Insider Blunders Still a Common Breach CulpritInfoSec Pros Need to Focus on More than Hacker Mitigation
While 2015 will be remembered as the year of major hacker attacks in the healthcare sector, most of the health data breaches added so far this year to the official federal tally have involved insider blunders, including improper disposal of paper records and lost or stolen unencrypted laptop computers.
Thirteen breaches affecting a combined total of more than 217,000 individuals have been added so far this year to the U.S. Department of Health and Human Services' "wall of shame" website of major breaches affecting 500 or more individuals.
The 1,464 total breaches listed on the tally, launched late in 2009, have affected a total of more than 154.7 million individuals.
A new report by Redspin, which analyzes last year's HHS breach tally, shows more than 113 million patient records were breached, "more than twice as many as in the five prior years combined." Nine of the top 10 incidents and 98 percent of records breached in 2015 were the result of hacking attacks and "IT incidents," such as phishing, according to the report.
The largest breach added in recent weeks to the federal tally is an improper disposal incident that occurred last November at Community Mercy Health Partners, which operates several hospitals in Ohio.
That incident, which involved paper and film records disposed intact in dumpsters at an Ohio recycling center, is now listed on the HHS website as affecting almost 114,000 individuals. The breach, which was reported to HHS on Jan. 25, was discovered on Thanksgiving 2015 by a local resident who was dropping off some items at the recycling center, only to be stunned seeing several dumpsters containing stacks of patient health records, other medical paperwork and folders related to Community Mercy Health Partners' current and former facilities.
The Community Mercy Health Partners incident is the third largest of the 58 improper disposal incidents listed on the tally since HHS began tracking major health data breaches in 2009.
The biggest improper disposal incident, reported in 2013 and affecting 277,000 patients at Texas Health Harris Methodist Hospital Fort Worth, stemmed from its business associate, Shred-It International, improperly disposing in a public dumpster decades-old microfiche records containing information of 277,000 patients. The second largest involved business associate Digital Archive Management improperly disposing about 190,000 paper and film records in 2013.
Some privacy and security experts say that while breaches like the Community Mercy Health Partners incident involving blatantly improper disposal of patient records are, unfortunately, quite common.
"Last year's huge hacker attacks so overshadowed every other type of PHI breach, it was easy to miss that nearly 70 large breaches in 2015 actually involved paper or films," says Dan Berger, CEO of security consulting firm Redspin.
Mishandling of old patient information continues to be a major issue, says privacy and security expert Rebecca Herold, CEO of consulting firm the Privacy Professor. "Improper disposal of information in all forms is a rampant problem throughout all types of healthcare entities and their business associates," Herold says. "Too many don't consider all the many types of devices that can collect and store protected health information, such as smartphones, copiers, fax machines, printers and a wide and growing number of Internet of Things devices."
In fact, HHS' Office for Civil Rights, as well as some state regulators, have taken enforcement action against organizations that have reported breaches involving improper disposal of protected health information.
For example, OCR in June 2014 announced an $800,000 HIPAA settlement with Parkview Health Systems, an Indiana community health system, after paper medical records for up to 8,000 patients were dumped in the driveway of a retiring physician's home.
Herold expects breaches involving data stored on improperly disposed personal mobile devices, including smartphones, to become even more common. "I believe these types of devices are off the radar for most organizations, especially when they are no longer used and then disposed of or sold online to recoup some of the investment," she says. "Think about all the PHI that is likely still on those devices. Disposal is a long-time risk that is never going to go away; it is only increasing in importance and risk with all the new devices that can store PHI."
To be certain, improper disposal isn't the only recurring "paper problem" reflected in the breaches reported to HHS so far in 2016. Other breaches recently added to the tally include three incidents involving unauthorized access to paper and film records and one incident involving the theft of paper records and film.
But the loss or theft of laptops and other devices, long a common cause of health data breaches, continues to be a problem as well. For example, Montana health plan New West Health Services, which does business under the name New West Medicare, recently reported a lost unencrypted laptop containing information on 28,000 individuals.
While security experts predict that cyberattacks will continue to wreak havoc in the healthcare sector in 2016, Herold advises healthcare entities and their business associates to be ready to prevent and respond to incidents caused by hackers, malicious insiders or stupid mistakes. But many organizations have problems carrying out multidimensional security efforts, she says.
"What I've consistently found ... is that those responsible for information security are trying to address information security management one topic at a time," she says. "When the focus goes only to mitigating one type of risk at a time, the other risks that exist will increase."
In addition to hacker attacks, insiders are often the culprits in major breaches, including incidents such as losing unencrypted computing devices, Herold says. "Add to that the security risks and problems that software, hardware and networks bring, and you have a wide variety of risks that must be addressed on an ongoing basis simultaneously."
Information security pros need to approach risk mitigation more like growing a garden, Herold suggests. "You need to attend to all the fruits and vegetables at the same time, and make sure all parts are weeded continuously. Otherwise there will be areas that are completely out of control."
Berger says good governance - and follow up - is vital. "Make sure you have the right policies in place, communicate them clearly and often throughout the organization, and enforce them," he says. Without enforcement, the best security policies become ineffective."