By Patrick Ouellette for HealthIT Security
Based on the Redspin Breach Report 2012 that was released today, health data breaches were reduced marginally in 2012, but when the new HIPAA omnibus rule is factored into the equation, the company advised healthcare providers to stay on the offensive when it comes to breach prevention.
Redspin, an IT security auditing vendor, points out that since August 2009, organizations have reported 538 large protected health information (PHI) breaches, affecting more than 21.4 million patient records, to the Secretary of Health and Human Services (HHS). There are also these numbers to consider:
- 21.5 percent – Increase in the number of large breaches in 2012 over 2011, alongside a 77 percent decrease in the number of patient records affected
- 67 percent – Share of all breaches that resulted from theft or loss
- 57 percent – Share of all patient records breached that involved a business associate
- Five times – Historically, breaches at business associates have affected five times as many patient records as those at a covered entity
- 38 percent – Share of incidents that resulted from an unencrypted laptop or other portable electronic device
- 63.9 percent – Share of total records breached in 2012 that resulted from the five largest incidents
- 780,000 – Number of records breached in the single largest incident of 2012
- 6 percent – From 2009 to date, hacking has accounted for roughly six percent of data breaches, both by number of incidents and by number of individuals affected
Early on in the report, Redspin referenced the plight of the Utah Department of Health, which has suffered two sizeable breaches over the past year. Now, a bill to crack down on breaches has reached the Utah House floor, which indicates the state recognizes this issue isn’t going away. Here were the five largest breaches of 2012:
The report also cites the role of the new HIPAA omnibus rules in breach prevention, regulations and reporting to HHS. Specifically, the role of business associates has changed markedly under HIPAA regulations and it’s up to healthcare organizations to ensure they’ve reviewed the major legal and contractual updates to the rules.
Redspin also discussed the difficulty in handling PHI on portable devices, referencing the 37.7 percent of total breaches in 2012 occurring on a laptop or other portable device. These are the device breakdown numbers:
And it offered healthcare organizations some tips to avoid data breaches, some being more obvious than others. Portfolio risk analysis was one item that stuck out because doing the homework on subcontractors and business associates is now more important than ever.
- Conduct a HIPAA Security Risk Analysis
- Implement a regular process for ongoing vulnerability scanning and remediation, and integrate those reports into your IT security risk assessments.
- Insist on encryption of data on all portable devices. Loss or theft of unencrypted portable devices has made up over a third of all large breaches to date.
- Business associates have accounted for 57 percent of all patient records breached since we started the tally. We recommend hospitals conduct a specific “portfolio risk” analysis as it relates to the dozens or even hundreds of vendors, contractors and consultants they work with.
- Conduct regular, frequent and engaging security awareness training for all employees. This requirement has been included in every breach resolution agreement negotiated between OCR and an offending covered entity.
Redspin obviously isn’t the definitive authority on healthcare data breaches, since it has a vested interest in security audits. But the number breakdowns above are worth reviewing because they show how breaches have trended since 2009.