A new report by healthcare IT security company Redspin concludes that hospitals need to do a better job of encrypting patient data to address the spiraling scale of security breaches. They also need to close the gap between doctors and nurses bringing (and using) their own devices at work and the security measures needed to ensure that patient information stored on those devices stays protected when they are later stolen or lost.
The scale of the security breaches outlined in the report is staggering. Since the HITECH Act was enacted in 2009, 804 breaches affecting 29.3 million patient health records have occurred, according to Redspin’s report. In 2013 alone, 199 breaches compromised 7.9 million patient health records.
More than 80 percent of these breaches were caused by theft of laptops and digital media containing PHI. About 35 percent were lost devices, which have to be reported as theft unless the data is encrypted. Another 22 percent of the security breaches were caused by unauthorized access. One in five of these breaches was caused by a business associate — a group that now has liability as part of the HIPAA Omnibus final rule to update the act.
The report is basically a plea for hospitals to do a better job of preventing these breaches, particularly by educating their staff:
This should be a clarion call to the healthcare industry. The trajectory is predictable yet preventable. With PHI data on more portable devices used by more “under-educated” employees, it is a virtual certainty that there will be more breaches. Mitigating that risk must become a higher priority throughout the entire industry.
There are numerous benefits from electronic patient records including improving cost efficiency, care delivery and patient outcomes. The greatest benefit of digitizing patient health records is also its greatest weakness: It makes patient data readily available unless the necessary security measures are in place.
The downside of EHR is that it amplifies mistakes. In a single incident, the security of more than 4 million unencrypted patient health records in one office was compromised when four desktop computers were stolen from Advocate Health and Hospitals. The five largest breaches of patient information accounted for 85 percent of the total data breaches reported last year. Together with that desktop theft, laptops stolen from Horizon Healthcare Services and AHMC Healthcare made three of those five breaches computer thefts; microfiche and paper records were involved in the other two.
Among the recommendations of the report are:
1. Encrypt “data at rest.” The company believes that this should be made a mandatory HIPAA requirement, at least on portable devices. Had encryption been more widely deployed, the problem would not have been so dire.
2. Do regular HIPAA risk analysis.
3. Implement monthly or quarterly vulnerability assessments to reduce the threat of hackers.
4. Conduct security awareness training with staff and build a culture of security among them.
5. Be in regular contact with Business Associates on security issues. Redspin found that the percent of large-scale data breaches involving Business Associates plummeted from 56 percent in 2009-2012 to 10 percent last year. The HIPAA Omnibus rule and its delay may have made companies falling into this category more proactive about taking measures to avoid security breaches.