Breach Stats Reflect Security Woes
Comprehensive Risk Analysis Often Lacking
Recent large-scale healthcare breaches illustrate that organizations frequently lack a comprehensive risk analysis, says Dan Berger, CEO of Redspin.
Federal breach statistics show that about twice as many individuals were affected by major healthcare breaches in 2011 as in the previous year, Berger notes in a recent report on breach trends. That increase is due, in large part, to a handful of huge breach incidents last year.
The largest breach incidents "are indicative of a trend," Berger says in an interview with HealthcareInfoSecurity's Howard Anderson (transcript below). "As more and more PHI [protected health information] is stored electronically, you end up with greater concentrations of data," he says. And when large databases are stored on portable devices or media, that can lead to breaches if the data are not properly encrypted, he stresses.
The biggest breaches in 2011 "make it painfully clear that inadequate, if any, HIPAA security risk analysis took place prior to the breaches," Berger contends. "A comprehensive security risk assessment would have identified where PHI is stored, who has access to it and how it's utilized in the normal workflow. The analysis would then investigate whether sufficient controls are in place."
In the interview, Berger also:
Berger is president and CEO at Redspin, an IT security assessment company. Before joining the firm, Berger spent 25 years in the global IT industry in sales, marketing and senior executive positions for computer manufacturers, networking companies, application software firms and several providers of online business services.
2011 Breach Statistics
HOWARD ANDERSON: Earlier this year, Redspin issued a report on major healthcare information breaches that compares statistics from 2010 and 2011. For example, the report notes that about twice as many individuals were affected by major healthcare breaches in 2011 as in 2010. Is the increase mainly because of a handful of large breach incidents last year?
DAN BERGER: ...While it's true that the increase is mainly due to a handful of large breach incidents that occurred last year, those large breach incidents themselves are indicative of a trend. That trend is, as more and more PHI is stored electronically, you end up with greater concentrations of data. When you add that data to the mass storage capacity on portable media and mobile devices, our conclusion is that large-scale breach incidents are virtually certain to continue.
ANDERSON: The average number of patients affected by a breach grew by about 80 percent in 2011 versus the previous year. Again, what's the main reason for that?
BERGER: Because IT security has not really kept pace with the progress that has been made in the adoption of electronic health records - that would be the main reason. More PHI has been converted to electronic format and, as structured data, it's easier to store, access, transmit, copy, move - so the likelihood [is greater] that a breach might compromise an entire database, or at least a portion thereof, rather than a small collection of individual records.
Preventing Large-Scale Incidents
ANDERSON: The top five breach incidents reported so far under the HIPAA breach notification rule account for about 57 percent of all patient records breached. The top 20 account for about 88 percent of all records breached. What's the key to preventing these large-scale incidents? What do they have in common?
BERGER: Large-scale incidents make it painfully clear that inadequate, if any, HIPAA security risk analysis took place prior to the breach. Comprehensive security risk assessments would have identified where PHI is stored, who has access to it and how it's utilized under a normal workflow. Then the assessments would look further into whether sufficient controls were in place. As a reminder, the HIPAA security rule has been enforced for almost 10 years. Section 164.38A requires covered entities to conduct a security risk analysis, among other things.
ANDERSON: More breaches in 2011 involved business associates than in the previous year, including some of the biggest incidents. What do you think is the reason for this trend, and is there anything we can do to reverse that trend?
BERGER: Business associates were involved in incidents that affected over 7 million individuals in 2011 and that compares to 4 million in 2010. The simple fact underlying that trend is just this: More data is being shared with BAs, and little to nothing has been done to inspire or enforce stricter controls or to require more covered entity oversight. I think that the extension of direct civil liability to BAs at the end of 2012 will help, but I still believe it remains to be seen if that's enough of a stick to make it a priority for their businesses. I've been disappointed that the initial HHS Office for Civil Rights HIPAA audit program doesn't include any business associates in the first audits that are scheduled for this year.
So in terms of reversing the trend, ultimately what will ... be required is that hospitals themselves will have to get tougher with their BAs, even insisting that some of the large partners have an annual security audit as a contractual requirement. ... Forward-looking business associates should think about adopting this process now, because I think it would be a clear marketing advantage for them to go out when they're selling their services to additional hospitals to say, "We've put ourselves under the same kind of scrutiny that you have as well." I think you're going to see more sensitivity at the covered entity level... [about] what their business associates are doing and not doing.
Lack of Encryption
ANDERSON: Thirty-nine percent of major breaches reported so far have involved laptops or other portable devices, you note in your report. In fact, about 55 percent have involved loss or theft of all types of unencrypted devices or media. With all the publicity about breaches involving unencrypted devices, why isn't encryption more widely used, do you think?
BERGER: ... I think the primary factor has been that encryption has IT administrative overhead and requires additional user training. For as long as I can remember, healthcare IT has typically been under-staffed and under-funded and so, to some extent, I understand their resistance. It's just more to do and they've got limited resources. Going forward, as encryption technology improves, it's really only a matter of time before we reach the tipping point where the risks of breach outweigh the additional overhead required.
HIPAA Security Rule
ANDERSON: In your report you call for federal regulators to beef up the HIPAA security rule. You also call for providing more compliance guidance, more guidance from federal regulators. Could you elaborate on those recommendations?
BERGER: ... I found the Office of Inspector General's audit of CMS [assessing HIPAA compliance at some hospitals] to be a pretty sound wake-up call. Perhaps somebody hit the snooze button, though, because I haven't seen the findings from that report reflected in very many other places. As a refresher, the lapses cited by the OIG included 124 high-impact vulnerabilities such as unencrypted laptops and portable devices containing PHI, outdated anti-virus software and patches that weren't applied, unsecured networks and also the failure to detect devices intruding on wireless networks. Perhaps some of those items have been included in OCR's HIPAA audit scope ... but I think the HIPAA security rule itself could be made more prescriptive, and I'd like to see - not only as a security vendor, but I think our clients would like to see - more [guidance about] what the government actually expects them to do in regard to HIPAA security.
ANDERSON: Any final advice on other steps healthcare organizations can take to prevent breaches so that 2012 statistics look better than the 2011 numbers?
BERGER: I think there has been a great deal of focus on security within the context of the Stage 1 EHR meaningful use incentive program. At Redspin we encourage our clients to go beyond the minimum necessary of meeting this requirement and testing meaningful use. Checkbox compliance is really not appropriate here. We recommend very comprehensive security assessments including external and internal infrastructure, web-application assessments, wireless security, mobile-device policies and, last but not least, employee training. It's critically important that security become the priority within the healthcare industry. We believe that it's the foundation on which successful electronic health record implementation and adoption must be built. It really is a trust model between providers and patients, and security is the one thing that can undermine that.