Health Breaches: 6.3 Million Affected
Federal List of 214 Incidents Raises Awareness
The tally, mandated under the HITECH Act, has served as an eye-opener, making many healthcare organizations much more aware of their security risks. Fear of bad publicity from reporting a security incident is also proving to be a powerful motivator for breach prevention. "We need to get more vigilant," notes Charles Christian, CIO at Good Samaritan Hospital in Vincennes, Ind. His hospital is updating its risk assessment and investing in several new technologies aimed at preventing breaches.
The breach list also has called attention to the No. 1 threat: The loss or theft of unencrypted computer devices, which account for 57 percent of all incidents so far. And roughly 27 percent of the major breaches involve the theft or loss of a laptop.
Encryption an Issue
The HITECH breach notification rule includes a "safe harbor" that exempts from reporting breaches of information that was encrypted using the standards specified in HHS guidance. The exemption applies only if the key needed to decrypt the data was not also exposed in the incident.
"The most immediate issue for most healthcare organizations is encrypting laptops," says Kate Borten, president of the Marblehead Group. "Getting less attention, but still important, is the issue of encrypting backup tapes and disks stored offsite. But once laptops and backups are encrypted, the harder challenge is securing other portable devices and media, such as smart phones and USB drives. I see this as the next major challenge, and I believe it will be the major pain point for years to come."
Thanks to the federal breach list, hospitals are now paying much closer attention to the potential high cost of dealing with breaches, says Richard Jankowski, information security officer at Memorial Sloan-Kettering Cancer Center in New York. "It gives organizations a lot of justification for spending money on encryption."
Sloan-Kettering has encrypted all its laptops. In 2011, it will encrypt thumb drives as well as sensitive information in back-end databases as part of its ongoing breach prevention campaign, Jankowski explains.
Healthcare organizations need to develop a better understanding of how encryption fits as just one of many components in a broader security strategy, says Mac McMillan, CEO at CynergisTek. For example, he advises organizations to consider limiting the number of devices where patient information resides and applying encryption only for devices and data for which there is no other acceptable control mechanism.
Breach List Update
The Department of Health and Human Services' Office for Civil Rights began posting incidents to its breach list on Feb. 22 for cases dating back to Sept. 22, 2009. The office tracks cases affecting 500 or more individuals. Of the breaches reported so far, 47 occurred in 2009 and 167 in 2010.
Since Nov. 22, 23 incidents affecting a total of 975,000 individuals were added. Some 921,000 individuals were affected by four incidents in Puerto Rico, but the cases may include overlapping victims. Officials at the HHS Office for Civil Rights were unavailable to provide clarification.
As reported earlier, about 400,000 Puerto Ricans enrolled in the government's health insurance plan for the impoverished have potentially been affected by a breach incident involving unauthorized access to an Internet database. Subsidiaries of Triple-S Management Corp., a holding company that runs Blue Cross and Blue Shield plans and serves as a government contractor, were listed in three of the four Puerto Rican incidents. The other incident involved Medical Card System, another insurer. Triple-S and Medical Card System spokesmen were unavailable for comment.
Breach Notification Rule
Under the HITECH Act's interim final breach notification rule, breaches affecting 500 or more individuals must be reported to the HHS Office for Civil Rights and the news media, as well as the individuals affected, within 60 days.
A final version of the breach notification rule, which could further clarify exactly what types of incidents need to be reported, is still in the works. The interim final version of the rule contains a controversial "harm standard" that allows organizations to conduct a risk assessment to determine if an incident represents a significant risk of harm and merits reporting.
So far, roughly 21 percent of the major breach incidents reported have involved business associates -- vendors that have contracts with healthcare organizations and have access to protected health information.
A proposal to modify the HIPAA privacy, security and enforcement rules makes it even more clear that business associates, as well as their subcontractors, must comply with the rules. The final version of that proposed rule is expected early in 2011.
Largest Health Information Breaches
In addition to the Puerto Rico incidents, the largest breaches in the federal tally involve:
- AvMed Health Plan, which alerted more than 1.2 million about a breach related to the theft of a laptop.
- BlueCross BlueShield of Tennessee, which informed nearly 1 million individuals about a breach stemming from the theft of 57 hard drives from a closed call center.
- South Shore Hospital, which reported a breach involving the loss of backup computer tapes that could affect 800,000.
- Affinity Health Plan, which notified about 345,000 about a breach related to returning leased copy machines that contained hard drives with patient information stored on them.