Report: 19 million records affected by breaches since late 2009
These numbers come from "2011 Breach Report / Protected Health Information," released by Carpinteria, Calif.-based data security consulting firm Redspin. The report analyzes the full data set of breaches as reported to the Secretary of the U.S. Department of Health and Human Services (HHS) since the regulation went into effect, and outlines "increasing threats and troubling trends." For example, 49,396 is the average number of patient records per breach in 2011, an 80 percent increase over 2010. There was a 97 percent increase in total records breached in 2011 compared to 2010.
Threats and trends covered include:
More data: "Every day more and more protected health information is reborn in the digital healthcare universe," the report stated. "ePHI is easier to locate, access, store, transmit and move." This presents benefits as well as new risks. And, without sufficient controls, one would expect data breaches to become increasingly common over time. Because new records are continually added to existing databases, it is logical to assume that the average number of individuals impacted by each new breach would also increase over time, according to the report.
Business associates (BAs): Fifty-nine percent of all breaches in 2011 involved a BA, which is a 76 percent increase over 2010, according to the report. "This has not gone unnoticed by the HHS Office of Civil Rights (OCR)," the report noted. "Written into the interim final breach rule is the provision for civil liability to extend directly to BAs by the end of 2012. It does appear inevitable that covered entities will need to take a more proactive role in how BAs protect their PHI."
Redspin recommended that hospitals conduct risk analyses of their vendors, contractors and consultants. "The full legal responsibility of protecting the data remains with the hospital," the report pointed out. "By taking a risk-adjusted approach, the hospital can focus on the subset of BAs that present the greatest potential damage from breach. Ultimately, the hospital has every right to insist that their partners conduct regular, third-party security assessments as a requirement of doing business together."
Security risk analysis: "It is strikingly clear that woefully inadequate security risk analysis (if any) took place prior to the occurrence of these incidents," the report read. "A proper risk-based assessment would have identified and brought attention to these large concentrations of PHI and raised the issue of whether sufficient security controls were in place, either at the covered entity, the BA or both."
By virtue of participation in the meaningful use program, covered entities and eligible providers are required to conduct a HIPAA security risk analysis and have a plan to address any vulnerabilities found, Redspin advised. "Security assessments are not projects, but rather a part of an ongoing process of durable improvements and should be conducted on an annual or at least bi-annual basis. Healthcare and IT are both dynamic environments. While a comprehensive security assessment has some shelf life, you'll be far more secure if you also assume they have an expiration date."
Portability: More than one-third (39 percent) of all PHI breaches to date have occurred on a laptop or other portable media, according to the report. "While stricter policies and more encryption are necessary, both require user training, acceptance and enforcement. The problem is likely to get worse before it gets better. Portability is here to stay." Smartphones, iPads and other tablets are now in use in 80 percent of healthcare organizations, according to the report.
The report said that several industry estimates have put the value of a stolen health record on the black market at about $50, which probably accounts for the 60 percent of all PHI breach incidents that have been the result of malicious intent (including hacker attacks, "insider" IT incidents and theft).
"Information security is the Achilles heel of electronic PHI," the report read. "Without further protective measures, it could derail widespread implementation and adoption of EHRs."
Security tools "won't come from government regulation alone," the report concluded. "Incentives and enforcement can play a part, but ... the healthcare industry itself and individual organizations within it must become more proactive in regard to their IT security. In effect, they need to serve as their own watchdog."
Access the entire report on Redspin's website.