Breach List: A Call to Action?
With so many incidents, security funding could get a boost
"The list could raise this issue to the attention of upper management, the people who provide the resources," says Lisa Gallagher, senior director, privacy and security at the Healthcare Information and Management Systems Society.
Some hospitals already are using the list to build awareness. "We have been using it in our training," says Terrell Herzig, information security officer at UAB Medicine, Birmingham, Ala., which owns a 1,000-bed hospital and many clinics. The security officer also shares breach list updates with senior management as he advocates his breach prevention strategy.
About 70 percent of the incidents reported so far have involved the theft or loss of computer devices or paper records. Many have involved missing or stolen laptops, portable hard drives or flash drives.
As a result, healthcare organizations should have their eyes wide open to the risk posed by portable devices and make sure that they are using adequate physical security, encryption or both, Gallagher and Herzig say.
They also advise organizations to:
Under the HITECH Act breach notification rule, healthcare organizations must notify affected individuals in writing without unreasonable delay, and in no case later than 60 days after discovering a breach. Breaches affecting 500 or more individuals must also be reported to the HHS Office for Civil Rights, which posts them on its public breach list, and to prominent media outlets when more than 500 residents of a state are involved.
"The breach list is a good wakeup call for the industry to go look at their policies and procedures and physical security and make sure they have control over all the portable devices they deploy," Gallagher says.
"I'm starting to feel that the very basic security activities, including training, appear to be lacking. But organizations may also lack appropriate policies and procedures, such as rules for what you can and cannot do with portable devices and what the consequences are if you lose a device."
The value of encryption
The HITECH Act contains a safe harbor: a lost or stolen device is not a reportable breach if the protected health information on it was encrypted in a manner consistent with HHS guidance, which points to NIST-approved methods, and the decryption key was not compromised along with the data. A password-protected but unencrypted disk does not qualify, and neither does an encrypted drive carried with its key or passphrase.
UAB Medicine has encrypted all its laptops and has shifted to encrypted USB flash drives as well, Herzig says. Plus, it has taken the extra step of installing Computrace LoJack for Laptops, which can track a device when it's stolen.
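Before a lost laptop or flash drive can be written off under the safe harbor, someone has to be able to show that the volume really was encrypted, with protection active and the key not sitting on the disk. The script below is an added example, not UAB's or the article's own code; it assumes a Windows fleet protected with BitLocker (Windows 8 / Server 2012 or later, run elevated, using the built-in Get-BitLockerVolume and Get-Volume cmdlets), and the pass/fail rules it applies (TPM-bound OS volume, a recovery password to escrow, no suspended protection) are this example's own policy rather than anything the article or HHS guidance spells out.

```powershell
# Added example, not from the article: audit BitLocker state on one Windows device
# so it can be counted as "encrypted" (or not) in a portable-device inventory.
# Assumes the BitLocker PowerShell module (Get-BitLockerVolume) and Get-Volume.
# The compliance rules below are this example's own policy, not HHS requirements.

function Test-VolumeSafeHarborReady {
    param([Parameter(Mandatory)] $Vol)   # one object from Get-BitLockerVolume

    $issues = @()

    # A suspended volume (protectors off) keeps a clear key on disk so the machine
    # can boot unattended; anyone who steals it gets the same free pass.
    if ($Vol.ProtectionStatus -ne 'On') {
        $issues += 'protection is off or suspended (clear key on disk)'
    }

    # Encryption that never finished leaves plaintext sectors behind.
    if ($Vol.VolumeStatus -ne 'FullyEncrypted') {
        $issues += "volume status is $($Vol.VolumeStatus)"
    }

    $types = @($Vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    if ($Vol.VolumeType -eq 'OperatingSystem') {
        # Require the volume key to be sealed to the TPM (Tpm, TpmPin, TpmStartupKey...)
        # so it is neither readable off the disk nor guessable from a weak passphrase.
        if (@($types -match '^Tpm').Count -eq 0) {
            $issues += 'OS volume key is not TPM-protected'
        }
    }

    # Without a recovery password there is nothing to escrow in AD/MBAM, which means
    # the organisation itself cannot recover the data after a TPM or board failure.
    if ($types -notcontains 'RecoveryPassword') {
        $issues += 'no recovery password protector (nothing to escrow)'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        MountPoint   = $Vol.MountPoint
        VolumeType   = $Vol.VolumeType
        Compliant    = ($issues.Count -eq 0)
        Issues       = ($issues -join '; ')
    }
}

# Removable media (BitLocker To Go) are the flash drives the article is about; an
# unencrypted removable volume is the highest-risk finding in this report.
$removable = Get-Volume |
    Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
    ForEach-Object { [string]$_.DriveLetter }

$report = foreach ($v in Get-BitLockerVolume) {
    $r = Test-VolumeSafeHarborReady -Vol $v
    $letter = $v.MountPoint -replace '[:\\]', ''
    if (($letter -in $removable) -and ($v.VolumeStatus -eq 'FullyDecrypted')) {
        $r.Issues    = 'removable drive with no BitLocker To Go; ' + $r.Issues
        $r.Compliant = $false
    }
    $r
}

$report | Format-Table -AutoSize
# Ship $report to a central inventory: a device that goes missing while any of its
# rows is non-compliant has to be handled as a reportable breach, not a safe-harbor loss.
```

The point of the ProtectionStatus check is the one most inventories miss: a volume that BitLocker reports as fully encrypted but suspended is, for breach-notification purposes, unencrypted, because the key needed to read it is stored on the same disk.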
In one recent incident, a Boston physician had his unencrypted laptop stolen while he was visiting South Korea for a lecture. But the computer carried tracking software that was later used to disable the hard drive, rendering the information unreadable. That outcome depends on the thief connecting the machine to a network before pulling the data off it, so remote tracking and wiping are a useful backstop for an encrypted device rather than a substitute for encryption.
Addressing all risks
Herzig cautions against simply encrypting and protecting laptops without taking a broader risk management approach that pinpoints all areas of risk and addresses them. For example, based on its risk assessment, UAB now shreds its hard drives and flash drives before disposal. "The last thing we want is for somebody to find something on the street," he notes.
The largest breach incident reported so far involved the theft of 57 hard drives at a closed call center of BlueCross BlueShield of Tennessee.
Staff education also is vital, Herzig stresses. "Educate them about the threat and about the policies and then re-educate them."
Gallagher laments that the breach list seems to confirm a lack of physical security, given how common thefts are. Hospitals and others need to write policies and then educate staff about such basic steps as locking laptops inside desks, locking doors and not leaving devices inside cars, she says.
"If you're not going to encrypt the device, you'd better protect it in other ways."
She also argues that healthcare organizations should carefully consider whether it's necessary to store sensitive patient information on so many laptops and flash drives, given the high level of risk involved.
Don't forget the paper
"With all the focus on electronic data, it's important not to forget about the paper records," Gallagher stresses. For example, files should be kept under lock and key, and documents should be shredded before they're thrown away.
When organizations experience a breach, they should conduct a "post-breach analysis" to determine the intent behind the breach, such as medical identity theft, assess the risk of a similar incident occurring, and take appropriate preventive measures, she says.
Another eye-opener on the breach list is the case of Affinity Health Plan, which involved leased copier machines. The insurer was unaware that the machines it returned contained hard drives storing patient information.
Herzig points out that some copiers have a solid state drive instead of a hard drive, which can be even more difficult to detect. And he points out that in addition to removing hard drives when returning a leased machine, hospitals should take steps to ensure that a repairman doesn't remove a drive and take it with him when servicing a copier.
What's on the horizon?
Although the federal breach list does not yet include a massive hacking incident, Herzig predicts that it's only a matter of time before hackers find a way to steal information from smart phones that healthcare professionals use. That's why he's investigating options for using new technology to encrypt data on phones or requiring all staff to use one type of phone that offers the best security features.
Keeping patient information private and secure amounts to controlling a business risk that could severely harm an organization, Gallagher stresses. But getting funding to adequately address the issue is challenging, she acknowledges.
That's why she's hopeful the shock value of the federal breach list will help hospitals and clinics win financial support for thorough risk assessments and investments in appropriate security technologies.