Brookings report asks OCR to share data breach findings

After investigating data breaches within healthcare organizations, the Office of Civil Rights (OCR) should provide detailed reports to other companies to prevent similar attacks, according to a report written by Niam Yargahi, a fellow at the Brookings Institute’s Center for Technology Innovation.

Yargahi spoke to “key personnel” at 22 different hospitals, insurers and healthcare industry businesses that have experienced a breach within the last two years. While the report admitted it’s unlikely that organizations recently investigated by OCR would have a positive view of the agency, interviewees felt OCR’s process should be more about finding ways to prevent future breaches than punishing organizations that have been hacked.

“The current way in which OCR handles the breaches is very similar to how the healthcare industry was treating medical errors decades ago,” said one vice president of a nonprofit health provider in the report. “Rather than having a systematic approach to identifying the root causes of breaches and trying to address them, OCR focuses on individual instances and only blames and penalizes victim organizations. The system is not open and even the reporting is not transparent. Healthcare has matured and does not follow its old approach anymore, but OCR is still doing the same thing. The system should be nonpunitive, open and transparent, and focused on error identification rather than blaming individuals.”

Communication was cited in the report as a key ingredient to protecting healthcare organizations from the increasing number of attacks by hackers. Beyond better communication from OCR to the industry, Yargahi recommends organizations talk to each other about best practices for protecting data.

“Larger academic hospitals and other organizations, such as CHIME and AHA, should collaborate with smaller hospitals and share their best practices with them,” said the CIO of one academic hospital. “This will also help smaller hospitals with justifying the expenses of implementing similar technologies and policies. Also, maybe larger hospitals could provide technical and financial help to the smaller ones who are a part of their medical group to help with security and privacy.”

Another hospital CIO said his organization has benefitted from sharing information, such as suspicious IP addresses, when hackers try to gain access, in order to prevent the same groups from attempting the same against others.

Other recommendations from the report included:

  • OCR should establish a universal HIPAA certification system and conduct more random audits;
  • Healthcare organizations should invest in cyber insurance;
  • Organizations should prioritize privacy by implementing new policies and spending more on security technology.

Technology and internal policy changes won’t completely solve the data breach problem, Yargahi said, with most interviewees citing human error as the cause of most breach incidents.

The report recommended contracting with a third-party group for annual security audits, along with testing employees by sending them e-mails mimicking what a hacker would send, and observing whether the employee clicks on suspicious links. The strategy could identify which workers need extra training.