Privacy & Security

Shocks and surprises in new breach trend studies

Healthcare organizations need to constantly assess the maturity of their information risk management programs
By Bob Chaput
May 11, 2015
01:52 PM

Since 2010, HHS has documented more than 1,000 major data breaches (where each incident involved the compromise of more than 500 patient records). Now we’re starting to see some in-depth analyses of those breaches. In the new issue of the Journal of the American Medical Association (JAMA), there’s a study that concludes that 29 million medical records were compromised between 2010 and 2013.

The JAMA study also found that six of the breaches involved at least one million records each – and more than one third of all breaches occurred in just five states: California, Texas, Florida, New York and Illinois.

The study was accompanied by an earnest editorial subtitled “The Importance of Good Data Hygiene.” The authors called for a total overhaul of HIPAA, which they described as “antiquated and inadequate.” They noted that HIPAA doesn’t adequately regulate the use of Protected Health Information (PHI) by “digital behemoths” like Apple, Google, Facebook and Twitter.

In addition to the JAMA report, our company did an extensive analysis of 2014 data breach trends summarized here. We thoroughly documented 89 of those breaches, and we excluded the huge Community Health Systems breach so it wouldn’t skew the other data. Here are the most important trends we spotted:

Non-digital breaches still a problem – In the 89 incidents, paper breaches accounted for 9 percent of compromised records in the first half of 2014 – and 31 percent in the second half. Nearly 200,000 paper records were compromised, plus about 60,000 pieces of individually identifiable health information ranging from lab specimens to x-rays. Obviously, it’s still vitally important to safeguard the confidentiality of non-digital health records. Organizations must clarify and enforce policies and procedures to achieve that goal.

Theft of portables still a concern -- We confirmed the loss or theft of 12 portable computing devices last year – and the lack of appropriate physical safeguards was a major contributing factor. In addition to taking greater common-sense precautions, organizations should use whole-disk encryption and other technical safeguards to render PHI unusable, unreadable or indecipherable to unauthorized people. Policies and procedures for portable device security need to be clearly communicated to all employees – and workforce training needs to involve much more than a dry online tutorial.

Watch out for rogue employees and business associates – We uncovered 45 incidents involving company insiders that resulted in the compromise of nearly half a million records. In other words, about half of all the data breaches were the result of mistakes or malice by an organization’s own people. It’s impossible to prevent every workforce-related breach, but everyone in the organization needs to be on the lookout for unusual activities that could spell trouble. All employees and BAs need to know that the hammer will come down – swiftly and consistently – on insiders who intentionally compromise patient data.

No organization should shout “hooray” simply for avoiding an Anthem-scale breach. There are many other incidents – improper disposal of paper records, misplaced x-rays, employee snooping, and more – that can still do a lot of financial and reputational damage. Those are the types of breaches that even a HIPAA tech-fix can’t solve.

These breach trend summaries agree on one main point: healthcare organizations need to constantly assess the maturity of their information risk management programs – and not view them as a narrowly defined “HIPAA compliance” duty.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Capitol rotunda at sunset
Congress releases AI policy blueprint

Most Read

Aidoc, NVIDIA intro new plan to speed AI adoption in healthcare
Winning cybersecurity warfare is the ultimate millstone for CISOs
A passwordless future for clinicians? Industry paper points to a new paradigm
White House OMB is reviewing proposed cybersecurity updates to HIPAA
HC3 alerts providers of Scattered Spider threat
New Oracle EHR promises AI-enabled reinvention

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

More Stories

Dr. Eric Liederman, CEO of CybersolutionsMD
Q&A: CybersolutionsMD CEO on preventing cyberattacks
Change healthcare booth
Nebraska sues Change Healthcare over ransomware attack
Vijayashree Natarajan of Omega Healthcare on AI
Three for 2025: data security, cancer informatics and agentic AI
Capitol Hill
Congress looks set to extend telehealth and hospital-at-home flexibilities
Josh Di Frances at LG NOVA_Top down view of startup team Photo by NanoStockk/iStock/Getty Images Plus
What a startup pitch competition shows about IT innovation
Ravi Teja Karri of Froedtert Health on AI
Using AI and ML in predictive analytics for bed demand forecasting
Abstract image of AI brain and technology
ASTP updates HHS AI Use Case Inventory for 2024
Female doctor on laptop smiles at patient in foreground who is taking notes
Report shows overwhelming doctor support for virtual care