2 Years of Breaches: An AssessmentLessons: Protect Devices, Encrypt Data, Monitor Business Associates
The official tally of major breaches, compiled by the Department of Health and Human Services' Office for Civil Rights, shows that more than half involve the theft or loss of laptops and other electronic devices and media. Plus, more than 20 percent have involved a business associate.
Major breaches that OCR tracks on its online "wall of shame" are those affecting 500 or more individuals. In its recently submitted report to Congress outlining breach activity for 2009 and 2010, OCR identified more than 30,500 smaller incidents affecting a total of 62,000. "The majority of small breach reports in 2009 and 2010 involved misdirected communications and affected just one individual each," according to the report.
So far this year, about 70 major incidents affecting about 3.5 million individuals have been added to the federal tally. Some 24 breaches affecting about 158,000 have been added to the list since Aug. 22.
Lessons Learned"The largest lesson from the reported large breaches is to focus on your employees and how they physically safeguard hardware," says Adam Greene, a former official at the HHS Office for Civil Rights. That's because the most common cause of health information breaches so far has been theft, and the type of device that is most often stolen is a laptop, he notes.
Security specialist Tom Walsh, president of Tom Walsh Consulting, points out that most of the reported breaches "could have been prevented with encryption of media and mobile devices."
Another important lesson, Greene stresses, "is that one of your biggest vulnerabilities is your business associates." Greene, a partner at the Washington law firm Davis Wright Tremaine LLP, notes: "Nine of the top 20 breaches, based on the number of individuals affected, have included business associates." As a result, healthcare organizations need to make sure that their vendor partners take adequate security precautions, he stresses.
"Unfortunately, when a business associate causes a breach, the name of the covered entity is listed first, even when it is not their fault," Walsh adds.
Another lesson learned, Greene points out, is to not underestimate the vulnerability of paper records because many breaches have involved documents. "These breaches of paper records are mostly due to unauthorized access or disclosure (e.g., sending paper files to the wrong recipient), theft (e.g., the papers are in a stolen briefcase or car), and improper disposal," he notes.
Walsh says healthcare organizations need to go beyond implementing updated security policies. "The workforce needs to have periodic refresher training on privacy and information security," he stresses.
Business Associate IncidentsSeven of the breach incidents added in recent weeks all stem from the theft of an external hard drive from the car of an employee of MedAssets, a business associate to the hospitals affected (see: Stolen Hard Drive Affects 82,000).
Another recent incident involving a business associate affected patients at Stanford Hospital & Clinics. In that breach, a business associate's subcontractor caused a healthcare information breach when information about 20,000 patients treated in the hospital's emergency department was posted on a website.
The largest incident reported so far involved insurer Health Net and affected 1.9 million individuals, according to the OCR tally. It stemmed from hard drives missing from a data center managed by IBM, its business associate.
Breach NotificationOCR began posting incidents to its breach list on Feb. 22, 2010, for cases dating back to Sept. 23, 2009, when the interim final version of the HITECH Act breach notification rule took effect.
The rule requires healthcare organizations to notify those affected by breaches of any size. Major incidents must be reported to the Office for Civil Rights within 60 days. Smaller breaches must be reported to the office annually. But breaches of information that's been encrypted using a specific standard do not have to be reported.
A final version of the HITECH Act-mandated breach notification rule, which is part of HIPAA, could further clarify exactly what types of incidents need to be reported. The final version is expected later this year as part of an "omnibus" package of several rules (see: HITECH Mandated Regs Still in Works). The interim final version now in effect contains a controversial "harm standard," which allows organizations to conduct a risk assessment to determine if an incident represents a significant risk of harm and, thus, must be reported.