BreachExchange mailing list archives

Preventing Breaches: Don't Forget Paper


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 16 Jun 2014 20:37:37 -0600

http://www.databreachtoday.com/blogs/preventing-breaches-dont-forget-paper-p-1690

It's well known that lost or stolen unencrypted computing devices account
for the majority of large health data breaches. But a new report from the
Department of Health and Human Services shines a light on how frequently
breaches - especially smaller ones - involve paper records.

The HHS' Office for Civil Rights recently submitted a new report, Annual
Report to Congress on Breaches of Unsecured Protected Health Information
for Calendar Years 2011 and 2012 as mandated under the HITECH Act.

I know what you're thinking. Yes, the report's breach stats are from
incidents that occurred two and three years ago. But it nevertheless sheds
some light on the need to pay attention to keeping paper records secure.

For example, in 2012, paper records were involved in 23 percent of major
breaches - those affecting 500 or more individuals. But that same year,
paper records were involved in 61 percent of smaller breaches.

"With much emphasis on electronic records and cybersecurity, it is
important for covered entities and business associates to remember that
paper ... continues to be a major source of breaches," notes privacy and
security expert Kate Borten, founder of consulting firm the Marblehead
Group. "Misdirected faxes and mailings, along with improper disposal, were
main factors."

The report to Congress sheds some light on those smaller breaches that
don't grab many headlines. "The biggest surprise may have been that 61
percent of the small breach reports involved paper records," says privacy
attorney Adam Greene, a partner at law firm Davis Wright Tremaine and
former OCR official.

Here's a quick look at some of the statistics about smaller breaches -
incidents that are often overlooked:

- OCR received reports of more than 25,700 smaller 2011 breaches affecting
a total of about 152,00 individuals. Of these, almost 16,000 involved paper
records.
- OCR received approximately 21,200 reports of smaller 2012 breaches
affecting a total of approximately 165,000 individuals. Of these, almost
13,000 incidents involved paper records.
- Among the most common causes of smaller breaches are unauthorized access
or disclosure; theft and loss; and improper disposal.

Just recently, a breach involving paper records at Access Health CT, the
Connecticut state health insurance exchange for Obamacare, got plenty of
attention. On June 6, the exchange operated by Connecticut under the
Affordable Care Act revealed that a backpack containing four paper notepads
with handwritten information on about 400 consumers was found in a deli not
far from the exchange's Hartford call center (see Small Breach, Big Lesson
In Backpack).

A worker at the exchange's call center vendor, Maximus, left the office
with the notepads, which included personal information on about 400
individuals, including some Social Security numbers.

This incident shows how seemingly small things can lead to big problems.

Steps to Take

Obviously, when it comes to protecting electronic data, steps such as
implementing encryption and various security controls can help prevent
breaches. OCR also suggests improving physical security, such as by
relocating equipment or paper records to more secure areas. Other steps
to help prevent breaches tied to paper records include implementing proper
disposal policies and procedures, and, of course, employee training. For
instance, training employees to shred paper documents before disposing of
them is a basic step that can be overlooked.

The OCR report also suggests imposing sanctions on workforce members who
violate policies and procedures for removing protected health information
from facilities or who improperly access PHI. In the case at Access Health
CT, the worker involved in the backpack breach has been placed on
administrative leave and has had all system access privileges revoked as
officials investigate the incident.

Despite the fact that the report to Congress dissects breaches from a few
years ago, it should serve as a reminder to both covered entities and
business associates that while digitized data is most often the focus for
privacy and security programs, paper records still need to be protected, as
well.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 