Healthcare ‘Wall of Shame’ Shows Devices Are Unprotected
By Marianne Kolbasuk McGee for GovInfo Security
Incidents involving the loss or theft of unencrypted computing devices continue to dominate the federal tally of major health data breaches, despite the bad publicity these cases have been getting since regulators began tracking incidents in late 2009.
Nine of the 13 major breaches added to the Department of Health and Human Services’ “wall of shame” since Feb. 21 have involved the loss or theft of unencrypted devices, including seven involving laptops.
The HHS tally now includes 556 breaches affecting 21.7 million individuals. Of those, more than half involve lost or stolen unencrypted computing gear. The list, which only includes breaches that affect 500 or more individuals, tracks incidents that have occurred since September 2009, when the interim breach notification rule came into effect under the HITECH Act.
“It’s unconscionable that healthcare organizations aren’t encrypting their backup tapes, mobile devices, servers – anything that contains protected health information,” says Feisal Nanji, executive director of information security firm Techumen.
“CEOs, CIOs and boards of directors are all to blame. If a breach occurs involving unencrypted devices, every one of them should be scolded; it’s negligence,” he says. “It’s no longer difficult to encrypt these devices.”
The 13 new breaches added to the tally in recent weeks also included one hacking incident, plus one unauthorized access case and two involving paper records. Together, the breaches affected a total of 135,000 individuals. But just one incident, involving Crescent Healthcare, a Walgreens company that manages and delivers integrated pharmacy and nursing solutions, accounted for 109,000 of those affected. And that case primarily stemmed from the theft of a desktop computer.
Threat of Penalties
In recent years, several breach incidents involving unencrypted devices have led to hefty monetary settlements with HHS’ Office for Civil Rights. That’s because OCR investigations also uncovered a host of HIPAA non-compliance issues, ranging from the lack of a timely risk assessment to insufficient staff training.
The HIPAA Security Rule does not explicitly require the use of encryption. However, it states that those who do not apply it must carefully document what other approach they are using to protect data and why it’s reasonable and appropriate.
And in an attempt to boost the use of encryption, the software certification rule for Stage 2 of the HITECH Act’s electronic health record program, which begins in 2014, requires qualifying EHR systems to encrypt data by default if it’s stored on end-user devices.
In addition, the HIPAA Omnibus Rule going into effect on March 26 includes changes to breach notification requirements that focus on assessing incidents based on the probability that data was compromised, rather than the likelihood of individuals suffering financial, reputational or other “harm”. Failure to encrypt devices that are lost or stolen will continue to be a major reason to report a breach under the modified rule, Nanji points out.
“If you have PHI on computers, especially those that lack physical security, you need to encrypt them,” he stresses. Encryption should go beyond mobile devices to include servers that aren’t located in a secure data center. “Those are easy targets for cleaning crews or other people,” he says.
Nanji suggests that healthcare organizations require encryption of all personally owned, as well as corporate-owned, mobile devices used to access patient information. And he urges the use of data loss prevention software “to sniff out” unencrypted devices that connect to internal networks.
DLP and application inventory software can also help organizations find “shadow IT” that’s used without formal authorization of the IT department, he says. Because hospitals have working relationships with physicians and others not employed by the organization, it can be difficult to keep track of every device possibly containing patient data, he notes.
Ups and Downs
Despite unencrypted devices continuing to dominate the breach spotlight, there have been some signs of progress. Overall, the number of people affected by breaches in 2012 was down substantially from 2011, according to the current federal tally, which is continually updated as new reports are verified.
As of March 22, the federal tally shows roughly 130 incidents affected about 2.3 million individuals in 2012, compared to 2011, when more than 150 breaches affected almost 11 million. So far, the tally lists six breaches in 2013 affecting a total of about 17,000.
However, after HIPAA Omnibus goes into effect, some experts expect the number of reported breaches to increase.
“I think we’re going to see more breaches reported,” says Marcy Wilder, co-chair of the global privacy and information management group at Hogan Lovells, an international law firm. That’s because organizations will need to take a more objective approach to assessing breaches, looking at the probability information was compromised, she says.