Study: PHI breaches affect 6 million Americans since HITECH
Redspin’s “Breach Report 2010” reviewed the information provided for each publicly disclosed breach to identify threat trends and recommend which controls will have the greatest impact on reducing the number of incidents in the future. The report’s findings include:
- 43 states, plus Washington, D.C. and Puerto Rico, have suffered at least one breach.
- On average, 82 days pass between breach discovery and notification of (or an update to) the Department of Health and Human Services (HHS).
- 78 percent of all records breached came from just 10 incidents; five of those 10 involved theft of storage media, e.g., desktop computers, network servers and portable devices.
- 61 percent of breaches are a result of malicious intent.
- Approximately 66,000 individuals, on average, are affected by a single breach of portable media.
- 40 percent of records breached involve business associates.
To reduce the likelihood and impact of a future breach, covered entities and business associates should focus their information security programs on the following controls:
1. Implementing encryption on all PHI in storage and transit.
2. Strengthening information security user awareness and training programs.
3. Implementing a mobile device security policy.
4. Ensuring that business associate due diligence includes a periodic review of implemented controls.
Information security programs should also include an incident detection and response program; a system security plan, including logging and monitoring of the systems where PHI is stored, transferred and destroyed; a portable media policy; and business associate oversight. In addition, contracts should require business associates to prove annually that they have adequate safeguards in place for PHI, the report concluded.