Ann Fishman, with EHRtv, interviews Aaron Titus, Chief Privacy Officer of Identity Finder.
Ann Fishman: Hi. I’m Ann Fishman at HIMSS 2012. I’m with Aaron Titus who is the Chief Privacy Officer of Identity Finder. Aaron, tell us your expertise and what you’re doing at Identity Finder.
Aaron Titus: I’m an attorney. I specialize in information privacy law. And at Identity Finder we help to find and secure protected health information and PCI data.
Ann Fishman: For people who don’t really know and don’t have the background, can you explain what the basic legal and regulatory environment is, starting with HIPAA and going to HITECH, to protect protected health information?
Aaron Titus: So everyone has heard about HIPAA, and when I talk to healthcare professionals they say, well, we have HIPAA, so we’re safe. And that’s not entirely true. HIPAA is a regulatory framework that encourages interoperability of insurance codes. As a part of that, there is a subset of HIPAA called the Privacy and Security Regulations, which were enacted as regulations under the authority of HHS, that gives regulations on how personal health information should be protected. It applies only to covered entities, which are, for example, hospitals and other health-related organizations. So ironically, if I give my blood pressure to a doctor, that is protected health information. If I give my blood pressure to myonlinedoctor.com, it is not covered under HIPAA, because the website is not a covered entity.
Ann Fishman: Explain the business associate component of the liability.
Aaron Titus: Any company, organization or individual doing business with a covered entity, or doing work for the covered entity is subject to the same protections and same liabilities as the covered entity through a business associate agreement. And so, if I were to do work for a hospital in which I would receive protected health information, I’d enter into an agreement with the hospital saying I agree to be bound by all of the rules and regulations of HIPAA and HITECH.
Ann Fishman: So take us to 2012. What do you see in your work in analyzing security breaches as a current state of affairs? How secure is the information?
Aaron Titus: You know, everybody talks about diamonds being forever. But in my experience, data is forever. And once you put information on a hard drive, it never goes away. What we find is that information is often in secured databases, but then healthcare professionals, hospital managers and health information system managers will pull the information out on a regular basis to run weekly reports, do patient analysis, financial analysis, and all of those copies are placed on hard drives and Excel files and Word documents and sometimes emailed among doctors. They sit like land mines on laptop computers and desktop computers waiting to become a breach. Those are the forgotten copies that are the source of so many breaches. In fact, in 2011, of all the reported breaches to Health and Human Services, every single one of them was data at rest, stored information that was lost or inappropriately used.
Ann Fishman: On a daily basis, how many breaches do you find?
Aaron Titus: Well, we monitor hacking websites and other online breaches. On any given day, I find 5 or 6 breaches that are online, not to mention the ones that we never hear about. And most of the breaches never make headlines. There’s an ongoing movement within the hacker community called AntiSec. And within the hacker community you have the Black Hats, who are the really, really bad guys. The criminals. You have the White Hats, who are the good guys who learned how to hack to protect against the bad guys. Then you have what we call the Gray Hats, and they’re the guys who want to do the right thing but aren’t opposed to using some technically illegal methods to reach perhaps a good result. The AntiSec movement is in the Gray Hats and the Black Hats, where the Gray Hats say, I am so tired of the abysmal state of technology security that I’m going to break into the system and expose all of the internal data in an effort to embarrass the organization into doing security right. Then you have the Black Hats on the other extreme who say, I’m just going to break into it to sell it and cause havoc and be a criminal.
Ann Fishman: What about the EHRs that we have here at HIMSS? Do you think most of them are able to adequately ensure that patient data is protected?
Aaron Titus: You know, ironically, analogue information is inherently more secure than electronic records. Technology makes everything more efficient, including breaches. So whereas a healthcare breach… Let’s say you take a paper record and you put it in the dumpster. That is a one-to-one, single-point data breach, where only one person at a time can read that piece of paper. And it can only exist in one place. Now that we have electronic health records, breaches are astronomically more efficient. And you can accidentally post electronic health records online, and now they’re available to millions or billions of people at a time.
Ann Fishman: What do you do at Identity Finder to solve this problem?
Aaron Titus: Companies and healthcare professionals will reach into the secured database and export information in Excel files and then forget about them. And they’ll be on laptops and in emails. What Identity Finder does is we search your entire network: every database server, email server, file server, personal laptop, company desktop, and we will locate all of the locations of sensitive information: CPT codes, ICD-9 codes, ICD-10 codes, Social Security numbers, passports… And we’ll give you the tools to encrypt it, destroy it, redact the information or quarantine it. A lot of the administrators like the quarantine feature, because you take it out and you can leave a little text file that says, hey, guess what? If you want your file, I’ve got it, but come talk to me.
Ann Fishman: Well, it should be mandatory, by law. Your service is very good. Any parting words for us?
Aaron Titus: HIPAA doesn’t make you safe. HIPAA is not security. Even compliance is not security. Security is the interaction of human and technological systems. And you should be wary of any vendor that tells you that if you use my software or my service, you are HIPAA compliant. Because you cannot… Compliance is more than technology, and it’s more… It involves humans.
Ann Fishman: Well we have a lot to think about. Thank you. I’m with Aaron Titus, at HIMSS 2012.