Fewer Health Breaches, But Same Culprit
Loss, Theft of Unencrypted Devices Still a Problem
Midway through 2013, an apparent decline in major healthcare data breaches, compared with last year, continues. Lost or stolen unencrypted devices and media continue to account for about half of all breaches, according to the official federal tally. And some organizations, including Stanford Medicine, have struggled with multiple incidents.
As of June 25, the Department of Health and Human Services "wall of shame" lists 619 breaches dating back to September 2009 affecting a total of about 22.2 million individuals. About 55 percent of those breaches have involved lost or stolen unencrypted computing devices and media of all types, including mobile. The HHS tally tracks breaches affecting 500 or more individuals since the HIPAA breach notification rule went into effect.
The list includes 42 breaches that have occurred this year, affecting a total of about 175,000 patients. By comparison, there were about 150 incidents in 2012 affecting a total of 2.6 million patients and about 160 breaches in 2011 affecting 11 million.
This year, Stanford's Lucile Packard Children's Hospital has had two incidents - one in January and one in May - involving stolen unencrypted laptops. Those two breaches affected a total of about 70,000 individuals. Stanford University's healthcare units, known collectively as Stanford Medicine, have had five major breaches since 2010 (see: Fifth Stanford Breach Leads Roundup).
"It's been very frustrating," says Bill Lazarus, Lucile Packard information security officer, about the most recent breaches. "We do have an aggressive implementation under way to prevent vulnerabilities." That includes an array of administrative and technical controls, many of which have been fully implemented, he explains.
The stepped-up efforts at the children's hospital, as well as at Stanford Medicine units, include mandatory encryption of mobile and fixed devices, including biomedical systems; a new mobile device management system; and a new security information event management, or SIEM, system.
The unencrypted laptop stolen in May, which contained information on 13,000 patients, was an older computer that was "defective and broken and set for decommission," Lazarus says. It had been slated for replacement and was scheduled for collection when it was stolen, he adds.
In addition to Stanford-issued mobile devices, all personally owned mobile devices used by Stanford Medicine employees also are required to be encrypted. Plus, Stanford Medicine has implemented a new mobile device management system from Airwatch to monitor whether encryption is implemented and to enable remote wipe capabilities on mobile devices.
The MDM system primarily is used to monitor Apple iOS and Android devices, Lazarus says. While Mac laptops can be supported by the MDM, Windows-based laptops are not, he says. So Stanford is assessing the addition of an "endpoint security" solution that will allow tracking of off-network devices and remote wiping of Windows-based laptops, he says.
Stanford Medicine also is rolling out a new SIEM system that will help the organization monitor and investigate unusual activity on its systems, Lazarus says. This will provide Stanford with improved event correlation enabled through customized rule sets, he explains. For instance, if a failed user login recurrence threshold is exceeded, and is correlated with a specific user access group, an actionable alert is created.
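The correlation rule Lazarus describes, as an added illustration rather than Stanford's own SIEM configuration: failed logins are counted per user in a sliding time window, and an alert fires only when the count reaches the threshold and the user belongs to a watched access group. The log format, access-group table and threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format, not a real SIEM feed).
SAMPLE_LOG = """\
2013-06-25T08:00:01 auth FAIL user=jdoe src=10.1.4.22
2013-06-25T08:00:09 auth FAIL user=jdoe src=10.1.4.22
2013-06-25T08:00:15 auth FAIL user=jdoe src=10.1.4.22
2013-06-25T08:00:21 auth FAIL user=jdoe src=10.1.4.22
2013-06-25T08:00:30 auth FAIL user=jdoe src=10.1.4.22
2013-06-25T08:01:02 auth OK   user=jdoe src=10.1.4.22
2013-06-25T08:02:00 auth FAIL user=nurse7 src=10.1.9.5
2013-06-25T08:02:05 auth FAIL user=nurse7 src=10.1.9.5
2013-06-25T09:30:00 auth FAIL user=ehradmin src=10.1.2.8
2013-06-25T09:30:03 auth FAIL user=ehradmin src=10.1.2.8
2013-06-25T09:30:07 auth FAIL user=ehradmin src=10.1.2.8
2013-06-25T09:30:12 auth FAIL user=ehradmin src=10.1.2.8
2013-06-25T09:30:16 auth FAIL user=ehradmin src=10.1.2.8
"""

# Hypothetical directory lookup: user -> access group (stands in for an LDAP/AD query).
ACCESS_GROUPS = {"jdoe": "clinical_staff", "nurse7": "clinical_staff", "ehradmin": "ehr_admins"}

LINE_RE = re.compile(r"^(\S+) auth (FAIL|OK)\s+user=(\S+) src=(\S+)$")

def correlate_failed_logins(log_text, watched_groups, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per user whose FAIL count inside `window` reaches `threshold`
    and whose access group is in `watched_groups`; other users are ignored."""
    recent = defaultdict(list)   # user -> timestamps of failures still inside the window
    alerted = set()              # suppress duplicate alerts for the same user
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue             # unparseable line: skip rather than crash the rule
        ts_str, result, user, src = m.groups()
        ts = datetime.fromisoformat(ts_str)
        if result != "FAIL":
            continue
        # Sliding window: drop failures older than `window` before counting this one.
        recent[user] = [t for t in recent[user] if ts - t <= window]
        recent[user].append(ts)
        group = ACCESS_GROUPS.get(user, "unknown")
        if len(recent[user]) >= threshold and group in watched_groups and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "group": group, "src": src, "failures": len(recent[user]), "at": ts_str})
    return alerts
```

Raising the threshold or narrowing the watched groups is how such a rule is tuned to keep the alert actionable rather than noisy.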
So far, the federal tally of major breaches includes no 2013 incidents affecting 100,000 or more individuals. In 2012, there were six incidents affecting 100,000 or more people - with a total of 1.7 million individuals impacted. In 2011, there were eight mega-incidents, affecting a combined total of about 10 million people.
Federal officials have added 19 incidents to the tally in the past month. Those newly listed incidents, which affected a total of 116,000, included seven breaches that involved lost or stolen unencrypted computing devices or media.
The recent Stanford breaches are not yet on the "wall of shame." Incidents are added to the tally when federal officials confirm the details. The tally does include, however, three earlier Stanford Medicine breaches. Those include a September 2011 breach, in which Stanford Hospital & Clinics reported that a business associate's subcontractor posted information on a website about 20,000 patients treated in a hospital emergency department. Another incident in August 2012, affecting 2,500 patients, involved the theft of an unencrypted computer from a physician's locked office. A third incident at Lucile Packard Children's Hospital in January 2010, involving a lost unencrypted computer, affected 532 individuals.
Since 2009, 22 percent of the 619 incidents on the HHS wall of shame have involved business associates. For 2013, so far, that figure stands at almost 30 percent.
Under the HIPAA Omnibus Rule, which has a Sept. 23 compliance deadline, business associates and their subcontractors are directly liable for data breaches.
Stanford Medicine isn't the only major California provider organization to experience multiple breaches.
Sutter Health, which operates 24 hospitals and numerous other facilities in Northern California, earlier this month reported its third major breach since October 2011.
A recent drug raid by police in California resulted in Sutter Health notifying about 4,500 of its patients about a security incident. A notice posted on Sutter's website June 7 says that during the law enforcement investigation, officials discovered information pertaining to patients of several Sutter facilities. That information included patients' names, Social Security numbers, dates of birth, genders, addresses, ZIP codes, home phone numbers, marital status, names of employers and work phone numbers. An investigation continues.