Breach Reports: We've Only Just Begun

Experts hope publicity spurs compliance
Breach Reports: We've Only Just Begun
The list of 36 recent major breaches of healthcare information posted Feb. 22 on a government Web site likely represents a small fraction of all the significant breaches in healthcare in recent months, security experts say.

But they're hopeful that the prospect of organizations seeing their name on a list of those that have failed to adequately secure their information will be a strong catalyst for launching a comprehensive risk management effort.

And they assert that most of the listed breaches probably could have been prevented with the use of data encryption and more aggressive training of staff about security issues.

The posting

On Feb. 22, the Office for Civil Rights within the U.S. Department of Health and Human Services began posting on its Web site a list of organizations that have notified HHS about a breach of unsecured health information involving more than 500 individuals.

Under the HITECH Act's breach notification rule, such incidents must be reported to HHS and the media within 60 days. Smaller breaches must be reported to HHS annually and also will be posted on the Office's site.

(For details on the initial breach postings, click here.)

More to come

"I would expect that over time, we'll see a lot more breaches listed because there was a breach notification enforcement delay," says Melissa Bianchi, partner in the Washington law firm of Hogan & Hartson.

Although the breach notification rule took effect Sept. 23, HITECH called for a "grace period" until Feb 22, during which federal regulators would not impose penalties for violations.

Because of the grace period, Bianchi says, "A number of organizations spent the early part of the year getting their compliance plans in place, so they may not have reported breaches.

Time for action

Now, faced with the double-edged enforcement sword of potential penalties, plus the embarrassment of having their name on a list of organizations that failed to secure their data, Bianchi and others are hopeful that hospitals, physician groups, health insurers and their business associates will finally get their security acts together.

"Most organizations wait until the final date for compliance and enforcement before they actually start doing anything about any new regulation," says security consultant Rebecca Herold, owner of Rebecca Herold & Associates, Van Meter, Iowa. As a result, many hospitals and others are about discover just how big a job it is to prepare a risk management strategy and a breach notification plan, she notes.

The initial list of major breaches would have been much longer, experts say, if not for the breach notification rule's "harm threshold" provision. That controversial provision, devised by the U.S. Department of Health and Human Services, allows healthcare organizations to determine whether a particular data breach presents a "significant risk" and thus needs to be reported.

Tom Walsh, president of Tom Walsh Consulting LLC, Overland Park, Kan., cautions healthcare organizations to take a very systematic approach to assessing whether an incident constitutes "significant risk" and not alter the evaluation criteria on a case-by-case basis.

He advises organizations to use such resources as the North Carolina Healthcare Information and Communications Alliance's breach notification risk assessment tool, available for free at

Encryption in the spotlight

The initial list of breaches highlights the need for encryption, security experts say. That's because the majority of the cases involved the theft of laptops, other portable devices, CDs and hard drives that contained unprotected data. "The industry should understand and embrace encryption on portable media," says Kate Borten, president of the Marblehead Group, a security consulting firm based in Marblehead, Mass. "My guess is that in most theft cases, the data wasn't the target, but rather the device itself. But if the data on the device isn't encrypted, the theft is a breach." Under the HITECH Act, those organizations that use a specific form of encryption do not have to report breaches. Reported breaches involving such factors as mailing errors or phishing scams point to the need for more intensive staff training as well as security awareness campaigns, Herold says. (For an in-depth interview with Herold, click here.)

Tough to find

Borten expressed disappointment that the Office of Civil Rights buried the breach list, required under the HITECH Act, deep within its difficult to navigate Web site. "Congress intended this to be the wall of shame," she says. "Why bother posting it unless the public knows what's going on?" She also criticized federal officials for delaying the start of audits to measure compliance with the HIPAA privacy and security rules and for taking what she portrayed as a low-key approach to enforcement so far.

Stop procrastinating

Nevertheless, she urged organizations of all sizes to stop procrastinating and start complying. "When breaches can be prevented through reasonable measures, we have an obligation to implement them, even when there is a cost associated with it." (For an in-depth interview with Borten on security tips, click here). Walsh said it comes down to the old catch phrase "pay me now or pay me later." He stressed that investing in a solid risk management strategy now is far less expensive in the long run than dealing with the penalties and costs associated with a breach.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.