BreachExchange mailing list archives

HIPAA Data Breaches on the Rise


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 14 Apr 2015 19:06:59 -0600

http://www.medpagetoday.com/MeetingCoverage/HIMSS/50983

The number of health data breaches has been increasing in recent years, and
the most frequent type was theft, Marion Jenkins, PhD, said here at the
annual meeting of the Healthcare Information and Management Systems Society.

Since 2009, there have been 1,185 data breaches as defined by the Health
Insurance Portability and Accountability Act (HIPAA), said Jenkins, who is
chief strategy officer at 3t Systems, a healthcare consulting firm in
Denver. And the pace is accelerating, with an increase of more than 50% in
the last 12 months. Breaches have so far affected 133 million patient
records.

The smallest reported breach was of 441 records at the Hospice of Northern
Idaho. "You don't have to be a really large organization to end up on the
list," Jenkins said. The largest breach involved 80 million records at the
health insurer Anthem; that case, which involved hacking, was
"particularly disturbing" because it involved both employee and patient
data, he added.

Paper, Electronic Data Covered

HIPAA requires providers to "secure all electronic protected health
information against accidental or intentional causes of: unauthorized
access, theft, loss or destruction, from either internal or external
sources," Jenkins explained. HIPAA security regulations govern electronic
records, while HIPAA's privacy rules apply to paper records.

Healthcare providers should also be aware that, in addition to regulating
the privacy of paper records, HIPAA covers data on all types of electronic
media -- not just EHRs and data stored on laptops and computers, but also
any data that winds up on memory sticks and cards, smartphones, and even
fax machines and copiers. Most of those devices are no longer just fax
machines and copiers; they also function as scanners and printers, which
means they hold electronic data, Jenkins said.

The amounts of money involved can be astronomical, according to Jenkins,
who noted that two companies with large breaches -- Sutter Health and SAIC
-- are both facing multibillion-dollar class action lawsuits.

In terms of the cause of the breaches, thefts were the most common, at 55%,
followed by unauthorized access (19%) and "loss" (12%). The rest of the
breaches -- 14% -- were listed as "other," according to Jenkins, citing
data from the Department of Health and Human Services.

The largest single source of data breaches has been laptops, accounting for
25% of breaches. That fact "begs the question: why is healthcare data on a
laptop?" Jenkins said. Laptop theft is a particular problem: Stanford
Children's Hospital in California is a five-time data breach offender, and
at least three of the breaches involved laptops being stolen from
physicians' cars.

Laptops were followed by paper records (23%), other portable electronic
devices (12%), computers (11%), and servers (10%). Another 19% were listed
as "other."

Making It Easier to Do the Right Thing

One reason people end up having protected health information on a laptop is
that, in many cases, it takes so long to get into the EHR system that
people think, "'By golly, when I get into the system, I'm going to download
the data and put it on my local workstation so I can get some dang work
done,'" Jenkins said. "As IT professionals, we have to design and implement
systems that make the right way the easiest way.

"It won't work to try to make longer usernames and passwords, because
they'll just put in the longer usernames and passwords and download the
data so they can work on it locally; that drives them even more toward the
behavior we don't want them to do. We need to have the cloud services [be]
the fastest way rather than downloading the data so they can get their work
done."

Some organizations say they don't have anything to worry about because they
use an electronic health record (EHR) that is "HIPAA-certified." However,
said Jenkins, there are two problems with that assertion; first, there is
no such thing as a HIPAA-certified EHR. Second, "the EHR isn't the problem
... it's the user behavior when they're pulling reports, pulling data out
of the EHR and then having a breach with that," he said.

Moving healthcare data to the cloud does not necessarily solve a problem
with data breaches. Although some cloud services are HIPAA-compliant, "most
public cloud services [such as Gmail and Hotmail] are not," Jenkins said.
"And if you have poorly designed and poorly run IT, and you simply move it
to the cloud, you just shifted your local problems to the cloud; you didn't
solve them."

If, on the other hand, moving records to the cloud is done properly, "it's
a heckuva lot better than having [the data] on a laptop," he added.

What's Missing From HIPAA

There are some things the HIPAA regulations don't address, Jenkins said,
such as how long passwords have to be or how often they should be changed.
Regulations also don't address timeout or logoff intervals or the type of
encryption required for use with Wi-Fi -- technically, that means WEP
encryption is HIPAA compliant, even though it's easily breached, he noted.

He said he was "shocked" that the words "laptop" and "smartphone" don't
appear in the HIPAA regulations.

What are the biggest data breach threats to a healthcare organization? That
depends on the amount of records being held. Those with 500,000 to 1
million records are attractive targets to hackers; but "in little
organizations, the biggest threat is from an internal user," he said.

"Now that credit card companies can shut down cards quickly once they are
stolen, credit card numbers aren't worth very much to hackers, maybe a
dollar each on the open market," Jenkins said. "Health records are five to
ten times more valuable [because] they can use them to do unauthorized or
fraudulent Medicare or Medicaid billing; they set up a sweatshop where they
can bill over and over again."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss