By JOEL KUPERSMITH, MD
As shown by breaches of personal information on innumerable individuals over the years, our approach to IT security falls short. Recent intrusions at Sony Pictures Entertainment and Anthem Health (80 million individuals), against a backdrop of substantial earlier losses of personal health information (PHI) and other IT information, have again brought this deficiency to public attention. According to one estimate, almost 1 billion records were stolen via 1500 breaches in 2014, a 78% increase from the previous year and a clear indication of a growing problem. Among personal information, health records are particular targets, bringing in $20 per record versus $1-$2 for a credit card, and surveys consistently show considerable public concern about the privacy of PHI.
In a recent commentary, David Brailer proposed that raised security standards for health information be one of four principles underlying new privacy legislation. I strongly agree and would add a specific step to apply this principle – privacy accreditation for health data custodians.
Whether the information is stored for care, insurance or research, the public lacks understanding of the complexity of their stored PHI and the large number of individuals with access to or custodial responsibility for it. There is thus a wide gap and power differential between data providers and those who hold enormous amounts of sensitive health data. This circumstance creates a need for an empowered intermediary to act on the public’s behalf, i.e. an accreditation body.
I would advocate for a new IT health privacy accreditation body. It should be a non-profit entity, jump-started by legislation and funded via fees buttressed by a congressional appropriation with a three-year sunset. It would evaluate data security measures comprehensively, in particular technical and personnel matters, including data-sharing procedures, encryption or equivalent controls, etc. It would then confer accreditation and, as such, formally interpret, maintain, apply, enforce and in certain cases set privacy standards. Its processes would be similar to those of analogous entities, such as The Joint Commission, and it should be adaptable to the many and constantly changing technical and procedural details involved in securing data in a shifting terrain.
Accreditation would apply to hospitals, insurance companies, health plans, research centers and others who hold at least a certain number of health records (to be determined). The accreditation body would conduct periodic announced and unannounced site visits and audits with graded outcomes, and there would be an appeals process. To give the body teeth, and as with other such entities, its accreditation should be necessary for federal funding (Medicare, NIH). Conflicts of interest within the body would be addressed by policies and by a balance of competing interests, including a spectrum of relevant stakeholders (corporations, patients, healthcare professionals, researchers, privacy experts, etc.) on its Board of Directors.
At present, corporate responsibility primarily governs IT security. The Office for Civil Rights provides federal enforcement and penalties by responding to complaints, and state governments also play a role. However, these entities do not act as accrediting bodies. Making privacy more a part of other accreditation reviews would not provide a sufficient concentration of expertise focused on the complexities of IT security, and certification in specific areas does not address the overall problem.
Perhaps the major concern about a new accreditation process is that it would saddle healthcare entities with yet another bureaucratic step and still more site visits, audits and reviews. It would likely cause dismay and considerable (appropriate) discussion. The healthcare system is burdened enough, though an additional, detailed process seems necessary to meaningfully upgrade IT security.
Also, no audit can guarantee perfect and complete security. A favorable audit could be followed by a breach. But the process, with mechanisms for self-improvement, would make such breaches far less likely. While technology can change very quickly (including between audits), accreditation reviews would determine whether the data custodian has the personnel and technical capacity to keep abreast of and deal with rapid changes. Warning signs preceded the large loss at Target, and a smaller breach of personal information preceded the later Anthem loss. Accreditation reviews would have noted both occurrences.
In conclusion, the privacy of health information has been considered a personal right since Hippocrates. Despite surveys showing strong concern about health privacy in the general population, our culture may or may not still be serious about its maintenance. If it is, preserving privacy will not come easily. Privacy accreditation of healthcare data custodians seems an achievable way to address this monumental and labyrinthine problem.
Joel Kupersmith led research efforts at the VA as Chief Research and Development Officer. He is an Adjunct Professor of Medicine at Georgetown.