Mac McMillan understands risk. The CEO of CynergisTek Inc., McMillan spent more than 20 years in the federal government—including time as a colonel in the Marines—before opening his IT security consulting company. He’s a straightforward speaker who uses phrases like “catastrophic failure” and is unafraid to tell long-term care providers how it is when it comes to data security, like he did today during an educational session at the AAHSA 2010 Annual Meeting in Los Angeles.
His advice was illustrated through the unfortunate but cautionary tale of Ohio Presbyterian Retirement Services. Without going into the gory, technical details, this provider, which operates several CCRCs, senior living communities and community-based programs throughout Ohio, was in need of updating its data security program to remain HIPAA-compliant. In short, they’re like most everyone else in long-term care.
The provider turned to CynergisTek for help just in time. Joyce Miller-Evans, CIO of Ohio Presbyterian Retirement Services, explained how two break-ins a few years ago resulted in computer theft and compromised patient data, leading to valuable lessons learned.
The first break-in, she said, involved the theft of human resources computer equipment—meaning no electronic protected health information (ePHI) was stolen. While Miller-Evans said her company was lucky to have dodged a breach of patient data, McMillan and CynergisTek reinforced the need for data encryption wherever possible.
And for good reason: The second break-in involved the theft of laptops and, most important, backup tapes that were not encrypted. While many people believe it is almost impossible to retrieve data off such tapes, McMillan informed everyone that this really isn’t that difficult—it’s even something his company regularly does. “The right people with the right tools can get data off the tape. The capability is out there,” he warned.
With that cleared up, McMillan went into his most poignant argument of the day, something long-term care providers should take into consideration. When a data breach like the one described above occurs, it is crucial that the provider report the breach to all parties affected, including the public. Your company could be 100% HIPAA-compliant in its data security, but failing to ethically report a breach will make you “dead wrong in the court of public opinion,” McMillan said.
He brought up the recent case of South Shore Hospital in Massachusetts, which lost files on 800,000 individuals. When the hospital’s internal investigation concluded that those files were most likely sent to a landfill and unrecoverable by thieves, it announced it would not send notices to the individuals whose data was lost. Were they compliant in how they protected their data in the first place? Sure, said McMillan. But they also have Massachusetts Attorney General Martha Coakley investigating because she “objected” to the hospital’s decision not to report the breach to affected parties.
South Shore Hospital now stands the risk of being crucified in the public eye when, as McMillan said, it could have easily reported the breach. “No organization has been shut down for reporting a breach,” he said. In fact, after reporting one, the situation will blow over in less than a week’s time. A public relations disaster, it is not—unless you take South Shore Hospital’s route. “Do the right thing. Report it. Then go back and see what caused the breach to happen,” McMillan advised.
It’s precisely what Ohio Presbyterian Retirement Services did. The provider informed all 75 residents affected that a data breach had occurred and even offered them credit protection through Equifax, an offer only two residents took up, Miller-Evans said.
Judging by the look on McMillan’s face, those residents could learn a thing or two about risk.