A National Patient Identifier’s Impact on Healthcare Security

September 22, 2020

  • An NPI is being promoted as a tool for improving patient privacy, as well as providing a variety of other benefits.
  • However, there’s little to no discussion of an NPI’s impact on healthcare cybersecurity.
  • Contrary to popular belief, implementing an NPI will be difficult, and its downstream impact on information security will be significant.



Low-Hanging Fruit? More like an orchard of opportunity.


I’ve been passionate about healthcare information security for several decades. I recently endured an unexpected, long-term hospital stay, which got me even more interested in patient privacy than I already was. Having my wristband repeatedly scanned and being asked “What’s your birthday?” countless times a day gets real old real fast. So you can imagine my interest at the recent flurry of articles regarding a National Patient Identifier (NPI).


As I read article after article, I noticed a disturbing trend. Everyone is fixated on whether or not having an NPI will improve patient privacy, help reduce medication errors, decrease mismatched patients, etc. There’s a healthy and robust debate on both sides of the issue. What I’m not seeing is a debate – or even a stray mention – regarding an NPI’s impact on healthcare cybersecurity or what new security controls and policies, if any, will need to accompany whatever NPI solution is ultimately adopted.


Equally concerning, some of the articles refer to implementing an NPI as “low-hanging fruit.” Nothing could be further from the truth. The downstream impact on healthcare IT and InfoSec would be extraordinary. So let’s give that impact the attention it deserves.


But before we dive in, I’d like to step back and get everyone up to speed on the history of the NPI Rule.



The History of NPI

HIPAA has five core rules. Most healthcare IT professionals are familiar with the Security and Privacy Rules. In 1996, when HIPAA legislation was passed, it included a rule for the development of an NPI that would give each person in the U.S. a permanent, unique number for use across the entire national healthcare system. The Department of Health and Human Services (HHS) was initially tasked with adopting standards for a distinct, unique patient ID, which would be used to identify the medical records of individuals, employers, providers and health plans under HIPAA regulations.


Enter privacy concerns. Congress prevented the HHS from implementing NPIs by refusing to provide funding, a battle that has raged for 24 years and counting. When one house of Congress approves lifting the ban, the other rejects it.


Fast forward to Fiscal Year 2021. The House of Representatives once again voted to remove the ban on Federal funding for an NPI. At the time this article was written, it remains to be seen whether the Senate will vote up or down.


One last thing. It’s the Health Insurance Portability and Accountability Act. The “I” doesn’t stand for information or InfoSec or interoperability. We seem to forget that, and it’s where HIPAA has lost touch with real-world, present-day healthcare cybersecurity. More on that later.


Setting aside politics and even patient safety for a moment, consider the serious impact of deploying an NPI on already-stressed healthcare IT shops.



Today’s Environment

Healthcare today routinely employs technology and solutions that either did not exist or were not well understood when HIPAA was passed. Ladies and gentlemen, I direct your attention to electronic health record (EHR) systems, telehealth and telemedicine solutions, wireless integrated medical devices, mobile healthcare applications, automated pharmacy kiosks, interoperability, health information exchanges, and the list goes on.


The time and effort required to retrofit the hundreds and hundreds of clinical, financial and billing applications and systems, plus their corresponding reports and interfaces, to handle an NPI field could easily take years. The work of cleaning up local Master Patient Indexes (MPIs) in preparation for assigning NPIs would require resources few healthcare providers can spare, not to mention the task of actually assigning an NPI to each patient without making an error.


And what about all those Social Security numbers (SSNs) and other patient identifiers currently in use, such as date of birth? Will they be removed, encrypted or otherwise masked? If not, assigning each of us an NPI just adds yet another way to gain access to our healthcare information, except this time it covers all of our medical history, not just the records held by our local doctor or hospital.



What security protections will be built into the NPI itself?

Back in 1997, one year after HIPAA was passed, a 60-page report was prepared on behalf of HHS (yes, I actually read it). That report listed some 13 different options for what a unique patient identifier (UPI) might look like. Options ranged from an enhanced SSN, a Medical Record Number with a provider prefix, bank card-type technology, various types of cryptography, biometrics and so on. Whichever option is chosen, its accompanying security measures would need to be implemented, managed and enforced locally as well as nationally. It’s also likely the number would be much longer and more complex than an SSN, potentially leading to manual entry errors.


There will have to be increased security controls, privacy controls and infrastructure to manage the security of and access to the NPI, no matter which NPI design is approved. Encryption, blockchain, migrating data centers to the cloud (since cloud services have better tools, technology and staffing than most healthcare IT data centers), separating financial data from clinical data, separating NPI access from clinical data – these are just a few of the considerations that could dramatically affect healthcare IT and cybersecurity, albeit in a good way.


Historically, healthcare has lagged behind sectors such as finance when it comes to information security and privacy maturity. We still hear about the Office for Civil Rights (OCR), the enforcement arm of HHS, fining healthcare providers for egregious HIPAA violations, with at least one recent organization being fined for essentially never implementing anything resembling a HIPAA privacy and security program.


With the spotlight on huge initiatives such as interoperability, an NPI could help drive the success of such an undertaking. How great would it be to go into an out-of-town ER or an urgent care if you get sick while on vacation or business travel, and the provider has your medical history at their fingertips? When my aforementioned illness struck, I was in this exact position: out of state and traveling solo. Where was the NPI when I needed it?


This is why it’s so important to clean house and implement stronger universal security and privacy controls, for both covered entities and business associates, before sharing all of our protected information nationwide via an NPI. It’s a massive undertaking, but well worth the time, effort and money.


In the meantime, hackers target healthcare with greater frequency and the majority of healthcare providers just can’t keep pace with the changing threat landscape. HIPAA does need to be updated, but will the additional regulation make healthcare more secure? Unlikely.


Writing policies and standards is nice and important, but paper doesn’t make us more secure without implementation, management and enforcement. If we get that accomplished, the impact on healthcare cybersecurity will be tremendous.



A New Security Model for Healthcare

Assuming someday the NPI will get funded and implemented, what should we be doing today to prepare for that inevitability? Simply put, healthcare cybersecurity needs more maturity. We should not look to HIPAA to provide technical guidance. Expecting regulations to fix data security problems is unrealistic.


We need to look beyond the four walls of the hospital or clinic and really start putting more emphasis and responsibility on vendors and business associates. HIPAA currently requires a signed Business Associate Agreement (BAA) between a covered entity and its business associates. However, despite the massive number of vendor-related breaches in recent years, smaller healthcare providers (and even some larger ones) don’t have the resources to properly manage the security of their vendors via a formal Third Party Risk Management (TPRM) program.


Unfortunately, providers cannot continue to do business without working with business associates, and providers themselves don’t have the expertise or the resources to audit all of their business associates on their own.


Perhaps we need to move to a model where providers and their business associates are required to obtain certifications like SOC2, ISO or HITRUST (if they don’t already have them) and keep them current. Some have suggested that requiring proof of compliance with the NIST cybersecurity framework (NIST CSF) might be the way to go.


Whatever the standard or framework, it’s time healthcare got more mature and moved away from just relying on HIPAA and self-assessment for privacy and security guidance.


Maybe 24 years without an NPI has been a blessing in disguise, since anything implemented that long ago would certainly have become obsolete by now. We’d be talking about how to clean up that mess.


The good news is lots of vendors are interested in proposing an NPI solution. Our tools and technology have greatly evolved over the past two decades and there’s a lot of support behind moving forward with an NPI and interoperability, especially in light of our current public health situation.


The work required to successfully roll out an NPI, and its long-term overall impact on healthcare privacy and security, is an order of magnitude greater than anything healthcare has seen since HIPAA itself was enacted.


Low-hanging fruit? No. More like an orchard of opportunity.

Senior Consultant, Risk Management | Optiv