Protecting Our & Your Health Data: 3 Pillars of COVID-19 Era Data Security

Amid a sea of uncertainty, one point of clarity is that the exposure of protected health information (PHI) and personally identifiable information (PII) remains a top public threat. Today, more than ever, it is critical to ensure all third-party partners with whom healthcare data is exchanged maintain stringent protocols to protect PHI and PII.

Guest Op-Ed by Scott Pettigrew, Chief Security Officer at HMS

The year 2020 was one of unprecedented change and uncertainty.

Much of the world’s economy — including, notably, the healthcare sector — has gone virtual in light of the COVID-19 pandemic.

At the same time, the Centers for Medicare & Medicaid Services (CMS) has suspended or relaxed certain regulations, including some meant to safeguard protected health information (PHI).

Although the full impact of COVID-19 on data and cyber security remains to be seen, there have indeed been a number of serious healthcare data breaches and security incidents noted in 2020:

  • In April 2020, a healthcare billing and recovery firm experienced a breach that exposed personal health data for more than 274,000 U.S. citizens receiving care through commercial insurers, Medicaid and the Department of Veterans Affairs.

  • In February 2020, a ransomware attack against a cloud computing provider serving nonprofit hospitals and healthcare organizations compromised personal data for hundreds of thousands of patients.

  • In September 2020, a malware attack on a large hospital health system in Pennsylvania affected systems used for medical records, laboratories and pharmacies at approximately 250 locations, according to a Wall Street Journal report cited by Becker’s Health IT. No patients were reported harmed as a result of the attack; however, WSJ reported that, during the outage, some ambulances had to be diverted and some surgeries were canceled.

  • Also in September 2020, a Nebraska-based health system experienced a security incident that took down its computer system and led to some appointments being postponed, according to Live Well Nebraska.

Additionally, the U.S. Department of Health and Human Services (HHS) breach portal lists more than 375 reported data breaches in 2020 to date.

Despite these numbers, an analysis of HHS data from the cyber security consulting firm CI Security shows that reported data breaches for the first half of 2020 were actually down 10% from the first half of 2019.

Experts question, however, whether data breaches have actually declined, or whether unawareness or confusion around changing regulations is at play. As CI Security cautions in its report,

“The data shows healthcare breaches are down — but watch out for the next wave.”

Amid a sea of uncertainty, one point of clarity is that the exposure of PHI and personally identifiable information (PII) remains a top public threat.

Today, more than ever, it is critical to ensure all third-party partners with whom healthcare data is exchanged maintain stringent protocols to protect PHI and PII.

Here are three key attributes states and healthcare organizations should look for in a health information technology and analytics partner that will be entrusted with patient and consumer data.

  1. HITRUST Certification

  • The Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) is widely regarded as the benchmark for healthcare data security, and CSF certification is increasingly a non-negotiable requirement for healthcare organizations selecting third-party suppliers.

  • Several major healthcare organizations, including Anthem, Health Care Service Corporation, Highmark, Humana and UnitedHealth Group, now require their business associates to hold HITRUST CSF certification.

  • According to the Alliance’s website, HITRUST CSF was built to address the myriad security, privacy and regulatory challenges facing healthcare organizations and is continuously evolving based on user input and ever-changing industry and regulatory standards.

  • It is this comprehensiveness and scalability that makes maintaining HITRUST CSF certification year over year both a challenge and a necessity.

  • A partner’s ability to meet stringent HITRUST requirements, and to keep pace as they evolve, is a key indicator of a trustworthy IT and analytics partner. A certification is a point-in-time statement about a defined scope, so ask for the current certification letter and confirm that the systems and facilities that will handle your data are within its assessed scope.

  2. Healthcare Focus

  • There are some companies in the healthcare data mining and analytics space for which healthcare is one segment of a much broader offering.

  • Organizations that focus exclusively on healthcare understand the many nuances involved in collecting and exchanging PHI and PII, making them particularly well equipped to comply with data privacy laws and defend against potential breaches or attacks.

  • When healthcare is the core business function, every data set the company handles can be treated as potentially regulated health information. This sharply reduces the risk of misclassifying data and applying weaker controls to it, and it makes compliance inherent to the company’s operations and service offering rather than a bolt-on for one business segment.

  3. A Culture of Security

  • With a mature and robust business continuity program in place, responding in the face of disaster is less an exercise in reactivity and more an exemplification of resilience.

  • This is especially relevant in the context of COVID-19, a crisis that required businesses across all industry sectors to mobilize swiftly and securely, without interruption to their — or their customers’ — operations.

  • The level of agility needed to respond rapidly and securely in a crisis isn’t something that can be built overnight; rather, it must be embedded in an organization’s DNA.

  • And while having a strong and quick-to-execute crisis management plan is paramount, so too is widespread participation in the organization’s data security initiatives.

  • When staff at all levels understand how their actions contribute to the larger security function — and, in the case of healthcare, the health and safety of patients — safeguarding sensitive data becomes a truly collective goal.
