Breach Leads to Change in Culture

Breach Leads to Change in Culture

A breach that resulted in a $1 million HIPAA settlement led Partners Healthcare in Boston to take many significant steps, including merging its privacy and security efforts, says CISO Jennings Aske. More changes are planned for 2013.

Aske now oversees both information security and privacy at Partners, the integrated delivery system that owns Massachusetts General Hospital, which was penalized for the breach.

"We as an organization have come to the conclusion that the privacy and security programs we built for the initial HIPAA compliance aren't really sufficient for the sorts of threats we deal with now the changes in the regulatory regime, the active enforcement we're seeing from regulators, the obligation to secure patient and research data," Aske says.

"So to that end, we decided to merge our approach with security and privacy and really create a functional unit. Building up that privacy and security as a unit that's combined is one of our responsibilities and goals for next year."

A primary trigger for the change was the $1 million HIPAA breach settlement between Massachusetts General and the Department of Health and Humans Services' Office for Civil Rights in February 2011. The case involved a March 2009 incident in which a hospital worker left on a train paper records for 192 HIV/AIDS patients. In addition to the monetary settlement, the hospital agreed to a corrective action plan that includes reporting results of internal compliance assessments for three years to OCR and also conducting extensive employee training.

A Lasting Impact

The breach has had a lasting impact on the organization, Aske acknowledges in the interview, which came following a presentation at the HIMSS Privacy & Security Forum in Boston on Dec. 13.

"It's led us to have really meaningful conversations with management about the need to ramp up our security and privacy programs," he says. "It's led to cultural changes where people are now self-reporting incidents."

The goal, Aske says, is to make privacy and security top-of-mind issues.

"The reality is that in healthcare, in busy academic medical centers, people work with lots of data, they work fast and furious trying to treat patients, and mistakes happen people lose devices, the paper gets left places," he says. "But I've seen a cultural change from the top down, in terms of trying to be compliant, reporting incidents, and being transparent about our needs to secure the environment."

"The reality is that there is no single message that resonates with all the actors across an organization," he says. "The reality is that a lot of clinicians view privacy and security as an impediment to care." As a result, it's essential that security professionals explain to clinicians the roles that confidentiality, data integrity, and data availability play in patient care, he adds.

"It's powerful to say to clinicians that if these controls are not in place, data may be modified by an unauthorized person or it may not be available," he says. "That's more powerful than talking about passwords and who can access things"