Survey indicates fewer small breaches but bigger overall impact

A new report suggests some improvement in healthcare data breaches in 2012 compared with previous years, but that's no reason to lighten up on privacy and security efforts.

The report, conducted by IT security assessment provider Redspin, examined 538 incidents affecting more than 21.4 million individuals since the interim breach notification rule under the HITECH Act went into effect in August 2009. Although findings showed a significant decline (77 percent) in the number of patient records compromised in breaches, there has been a 21.5 percent increase in the number of large data breaches. According to the report, more than 2.4 million patients were impacted by 146 breaches investigated by the Department of Health and Human Services in 2012.

"While the breach data shows improvement year-over-year, we caution against complacency," said Daniel W. Berger, president and CEO of Redspin, in a statement. "Clearly, the increase in the number of health providers who conducted HIPAA Security Risk Assessments in 2012 had a positive impact. But continuous and durable security requires continuing investment and effort--it is an ongoing process of vigilance." 

Findings also suggested that the majority of breaches (57 percent) involve business associates (BAs). Moreover, the report authors said breaches involving BAs have affected more than five times as many patients as breaches at covered entities alone.

"The recently-published HIPAA Omnibus Rule now requires business associates to comply with HIPAA privacy and security regulations directly and extends civil liability to BAs for PHI breach," said Berger. "This is a major regulatory change. But health providers should not just assume all BAs will comply--they need to be proactive, working closely with their business partners to build a secure 'chain of PHI custody.'"

The lack of encryption on laptops and other portable electronic devices is the cause of more than one-third of PHI breaches (38 percent), according to the report. Redspin officials warned that personal health records are high-value targets for cybercriminals, as they can be exploited for identity theft, insurance fraud and falsified prescriptions. To date, hacking has accounted for a relatively small share of all protected health information breaches. Berger said the recent attack on the Utah Department of Health--where 780,000 Medicaid and Children's Health Plan records were targeted--"may be the canary in the coal mine."
