Breach concerns rise for health care firms

Posted On: Nov. 23, 2011 6:56 PM CST

Hospitals increasingly need a new kind of specialist on call: data security experts.

Health care institutions are particularly vulnerable to data breaches because of factors that include stringent federal and state regulations, widespread dissemination of patient data and a growing black market for patient medical information.

At CNA Financial Corp., for instance, health care represents about 25% of the data breach insurance business written but 60% of all claims, said Mark Silvestri, Quincy, Mass.-based vp of product development and director of CNA's NetProtect.

There are steps health care firms can take to minimize breach risks (see related story on best practices).

Despite the data security challenges they face, health care institutions generally perform well, experts say.

“By and large, I think they do a good job, some better than others,” said Nicholas Economidis, an underwriter of professional liability and specialty lines at Beazley Group P.L.C. in Philadelphia. However, information that “exists in multiple forms throughout an organization,” as it does in health care institutions, is a “very difficult exposure to control,” he said.

The dispersal of that data is an issue as well. While banks tend to keep information internally, health care data is handled by many more organizations, said Tom Srail, Cleveland-based senior vp with Willis North America Inc. “The nature of the health care business requires the sharing of that same information,” he said (see related story on third-party providers).

Patrick Moylan, New York-based senior associate with Dubraski & Associates Insurance Services L.L.C., said health care institutions are increasing their Internet activity with partners that include physicians, health plans and pharmacies.

Having “more people in the line of that chain that have the potential to handle sensitive data simply increases the risk that data will be accessed by accident, or by a third party,” with the potential that it could be used fraudulently, he said.

The sheer breadth of personal information that health care institutions hold complicates the issue.

“More than any other industry, the health care industry really has all of a complete set of information security and privacy exposures to contend with,” said Mr. Economidis.

Mr. Srail said retailers may have credit card numbers and financial institutions may have Social Security numbers, but health care entities “have all that as well as protected health care information,” so “it really can be problematic for those organizations when that data is lost and troublesome to its customers.”

“There's so many ways that the information gets compromised” and “just when you think you've got it figured out, you've got a twist in it,” said Lynn Sessions, counsel at law firm Baker & Hostetler L.L.P. and a former risk manager at Texas Children's Hospital, both in Houston.

Robert Parisi, senior vp at Marsh Inc.'s FINPRO practice in New York, said, “hospitals tend to be less secure than banks, and you've got a situation that obviously can be fairly risky and financially troubling to any medical center.”

Meanwhile, a black market for stolen medical identities has developed among people who are underinsured or have no insurance, observers say.

By some estimates, medical information is twice as valuable as more traditional identity information, said Mr. Silvestri. “That becomes a motivation for the criminal element to actually target that so they can sell it to the black market,” he said.

Relatively few data breaches at health care institutions are attributable to hacking. “The majority, I'd say, are non-network events,” said Mr. Moylan. Lost thumb drives, laptops or cellphones pose a “significant risk,” he said.

What makes the problem harder to address is the complex array of federal and state laws that require notification of data breaches. On the federal level, there is the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act, which modifies HIPAA's privacy and security regulations.

In addition, 46 states have laws requiring notification of security breaches involving personal information, according to the Denver-based National Conference of State Legislatures.

“The industry has some of the strictest regulatory compliance issues” with respect to the data it collects, transmits, shares and stores, said Mr. Srail. Because of health care institutions' “more intense” reporting requirements, “they actually report more than your average industry,” he said.

Ms. Sessions said HITECH's requirements make it easy to violate HIPAA. “We tell our clients it is not a matter of if” there will be a HIPAA violation, but of when; and in many situations, it is a matter of very small breaches.

Mr. Parisi said as soon as data breach notifications go out, “we've seen the plaintiffs bar jump” on the issue and introduce class action litigation, “so you're basically seeing the health care sector getting pulled in the same direction” as banks and others have gone in terms of litigation.

Federal law pulls health care institutions in opposite directions, said Mr. Srail. On one hand, it “wants health care to be open and portable and interactive” and to facilitate the process so the patient has choices in his health care with accessible medical information. On the other hand, however, “everything has to be kept secret” with no privacy breaches.

In addition, state laws, while broadly similar, differ from one another and from federal law. HIPAA, for example, requires notification of data breaches within 60 days, while several states have a 45-day notification period, said Ms. Sessions.

Another complication is that hospitals must abide by the laws of the jurisdiction where the patient resides, even if that is another state. Because the patient's state of residence is the determining factor, Texas Children's Hospital, for instance, which has patients from all 50 states and foreign countries, must comply with all of those jurisdictions' statutes, said Ms. Sessions.

Several states have enacted, and other states are moving toward, laws that dictate the protective safeguards that businesses, including health care institutions, must have in place to prevent data breaches from occurring in the first place, observers say.