BreachExchange mailing list archives
HIPAA Data Breaches on the Rise
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 14 Apr 2015 19:06:59 -0600
Source: http://www.medpagetoday.com/MeetingCoverage/HIMSS/50983

The number of health data breaches has been increasing in recent years, and the most frequent type was theft, Marion Jenkins, PhD, said here at the annual meeting of the Healthcare Information and Management Systems Society.

Since 2009, there have been 1,185 data breaches as defined by the Health Insurance Portability and Accountability Act (HIPAA), said Jenkins, who is chief strategy officer at 3t Systems, a healthcare consulting firm in Denver. And the pace is accelerating, with an increase of more than 50% in the last 12 months. Breaches have so far affected 133 million patient records.

The smallest reported breach was of 441 records at the Hospice of Northern Idaho. "You don't have to be a really large organization to end up on the list," Jenkins said. The largest breach involved 80 million records at the health insurer Anthem; that case, which involved hacking, was "particularly disturbing" because it involved both employee and patient data, he added.

Paper, Electronic Data Covered

HIPAA requires providers to "secure all electronic protected health information against accidental or intentional causes of: unauthorized access, theft, loss or destruction, from either internal or external sources," Jenkins explained. HIPAA security regulations govern electronic records, while HIPAA's privacy rules apply to paper records.

Healthcare providers should also be aware that in addition to regulating the privacy of paper records, HIPAA also covers data from all types of electronic media -- not just electronic health records (EHRs) and data stored on laptops and computers, but also any data that winds up on memory sticks and cards, smartphones, and even fax machines and copiers. Most of those devices aren't just fax machines and copiers any more; they also function as scanners and printers, which means they hold electronic data, Jenkins said.

The amounts of money involved can be astronomical, according to Jenkins, who noted that two companies with large breaches -- Sutter Health and SAIC -- are both facing multibillion-dollar class action lawsuits.

In terms of the cause of the breaches, thefts were the most common, at 55%, followed by unauthorized access (19%) and "loss" (12%). The rest of the breaches -- 14% -- were listed as "other," according to Jenkins, citing data from the Department of Health and Human Services.

The largest single source of data breaches has been laptops, accounting for 25% of breaches. That fact "begs the question: why is healthcare data on a laptop?" Jenkins said. Laptop theft is a particular problem: Stanford Children's Hospital in California is a five-time data breach offender, and at least three of the breaches involved laptops being stolen from physicians' cars. Laptops were followed by paper records (23%), other portable electronic devices (12%), computers (11%), and servers (10%). Another 19% were listed as "other."

Making It Easier to Do the Right Thing

One reason people end up having protected health information on a laptop is that, in many cases, it takes so long to get into the EHR system that people think, "'By golly, when I get into the system, I'm going to download the data and put it on my local workstation so I can get some dang work done,'" Jenkins said. "As IT professionals, we have to design and implement systems that make the right way the easiest way.

"It won't work to try to make longer usernames and passwords, because they'll just put in the longer usernames and passwords and download the data so they can work on it locally; that drives them even more toward the behavior we don't want them to do. We need to have the cloud services [be] the fastest way rather than downloading the data so they can get their work done."

Some organizations say they don't have anything to worry about because they use an EHR that is "HIPAA-certified." However, said Jenkins, there are two problems with that assertion: first, there is no such thing as a HIPAA-certified EHR. Second, "the EHR isn't the problem ... it's the user behavior when they're pulling reports, pulling data out of the EHR and then having a breach with that," he said.

Moving healthcare data to the cloud does not necessarily solve a problem with data breaches. Although some cloud services are HIPAA-compliant, "most public cloud services [such as Gmail and Hotmail] are not," Jenkins said. "And if you have poorly designed and poorly run IT, and you simply move it to the cloud, you just shifted your local problems to the cloud; you didn't solve them." If, on the other hand, moving records to the cloud is done properly, "it's a heckuva lot better than having [the data] on a laptop," he added.

What's Missing From HIPAA

There are some things the HIPAA regulations don't address, Jenkins said, such as how long passwords have to be or how often they should be changed. The regulations also don't address timeout or logoff intervals or the type of encryption required for use with Wi-Fi -- technically, that means WEP encryption is HIPAA compliant, even though it's easily breached, he noted. He said he was "shocked" that the words "laptop" and "smartphone" don't appear in the HIPAA regulations.

What are the biggest data breach threats to a healthcare organization? That depends on the number of records being held. Those with 500,000 to 1 million records are attractive targets to hackers; but "in little organizations, the biggest threat is from an internal user," he said.

"Now that credit card companies can shut down cards quickly once they are stolen, credit card numbers aren't worth very much to hackers, maybe a dollar each on the open market," Jenkins said. "Health records are five to ten times more valuable [because] they can use them to do unauthorized or fraudulent Medicare or Medicaid billing; they set up a sweatshop where they can bill over and over again."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss