Health Breach Tally: Cause for Optimism?The Stats Are Improving, But What's Ahead?
So far, the statistics on major health data breaches for 2013 look encouraging. And the stats for 2012 showed substantial improvement vs. 2011. But could we see a surge in breach reports after organizations begin using updated federal guidance about how to assess whether to report a breach? Only time will tell.
See Also: Attack Surface Management: Improve Your Attack Surface Visibility
First, let's take a look at the latest breach statistics. We've been crunching the numbers monthly since the Department of Health and Human Services' Office for Civil Rights began posting its "wall of shame" on its website. That tally, mandated by the HITECH Act, includes breaches affecting 500 or more individuals that have been confirmed by federal investigators since late September 2009, when the original breach notification rule kicked in.
What's incredible is that the problem of lost or stolen unencrypted devices and media shows no sign of fading away.
Let's start with the big picture. As of May 21, the ongoing tally lists 600 breaches affecting more than 22 million people. More than half of breaches have involved lost or stolen unencrypted computer devices or media. And more than 20 percent have involved a business associate of some sort.
The wall of shame now shows more than 140 breaches occurred in 2012, affecting a total of almost 2.6 million individuals. Only six breaches affected at least 100,000; those incidents impacted a combined total of 1.7 million individuals.
The 2012 figures represent a significant improvement from 2011, when there were about 160 breaches affecting roughly 11 million individuals - including eight incidents impacting an astounding combined total of about 10 million.
Although federal officials continually add incidents - sometimes dating back a year or more - to the tally, it's clear that the breach numbers look a lot better for 2012 than 2011. And that's good news, indeed. But what about 2013?
So far, the tally lists about 29 breaches affecting a total of more than 120,000 individuals this year. That's right, no whopper breaches are on the list - at least not yet. But it's still way too early to jump to any conclusions about how the breach numbers will look for this year.
What's incredible, however, is that the problem of lost or stolen unencrypted devices and media shows no sign of fading away. For 2013, almost 60 percent of incidents stemmed from this cause. Last year, the percentage was about the same. And the lack of improvement in this arena is mind boggling.
Our recent Healthcare Information Security Today survey offers hope that healthcare organizations are taking the right steps to address this issue. The top two breach prevention action items for this year are stepping up training on privacy and security issues and encrypting mobile devices and removable media.
If encrypted devices are lost or stolen, the information they contain is far less likely to be breached. As a result, such losses or thefts don't have to be reported to authorities.
Another important breach prevention strategy, but one that is not always practical, is to ban the storage of patient information on portable devices. Roughly half of the organizations we surveyed prohibit storage of patient data on mobile devices.
But training is also an essential breach prevention step. Folks need constant reminders; let's face it, we're all forgetful. Staff members needs to be reminded not to leave their laptops in plain view inside their parked cars. They need to be reminded to make sure any patient data on their computers is encrypted. They need to be told again and again that that they must use only secure e-mail for transmitting sensitive data. Annual training is insufficient.
But even if breach prevention efforts improve, we could soon see an increase in the number of major breaches reported to federal authorities. That's because the HIPAA Omnibus Rule spells out objective guidance for how to assess whether a security incident is a reportable breach. The vague "harm standard" language in the original breach notification rule was far too tough to interpret. The new guidance outlines how to do a more precise risk assessment to size up the threat to patient data. And that guidance was long overdue.
Will the new breach notification guidance, in fact, lead to more breaches making their way to the federal wall of shame? That's the expectation of many regulatory experts. We'll have to wait and see. The omnibus rule won't be enforced until September, and organizations can use the old - or the new - notification guidance until then.
My fingers are crossed that the trend toward far fewer gigantic breaches that we saw in 2012 will carry over into this year. And as federal officials continue to ramp up HIPAA enforcement and publicize hefty fines for violations, that will go a long way, indeed, toward motivating healthcare organizations of all sizes to ramp up breach prevention efforts.