January 26, 2015

Cybersecurity Taking Center Stage as ICD-10 Implementation Nears

By Mark Spivey

Call 2014 the Year of the Hack.

There were cybersecurity breaches at major retail chains such as Home Depot and Target, resulting in the release of personal information and credit card data belonging to tens of millions of people. There were internationally renowned celebrities who had their iCloud accounts illegally accessed, leading to many of their most private, risqué photos published online without their consent. There was even Sony Pictures Entertainment having a major motion picture release postponed and ultimately altered significantly thanks to cyberattacks coming from overseas.


What flew under the radar to some degree, at least in the national media, was when suspected Chinese hackers swiped medical records and other information from approximately 4.5 million patients of Community Health Systems, a company that manages about 200 hospitals in nearly 30 states. But industry experts who spoke during the most recent edition of the Talk-Ten-Tuesday Internet radio broadcast said this could be just the beginning.

“I’m sitting here looking at the original HIPAA security rule, and believe it or not, it was published in 2003 – Feb. 20, almost a dozen years ago. And that was the rule that set out the requirements for protecting health information that’s held by providers and health plans,” said healthcare IT expert and Nachimson Advisors Principal Stanley Nachimson. “So it’s not like protecting data is a new idea, and it’s not like the industry does not have any guidance or has not had a substantial amount of time to protect data. We shouldn’t even be talking about this, I believe, anymore. We should have had data protection in place.”

Many providers already do. But in many cases it's inadequate, speakers explained. And when federal regulations governing how healthcare is delivered are in a near-constant state of flux, the effort of keeping up with those changes often pushes cybersecurity lower on providers' lists of priorities.

“I think what’s happened is that data security and privacy has taken sort of a back seat to the need for implementing electronic health records, implementing administrative transactions, and implementing big changes like ICD-10. It’s a secondary thought rather than a primary thought,” Nachimson said. “I believe that the industry has plenty of guidance, plenty of ideas for how to do it; it’s just a matter of focusing the attention on data security. And I think recent events that we’ve seen, like the hack at Sony and all of the issues where people’s financial information is being hacked, is something that’s going to be raising the awareness.”

Nachimson didn’t downplay the seriousness of last summer’s hack of Community Health Systems, but he did suggest that a larger incident could be forthcoming.

“Although we’ve had plenty of healthcare breaches, I don’t know that they’ve really focused the attention of people – but once I think there’s a serious breach that someone recognizes the harm that can be caused, I think you’ll see more … on the security of healthcare information,” he said.

If that happens around the time ICD-10 is being implemented, there's no telling what chaos could ensue. Juliet Santos, ICD-10 principal and head of professional services at Leidos Health, said providers need to start thinking about cybersecurity and ICD-10 as complementary notions.

“For me, it (cybersecurity) really makes me think about ICD-10 testing, from a standpoint of what I do day to day but also as a provider,” she said. “Security (for some providers) is typically viewed as routine and nothing to worry about, so hacks are considered to be part of day in the life of an organization. When I speak to other healthcare organizations, interestingly, testing for security, including security of their test plans and even in their committees, these (tasks) are typically not done.”

Santos labeled last year’s breach as an opportunity to “take a pause and reassess.”  

“With the widespread adoption of electronic records, ICD-10 testing, and all of the other upgrades that we’re doing, we’ve really become more vulnerable to intrusion than even the retail or financial services,” she said. “Again, this was 4.5 million patients, with their names, addresses, birthdates, telephone numbers, social security numbers – all stolen.”

Santos advised providers to add staffers to their security teams who have a specific focus on cybersecurity – and to ask a few look-in-the-mirror questions.

“What types of data risks, if any, should we be thinking about and trying to mitigate as we roll out ICD-10? Should we be concerned about connectivity issues with external trading partners – we never were before, but should we be? Where does data security fit in as we execute ICD-10 testing internally and externally?” she said. “How can we protect and secure patients’ data amid numerous upgrades to implement federal mandates? Could it be that we’ve become passive and maybe complacent, that we simply accepted that hacks are inevitable and expected instead of proactively updating our cybersecurity and management processes? Would it be of value to have a security team to be part of the ICD-10 test team committee so they are able to guide the development of test environments and maintain the security oversight for ICD-10 projects or any other projects? Should organizations conduct a thorough review of their cybersecurity policies and procedures?”

Former United States Air Force Lieutenant Colonel Sean Murphy is a vice president and health information privacy and security officer for Leidos Health. Adding to what Santos noted, he said that when providers finally do find the time to focus some attention on cybersecurity, they often go about things the wrong way.

That pattern can be seen upon the conclusion of any large project, he said. 

“We race to get the priority implemented and then seem to come back to things like cybersecurity at the end of the implementation and say ‘well jeez, we’ve got some security breaches now, we’ve got some security vulnerabilities, what could we have done better?’” Murphy said. “We have a little bit of a tendency to … look past some of the security measures that we need to do rapidly.”

In addition to the inclusion of dedicated staffers on security details, as Santos suggested, Murphy also said providers should consider involving those staffers at every stage of ICD-10 implementation and beyond.

Nachimson added a word of caution to the advice.

“I think with the increased amount of information, folks are going to have to take a look and decide who really should have access to the ICD-10 codes – and especially in the testing process as folks, both providers and plans, take a look at testing their ICD-10 operations,” he said. “You want to make sure that you’ve got the security around here so that as you are using more and more vendors and other folks to do the testing, they understand the need for the security and the privacy of the information that they’re handling.”


Mark Spivey

Mark Spivey is a national correspondent for ICDmonitor.com who has been writing on numerous topics facing the nation’s healthcare system (and federal oversight of it) for five years.