The privacy of health records managed by the U.S. Veterans Administration recently became an issue of contention, in the wake of an investigative report from The Pittsburgh Tribune-Review that scrutinized the agency’s practices. Like other organizations that handle sensitive patient information, the VA is accountable to the mandates of the Health Information Portability and Accountability Act, but some of its employees’ behavior may be putting the VA at risk of major violations.
Moreover, the VA has been a pioneer in the healthcare sector’s drive toward digitizing health records, and its actions serve as an example for other organizations. While digital records hold the promise of greater ease of access compared to paper files, they are exposed to a wider range of risks, from malicious attack to simple mishandling. As healthcare organizations adopt new technologies for storing patient information, they should update their training and cybersecurity policies to prepare for the new risk environments and responsibilities that come with them.
At the same time, security of paper and physical assets will remain essential. Many of the issues identified in The Pittsburgh Tribune-Review’s report may have been the result of oversights in facility security. Accordingly, it will be important for HIPAA compliance strategies to account for the transition effort between different types of recordkeeping systems and to take a holistic approach to guarding veterans’ records from breach.
Report identifies possible violations at many VA campuses
The newspaper’s report, conducted over a period of two months, painted a picture of systemic issues affecting VA recordkeeping practices. Given the sensitivity of the information that VA campuses handle, a leak or opportunistic attack can result in anything from embarrassing exposure on social media to costly identity theft.
According to The Pittsburgh Tribune-Review’s Carl Prine, the investigation tallied more than 14,000 violations that occurred between 2010 and May 31, 2013. The incidents were spread across 167 different VA facilities, demonstrating that violations were widespread and likely not the result of weaknesses at specific sites. More than 100,000 veterans and 500 VA employees may have had their records compromised.
“It is unconscionable that the very people who defend the rights of the American people do not have those rights at [the] VA,” U.S. Air Force veteran and VA employee Karen Santoro told The Pittsburgh Tribune-Review. “We must fight back and change the system because we deserve a better one.”
Specific privacy violations ranged from posting pictures of anatomy to social media channels to losing track of Social Security numbers and prescriptions. There were also several instances of information being sold to third parties or lifted for identity theft purposes, sometimes by VA employees themselves.
The VA’s history of data privacy incidents
Writing for HealthITSecurity, Patrick Ouellette examined a separate data breach case affecting a facility in Bakersfield, CA. In 2011, two staffers from the clinic claimed that VA physicians illegally took protected information such as Social Security numbers and patient names.
The VA conducted a two-year investigation that found that the doctors had acted within their rights and had not compromised patient privacy. However, some of the clinic’s former employees have raised doubts about the results and questioned the VA’s overall approach to curtailing and dealing with breaches.
“The VA does not want anyone to know, the general public to know, that a VA employee could do this terrible HIPAA violation and they will deny it forever because it makes them look bad,” stated former VA Bakersfield site manager JoAnne Van Horn, according to HealthITSecurity.
The VA has continued to defend its recordkeeping practices. At a June 2013 hearing on Capitol Hill, Stephen Warren, acting assistant secretary at the Department of Veterans Affairs Office of Information and Technology, reaffirmed the VA’s commitment to handling records with the utmost care that HIPAA requires.
Nevertheless, as Government Health IT contributing editor Erin McCann pointed out, the VA has a history of privacy troubles. It has reported 17 HIPAA violations over the past several years, and a string of incidents from 2006 to 2012 involved everything from the theft of an unencrypted laptop containing SSNs to the leaking of veterans’ information to Ancestry.com.
As such, The Pittsburgh Tribune-Review’s report is less a revelation than a confirmation of VA practices over the last decade. Adequately addressing identity theft and physical security appears to be the chief challenge for the VA as it tries to shore up its defenses.
VA privacy struggles may indicate deeper issues with how government agencies handle records
Despite the long train of high-profile incidents, the VA is not alone in its struggles to properly handle health records. Speaking to CruxialCIO, Netspective Communications CEO Shahid Shah argued that similar issues affected many healthcare providers, including VA partner hospitals.
The VA’s My HealtheVet technology has been at the forefront of digital recordkeeping, and while it may become a target for cyberattacks or a vehicle for accidental leaks, it may not be the chief cause of the VA’s struggle with patient record privacy. Rather, the persistence of physical storage media has been at the heart of many of the administration’s incidents.
“The most important safeguards right now can primarily be nontechnical because there’s too much paper and broad discretionary authority to view data in non-digital workflows; accountability and tracking is not built into VA’s processes, procedures, and training to the extent like they need to be,” stated Shah. “Everyone wants to do the right thing, but as long as there is so much paper in the process and the workflows require large amounts of data to be seen and processed by so many different people, the illegal release of medical data will remain very easy.”
Government officials and cybersecurity professionals could view the prevalence of paper records as an opportunity to adopt digital technologies in even greater earnest. However, the distinct vulnerabilities of electronic data must also be taken into account. Only with a proper roadmap for the transition away from traditional recordkeeping can the VA and other organizations ensure that the weaknesses of old recordkeeping technologies do not simply reappear in new forms down the road.