approach anymore, but OCR is still doing the same thing. The system should be nonpunitive, open, and transparent, and focused on error identification rather than blaming individuals.”
Finally, the study authors concluded that cyber insurance will soon become as important to healthcare organizations as malpractice insurance is today, with insurers rather than regulators setting the practical security bar.
“Since they have a direct business incentive to better evaluate their clients’ cyber risks, they will design very detailed and prescriptive policies and go far beyond HIPAA to the extent that the outdated law will become obsolete,” the authors wrote.