
HITECH Highlights Security Risks from Third-Party Data Handling

July 22nd, 2009

While the HIPAA act jump-started the trend towards securing medical data, a trend that now includes many other countries, the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law in February 2009, is taking security to new levels. HITECH includes new privacy requirements that represent the biggest change to the health care privacy and security environment since the original HIPAA privacy rules.

HITECH includes provisions that lower the thresholds, shorten the timelines and require more attempts to ensure that the people affected by data breaches are truly made aware of the event. Standing behind these changes are increased and sometimes mandatory penalties, with fines ranging from $25,000 to as much as $1.5 million. The increased fines are accompanied by more aggressive enforcement, including authority to pursue criminal cases against HIPAA-covered entities or their business associates.

Those last words, “business associates”, are key: they are the third-party companies that also have access to the protected data. While all the changes above add more teeth to HIPAA, by extending accountability from health care providers to their business associates this act also means that many more organizations are at risk of being bitten by this law.

Alertsec has written and talked about this many times: security does not stop at your firewall. What your partners do matters – from lawyers, to Software-as-a-Service vendors who host your data, to the company that carries your backup tapes to a vault. The actions of your partners matter, and HITECH is among a growing number of government regulations that are making this relationship crystal clear.

No doubt, the HITECH Act raises the stakes for a data breach. But regulations aside, data breaches can hurt your organization’s credibility and can carry huge medical and financial risks for the people whose data is lost. We’ve managed hundreds of data breaches and helped thousands of identity theft victims. Through this we’ve learned firsthand that compliance doesn’t necessarily equal low risk of a data breach. For the well-being of the business and its patients, health care organizations and their partners need to take the most comprehensive approach to securing PHI.

A recent study by PricewaterhouseCoopers, CSO Magazine and CIO Magazine (The 2008 Global State of Information Security Study) found that only 5% of data breaches are caused by malicious cyber-attacks. In 2008, 44% of breach incidents were due to third-party handling of data. With HITECH, organizations will now be held responsible for a third party’s handling of their data.

Many of the health care-related data breaches that have made the news have actually resulted from weak security practices at a third-party service provider. In one instance, a medical center used a courier to transport patient files, and the files were lost somewhere in transit. The medical center was held accountable and financially responsible even though the courier was at fault.

The recommendations being made to health care companies to ensure they meet the HITECH standards are in fact just common sense for all businesses that hold confidential data – regardless of the industry or current government regulations. Do a thorough, risk-based assessment of the practices around every data asset that contains confidential data. This includes creating an accurate inventory of the data you hold and of all internal and external workflows in which the information is used, noting at which stages the data is encrypted and at which it is unencrypted. You need to be sure not only that your organization is securing all of its data, but that all of your third-party associates have taken the same steps.