Health Breach Tally Tops 1,000 Incidents
Experts Offer Insights on Lessons Learned
The federal tally of major health data breaches has hit a new milestone; it now lists more than 1,000 incidents affecting 500 or more individuals.
The 10 largest breaches affected about 18.4 million individuals, more than half of the 31.5 million that have been affected by all 1,010 major breaches reported since federal regulators began keeping track in September 2009 as a result of the HITECH Act.
All of the top 10 largest breaches listed on the Department of Health and Human Services' Office for Civil Rights' "wall of shame" website involved lost or stolen unencrypted computing devices or storage media. Overall, theft and loss of unencrypted devices have accounted for approximately half of all major data breaches appearing on the federal tally.
Top 10 Health Data Breaches
"The top 10 breaches demonstrate the importance of encryption for protecting data in motion or at rest," says security expert Brian Evans of Tom Walsh Consulting. "Since encryption is now provided either out of the box or through add-on products, this no-cost or low-cost solution can significantly reduce the likelihood of breaches from occurring. Ensuring encryption is adequately implemented is a fundamental step all organizations should be taking."
But the lack of encryption isn't the only health data security deficiency that worries experts. In fact, they say the lack of encryption often is a sign of deeper security deficiencies.
"First of all, failure to encrypt is not a security mistake; it is a bad management decision," says security expert Mac McMillan, CEO of consulting firm CynergisTek. In the top 10 breaches, as well as many other breaches on the federal tally, "encryption did not fail - it was never applied," he says. "Other mistakes include not knowing where their data is, where the risk is, and applying adequate controls to mitigate the risk."
Other problem areas, McMillan says, include a failure to examine the security practices of business partners, a lack of monitoring of users' access to sensitive health data and inadequate controls for authenticating both users and systems. "Last but not least is poorly constructed training programs that focus on compliance-driven requirements instead of what users really need to know to be good stewards of corporate information assets," he adds.
Evans summarizes the situation this way: "Healthcare organizations are not practicing security fundamentals. They have fragmented security efforts without formally integrated oversight, governance or alignment with other risk functions within the organization."
Many organizations lack an effective, ongoing risk assessment process and fail to consistently identify internal and external threats and vulnerabilities or to systematically implement basic controls, Evans says. "They have unassigned ownership and accountability over security and compliance requirements. As a result, they lack compliance with applicable security regulations, standards and requirements."
The recent 2014 Healthcare Information Security Today Survey shows that less than half of healthcare organizations have a documented security strategy in place.
Evans also contends that too many organizations still "deploy 'flat' networks and ad hoc architectures and technologies that are not adequately resourced, supported or managed. They aren't implementing adequate policies and procedures or consistently practicing or enforcing what they do have in place. Practicing these security fundamentals can offer substantial leverage for effectively managing information risk."
Key lessons can be learned from the tally of the biggest breaches.
"Every one of these breaches was completely avoidable if basic security practices had been followed, meaning these were not high-end sophisticated attacks, but rather lapses of judgment and sound application of security," McMillan says. "Second, simple deviations from good sound practices can have huge consequences for the business - many of these, not all, could have been mitigated by encryption.
"Lastly, while business associates may only represent a little more than 20 percent of the total number of breaches reported, they have the distinction of representing 50 percent of the largest breaches, and a very large percentage of the overall number of records potentially compromised as well. Yet they still get only second billing on the marquee of blame."
Under the HIPAA Omnibus Rule that went into effect last year, business associates are directly liable for HIPAA compliance, and, like covered entities, are subject to OCR enforcement actions that can include penalties ranging up to $1.5 million per HIPAA violation.
As a result, some experts expect the number of reported breaches involving business associates to eventually climb. That's in large part because many business associates are even less diligent than covered entities when it comes to protecting health data - and some of those vendors are still unaware of their HIPAA obligations.
"We still have many BAs out there that still do not believe they are BAs or who try to limit their response because they believe only a part of the rule applies to them," McMillan says. "BAs are not performing appropriate risk analysis like their counterpart covered entities. In short they haven't gotten serious about it yet."
In some cases, business associates are still in denial or are completely clueless about their HIPAA liability, Evans contends.
"I just came from a conference where a BA employee asked my advice in dealing with her legal team who was adamant that their company did not have to comply with the HIPAA Security rule and believed any breach of PHI was the covered entity's problem," he says. "I suggested that her legal team re-read the Omnibus Rule."
All healthcare organizations need to define security policies and standards, establish minimum security requirements and confirm they are being executed as intended, Evans says.
"They need to have well-defined ownership and accountability. They should hold accountable the practices of all risk management teams, challenge any poor practices and approaches, and demand improvements when gaps are identified. ... As in other important healthcare, business and IT functions, strong leadership is critical to effectively managing information risk."
McMillan says the federal tally of major breaches "should be a reminder that we still have a ways to go before we as an industry can say that we are truly protecting the public's right to privacy. More importantly, it says we still have systems and data at risk in an industry that has become critically reliant on those assets in just about every operational and clinical facet of the business."
Evans offers a similar perspective: "The HHS wall of shame clearly illustrates that a number of healthcare organizations still need to step up their security game nine years after the HIPAA Security Rule compliance deadline of April 2005."