Ann Fishman, with EHR TV, interviews Mac McMillan, CEO of Cynergistek.
Ann Fishman: I’m Ann Fishman at HIMSS 2012 with Mac McMillan from Cynergistek, co-founder and CEO. Mac, thank you very much for joining me.
Mac McMillan: Well, thanks for having us.
Ann Fishman: Mac, can you just explain the basics of the requirements or regulatory environment on–– for security to protect protected health information under HIPAA and then under HITECH.
Mac McMillan: Okay. So under the–– under the basic HIPAA Security Rule, you had basically three sets of requirements. You had administrative requirements, physical requirements, and technical requirements. And it pretty much run the gamut of basic security requirements around the protection of data and the securing of the system environment that the data was in. So think of it this way, anywhere where there is protected health information, right, patient information, any system that has patient information stored in it or that processes it or that transmits it in some way has to be protected and has to meet the various requirements under the HIPAA–– HIPAA Security Rule. Okay?
Ann Fishman: Is there a difference between what is required for PHI that is transmitted electronically as opposed to PHI that is not transmitted electronically?
Mac McMillan: But, but still transmitted in some manner?
Ann Fishman: Yes.
Mac McMillan: Of course. So if you have protected health information that’s going to be transmitted over an open network which means through the Internet, that transmission is supposed to be encrypted. And there are two reasons for that. One reason is to ensure the integrity of the message. In other words that the message you sent is the message that was received; the data was not somehow corrupted or altered in some fashion. And then the second reason is so that you can actually authenticate who’s actually receiving that information so that the person who receives it is the person who’s capable of de–– de-encrypting it.
Ann Fishman: Explain who is covered as in who is the covered entity under HIPAA and HITECH and who is also covered or liable under these rules as a business associate.
Mac McMillan: Okay. So under–– under the basic HIPAA Security Rule, you had three covered entities. You had providers – hospitals so to speak, physician practices; you had payers – insurance companies, people who handle claims and insurance; and you had clearinghouses – people who actually handle the process or the transactions between providers and the–– and the–– and the payers if you will, alright. Under–– under HITECH, the business associate–– business associates under–– under the HIPAA, the HIPAA Security Rule were not covered, we’re not covered in these. So HIPAA Security did not–– the basic HIPAA Security Rule did not apply to them as it did to the covered entities. So in other words, the government didn’t have a statutory foundation, if you will, to enforce the law on business associates which is one reason why you had to have a business associate agreement as part of your contract so that a covered entity could take legal action against the business associate if they caused a breach or did something that they shouldn’t do, right. Under HITECH, businesses–– HITECH applies the HIPAA Security Rule, the HIPAA Privacy Rule, etcetera to business associates just like it applies to covered entities. So now any company that provides a service to a covered entity and handles protected health information as part of that service is responsible under HIPAA just like the covered entity is. And the actual specifications of their responsibility will be coming out shortly when the Omnibus Rule is released or the revision to the original HIPAA Security Rule.
Ann Fishman: So if you are providing a cloud-based EMR, you would be a business associate with direct and primary liability under HITECH? Is that correct?
Mac McMillan: Correct.
Ann Fishman: So do you think that––
Mac McMillan: Although there is–– there are some who debate that. There are some who tried to utilize the conduit provision, or the conduit exemption in HIPAA to say, “We only host the data. We only let the data flow through. We don’t really touch the data.” But the conduit provision was never–– it was not designed for that purpose. And anybody who hosts a clinical system or a host protected health information and has access to those systems at their location is a business associate.
Ann Fishman: Can you talk about what kinds of penalties are imposed for the breach under HITECH?
Mac McMillan: So it could be a number of things depending on the type of breach it is and what they discover in the investigation. In other words, was it a–– was it a mistake or something that occurred that was not–– something they could control, for instance? Let’s say an organization contracted a malware virus that there was no known signature for, right; that had the capability to collect data and transmit it out of the network. That type of situation may le–– might–– might lead to a breach but even with all reasonable precautions, there was no way that the organization could have prevented that or possibly prevented that, right? So in that scenario, it’s not likely that they would get a fine. It’s likely that they would just be given an opportunity to correct the situation or to remediate as best as they can. If there is reason to believe that the organization has not taken proper precautions, has not taken reasonable steps to protect the environment and has a breach, then they could ha–– they could suffer fines up to a million and a half in financial penalties but if there is willful neglect, or if there is some criminal behavior associated, it could actually get referred to the Department of Justice for criminal prosecution.
Ann Fishman: To the best of your knowledge, has that happened yet?
Mac McMillan: We have had a few instances of individuals who have been prosecuted and who have actually received jail time as a result of a HIPAA violation.
Ann Fishman: I don’t know if you want to speak to this, but under HITECH, is it easier to sell patient data?
Mac McMillan: (Laughs) HITECH doesn’t make it–– well, I think what you’re referring or maybe referring to is under HITECH, we’re–– we’re–– we’re pushing everybody to adopt electronic health records. But the theory is that once all the data becomes digitized, it becomes much easier to get access to it, that is not necessarily by default, true, right. So as long as organizations take the right precautions, having the data digitized or having the data in electronic form should not make it any less risky than if it’s in paper form. And in fact, when you look at the breaches that have occurred we still have more breaches in terms of number from paper-based PHI than we have from electronic PHI. And in fact, when you look at the–– when you look at the breach statistics in toto, in terms of folks who hack into a network and actually get access to the data and steal the data that way, that accounts for less than 6% generally of all the breaches that we have. Your biggest two categories of breaches are loss of paper and then theft or loss of a physical asset. And, but the difference is that when you–– typically one that is a paper-based breach, there’s not a lot of information. When there is a lost asset like a laptop, a thumb drive, a disk, a CD, etcetera, that’s where we have the really big breaches. So the theory is, of course, that by taking all this information, pulling it out of the old fashioned folders that used to be on the–– on the shelves with the colored tape and putting it in a digitized form makes it much more accessible and much easier for somebody to get their hands on and potentially steal or lose or what have you or mishandle. And what it really is, is I don’t think that it’s necessarily easier for that to happen but the outcomes can be much more serious because like in the old days, you would have had to have driven up a pickup truck and stolen a whole lot of files to get any–– any–– any volume of information.
Whereas today, you stick a thumb drive in an unprotected system and you can walk away with 10,000 records. So it’s really the magnitude of the breach that occurs with the digitization.
Ann Fishman: From a technology standpoint, are all EHRs created equal? And by that I mean, are they all on level playing field when it comes to what tools are available to secure data or are some better than others?
Mac McMillan: Well, they’re not all created equal in the sense that they have different set–– they have different models. You have some EHRs that are fully-integrated from MDN. You have other EHRs that are composite of several systems. Anytime you have more than one system or you have a–– have a–– have a hybrid model, it–– it increases the risks or the security risks associated with that because now you have more things that you have to essentially secure to include the communication back and forth between the components. Whereas for the fully-integrated–– fully-integrated system, it’s much easier for me to track the data and track what users are doing in the data from where it’s created to where it–– where it comes out the other end. Does that make sense?
Ann Fishman: Yes.
Mac McMillan: But with respect to the systems that, that formed the ecosystem around the EHR, they are all pretty much created the same in the sense–– sense of what’s available to secure them or secure the environment around them.
Ann Fishman: Tell me what you’re doing at Cynergistek?
Mac McMillan: At Cynergistek, we basically help hospitals, not just hospitals but anybody in, in the healthcare industry be it providers, business associates, etcetera, understand what their compliance requirements are, understand where they are with respect to privacy and security, and then how to build a program that will allow them to not only protect the data properly, but to meet their compliance requirements. And one of the things that we focus on at Cynergistek is not just the confidentiality aspect of security with respect to healthcare data because there’s a lot of attention given to the data. There’s a lot of attention given–– given to the system and we–– we tend to overemphasize the confidentiality aspect of it or the privacy aspect of it. And we seem to forget or we tend to forget that there’s a patient safety aspect to this as well. And that’s the part that worries me the most because whereas I don’t want to lose somebody’s record, I don’t want to expose somebody’s private information, it would worry me–– that doesn’t worry me near as much as somebody potentially harmed because either the data in a system is corrupted somehow or a system is not available when it’s–– when they need it, in term–– when they’re delivering care, or when a system is somehow interrupted as we saw at the Black Hat and DEFCON conferences this year where they actually talked about the weaknesses in various health systems like MRIs, CT scanners, healthcare clinical decision support systems, or you had guys who actually demonstrated hacks, or they were able to interrupt the signals going to a heart monitor or to an insulin pump, alright. When you start talking about affecting medical devices that are connected to people, you’re talking about patient safety now. You’re talking about quality of care. And that’s much more important than protecting their privacy. They’re both important but I’m much more concerned about your health than I am whether or not your data was compromised.
Ann Fishman: Well, since you’ve brought it up, Mac, and since we all are always hearing about potential cyber attacks coming from all kinds of places, are we at more risk if we are som–– if our health depends upon the grid not being interrupted and we’re living in an environment where potential enemies overtly say they want to cyber attack us? Where are we going with this?
Mac McMillan: (Laughs) Well, obviously I am not in the government anymore, so, but I know there’s a lot of people that are putting a lot of thought into cyber defense and in our nation, we have new commit–– new organizations in our government that are literally focused on this problem and I know that folks are paying a lot of attention to that. I’ll tell you though in healthcare, if you talk to the clinicians, the doctors, and you ask them, if you lost the system, what would you do? They’ll tell you, “We’d still operate. We’d still take care of the patient.” And I have much more faith in them taking care of me, them doing it directly. What I worry about is when they have the system and they think the system is functioning properly and something is wrong in the system that they are not aware of and they get–– given the wrong information and they make a mistake as a result of relying on the system, which if they didn’t have the system, they would rely on their–– on their own judgment, right? So when you start using systems to support processes, that system has got to be accurate because if it’s not, we were–– we tend to become reliant on those tools, right? Now, there are checks and balances and certainly, anytime that the primary caregiver is responsible ultimately for whatever he or she does with the patient and they’re very conscientious about that, obviously. But that’s what I worry about the most. Things like–– things like data being corrupted, things like information being wrong with respect to, to allergies or medicines, or that sort of thing. If somebody corrupts the data somehow or affects the system or if we’re talking about a medical device, like I said, that’s actually connected to you, that’s doing something for you, and I interrupt that signal and cause that insulin pump not to give me the insulin that I need when I need it, or maybe to give me too much when I don’t need it, it could–– it could impact me directly, right?
So we’re using systems more and more in healthcare today and those systems need to be reliant. They need to be–– they need–– the integrity needs to be there on that system.
Ann Fishman: Mac, thank you so much. This is Ann Fishman at HIMSS 2012 with Mac McMillan from Cynergistek. Thank you.