With the increasing incidences of healthcare related breaches, providers must become more diligent in securing protected health information (PHI).
The HITECH Act, implemented and enforced by HHS, CMS, and OCR, and recently updated and finalized in the HIPAA Omnibus Rule seems to be having a slight positive impact on security. Even though payers and providers have stepped up their game securing data; the risks for data loss are still present.
According to Redspin, a healthcare IT security firm, there has been an explosion of protected health information security incidents over the past five years. For example, the following is a summary of healthcare breach highlights from 2009 through 2013:
– 804 breaches of protected health information since 2009
– 29,276,385 patient health records affected by breach since 2009
– 7,095,145 patient health records breached in 2013
– 137.7% increase in the number of patient records breached in 2012-2013
– 85.4% of the total records breached in 2013 resulted from the 5 largest incidents
– 4,029,530 records breached in the single largest incident
– 83.2% of 2013 of patient records breached in 2013 resulted from theft
– 22.1% of breach incidents in 2013 resulted from unauthorized access
– 35% of 2013 incidents were due to the loss or theft of an unencrypted laptop or other portable electronic device
– 20% of protected health information (PHI) breaches have involved a business associate each year from 2009-2013
The Annual Report to Congress on Breaches of Unsecured Protected Health Information for 2011 and 2012 identified the type of breaches, the causes of data breach and the source of data breaches. They are listed in order as follows:
Breaching Entity
1. Providers
2. Business Associates
3. Health Plans
Causes of Data Breach
1. Theft
2. Loss of PHI
3. Unauthorized Access
4. Hacking/IT incident
Sources of Breach
1. Laptop
2. Paper
3. Server
4. Desktop Computer
5. Other Portable Device
6. Email
7. Electronic Medical Records
8. Other
Here are some steps to protect patient’s health records and data in your organization:
1. Provide security awareness and privacy education training for your staff
2. Review and update your physical security and access control policies
3. Update the controls to protect networks to ensure safeguards against unauthorized users accessing PHI through such mechanisms as:
– Computer auto-locking and screen saver locks
– Unique usernames and password protection
– Extensive logging of computing activity
4. Physical access controls that include, but are not limited to the use of:
– CCTV coverage 24×7
– Proximity badge access and logging controls
– Periodical review of access rights and reconciliation
5. Incident Response
6. Adherence of Red Flag Rules
7. Develop a comprehensive incident response program to ensure proper and prompt identification of potential threats to physical and data network
8. Train the staff on proper notification channels if patient information compromise
9. Perform internal quarterly security risk assessments to ensure ongoing compliance and gap remediation between evaluation periods
10. Contract with a third-party security firm annually to perform a security assessment
More entities are following the advice of experts and updating (or creating) their security risk mitigation strategies for protected health information to secure their data and prevent breaches from occurring in the future. Let’s hope the results in 2014 shows a decline of security events. If so, I think we’ll all sleep better at night.