Quality care: justifying patients’ trust through responsible stewardship
Posted by Ed in Analysis on Jul 21, 2010
Your data: missing in action. It’s just like the classic movie (Chuck Norris FTW!), except nobody comes to the rescue.
If you haven’t seen it already, check out the recent loss of 800,000 records over at South Shore hospital. It’s pretty ugly. Apparently, the 800k records that went missing included credit card numbers, personally identifiable data, and also PHI. Yep, pretty much the worst-case scenario.
This particularly irritates me because it demonstrates some pretty serious non-compliance with the regs. First of all, they were in violation of PCI by failing to encrypt the PAN data. They were also (probably) in violation of HIPAA Security. To those of you who would point out that encryption is an addressable control, I would counter-argue that “addressable” is not the same as “ignorable”.
Addressable means that if you satisfy the prerequisites, you can make an argument that the control can wait while you prioritize other things. What are the prerequisites? Risk analysis for one. Documentation of the decision-making and justification for the other. Did South Shore do this? I suppose it’s possible. However, as I’ve said before, I have yet to encounter a bona fide risk assessment that follows a process even slightly resembling the HHS guidance in the field. It’s like the narwhal. Do they exist? Folks assure me they do. Am I likely to lay eyes on one in my lifetime? It’s unlikely.
Plus, keep in mind where this provider is located - Massachusetts. They have that funky data protection law (201 CMR 17.00) there. Now granted, it doesn’t specifically require encryption for the to-be-deleted files in this context (it does for others), but you’d think security controls would be right at the forefront of the IT docket.
Which brings me back to the point I made the other day: what’s wrong with encrypting the data? OK, so it’s not free. But look at the fallout from this: they get to wind up on the HHS wall of shame (they’re not there yet – not sure why), they get to enjoy their newfound level-1 merchant status for the purposes of PCI compliance validation (breached merchants automagically become level 1) – which means they now have to audit every year, and they also get to mail out 800,000 first-class letters. We can calculate a few “hard” costs (things we know for certain) of what they’ll need to shell out:
800,000 letters * $0.44 first-class postage = $352,000
Annual PCI Audit = ~$75,000 (annually recurring)
That’s almost half a million dollars before we even get to the “fuzzy” numbers – like the fact that they’re likely to flunk any PCI audit hands-down their first time through (because let’s face it, level 4 merchants aren’t usually anywhere close to being where they need to be to pass). So they’re going to need to do a full-bore remediation on PCI over there to get them to a state where they don’t look ridiculous to an auditor. If I had to hazard a guess, I would probably peg the final number of what they’ll need to spend at upwards of 3-5 million dollars. Guess what: you can get some pretty spiffy encryption software for that kind of spend.
My point on this is that we need a call to action. Hospitals need to start encrypting data at rest. I know it’s new – I know it’s not what other industries might be doing. I know we don’t have the kind of extra dollars lying around that, say, a bank or brokerage might. But HITECH is a different world – we can’t just brush data loss under the rug nowadays. It makes business sense to encrypt the data, it’s a regulatory requirement to encrypt the data, and (I argue) it’s a moral imperative to encrypt the data. Patient care isn’t just about bedside manner, it’s also about responsible stewardship: stewardship of everything patients place in your trust – both their health and their data.