Redspin Report: 2013 a Bad Year for Health Data Breaches
In its fourth annual report on U.S. breaches of protected health information, security firm Redspin Inc. notes that in the past four years as providers swiftly adopted electronic health records, nearly 30 million Americans have had their protected health information compromised.
The prime culprit is theft or loss of unencrypted portable computing devices, and employee negligence alone will continue to drive breach statistics higher, the company contends. This should be a clarion call to the health care industry. The trajectory is predictable yet preventable. With PHI data on more portable devices used by more under-educated employees, it is a virtual certainty that there will be more breaches. Mitigating that risk must become a higher priority throughout the entire industry.
In 2012, there were 192 major breaches of protected health information, affecting nearly 3 million patient records. A year later, 2013 saw just about the same number of breaches199but they affected almost 7.1 million records. The five largest breaches in 2013 accounted for more than 85% of affected patients. The breaches were: Advocate Health and Hospitals, (4.03 million patients, theft of desktop computers), Horizon BCBS of New Jersey (839,711 patients, theft of laptop), AHMC Healthcare Inc. (729,000 patients, theft of laptop), Texas Health Harris Methodist Hospital Fort Worth (277,014 patients, improper disposal of microfiche) and Indiana Family & Social Services Administration (187,533 patients, paper documents mailed to the wrong people).
Redspin takes federal regulators to task for not mandating encryption of electronic protected health information. Under HIPAA rules, encryption is addressable, meaning it must be considered and if not adopted another appropriate control must be put in place. Thats simply not happening, according to Redspin and its time the feds moved further.
While health care providers should be convinced by now of the high risk of stored PHI on unencrypted portable devices, the regulators have not done enough to force the issue. In our opinion, an addressable requirement is still widely and correctly interpreted as something less than mandatory. Many stop there--and never move on to the real requirement for a compensating control. The federal government could fix that with one simple change to the HIPAA Security Rule.
Theft, by far, was the largest cause of breaches in 2013, comprising 45 percent of the breaches and 83 percent of breached records. Various sources, Redspin notes, estimate that 10 percent of laptops will be stolen in their usable lifetime, as it is a crime of opportunity more than planned.
Hacking only accounted for six percent of breaches, but increasingly is being done by insiders. Malicious hackers are not the only group to realize the value of a stolen health record when used for illegal purpose--it may be your own employees, the company warns. Consequently, a once-yearly risk assessment is insufficient and needs to be replaced with an ongoing integrated program of policies, controls, technical safeguards, accountability, enforcement, training and leadership.
The Redspin Breach Report 2013 is available here.