BreachExchange mailing list archives

Breach report shows modest improvements


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Thu, 14 Feb 2013 14:09:21 -0500

http://www.healthcareitnews.com/news/new-healthcare-breach-report-sheds-light

A new report suggests some improvement with regard to healthcare data
breaches in 2012, compared with previous years. Still, the study shows
there's much work to be done.

The report, conducted by IT security assessment provider Redspin,
examines some 538 incidents affecting more than 21.4 million
individuals since the interim breach notification rule under the
HITECH Act went into effect in August 2009.

Although findings show a massive 77 percent decline in the number of
patient records compromised in breaches, that's accompanied by a 21.5
percent increase in the number of large data breaches. According to
the report, more than 2.4 million patients were impacted by some 146
breaches investigated by the Department of Health and Human Services
in 2012. That's no small number.

"While the breach data shows improvement year-over-year, we caution
against complacency," said Daniel W. Berger, president and CEO of
Redspin, in a statement. "Clearly the increase in the number of health
providers who conducted HIPAA Security Risk Assessments in 2012 had a
positive impact. But continuous and durable security requires
continuing investment and effort – it is an ongoing process of
vigilance."


Findings also suggest that the majority of breaches (57 percent)
involve business associates. Moreover, according to the report,
breaches involving business associates have affected more than five
times as many patients as breaches at covered entities themselves.

"The recently-published HIPAA Omnibus Rule now requires business
associates to comply with HIPAA privacy and security regulations
directly and extends civil liability to BAs for PHI breach," said
Berger. "This is a major regulatory change. But health providers
should not just assume all BAs will comply – they need to be
proactive, working closely with their business partners to build a
secure 'chain of PHI custody.'"
Additionally, according to the report, the lack of encryption on
laptops and other portable electronic devices is the cause of more
than one-third of PHI breaches (38 percent).


Lastly, Redspin officials warn that personal health records are
high-value targets for cybercriminals, as they can be exploited for
identity theft, insurance fraud and falsified prescriptions. Although
hacking has accounted for a relatively small share of all PHI breaches
to date, Berger says last year's attack on the Utah Department of
Health – where some 780,000 Medicaid and Children's Health Plan
records were targeted – "may be the canary in the coal mine."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
