HHS Data Tells the True Story of HIPAA Violations in the Cloud

 

At Software Advice, we speak on the phone every day with physicians who are researching electronic health records (EHR) software. We commonly hear that they’re afraid to switch to a system that puts their health records “in the cloud.” Their fear is that patient records will be out there on the Interweb, just waiting to be hacked.

We’ve written about this misconception plenty and even touched on the double standard of using web banking while eschewing cloud-based EHRs. Just a hunch, but I bet more hackers want my credit card information than my HDL/LDL ratio.

Now, the US Department of Health and Human Services (HHS) is disclosing on its website all health record security breaches that affect more than 500 people. This provides a trove of data to back up our assertions that cloud computing is safe. Of course, it’s all relative.

Type of Breach - Number of HIPAA Violations

Behold the “Wall of Shame”

Known as the “Wall of Shame,” the HHS website details 281 Health Insurance Portability and Accountability Act (HIPAA) security violations that affected more than 500 individuals as of June 9, 2011. Overall, physical theft and loss accounted for about 63% of the reported breaches. Unauthorized access / disclosure accounted for another 16%, while hacking was only 6%.

Reading through the violation notes, I was astounded to learn the real stories behind these violations:

  • 6,800 paper records that were supposedly mailed but never received;
  • an impostor posing as a recycling-service employee stealing over 1,300 individuals’ records and films; and,
  • a laptop stolen by a former employee that contained personal health records of over 50,000 patients.

Hardcore hackers like LulzSec aren’t compromising our health records; healthcare professionals and everyday thieves are.

Carelessness, Theft to Blame for HIPAA Violations

The vast majority of HIPAA violations weren’t instances of professional hacking or Ocean’s 11-esque intrusion. Most were a result of poor internal security, petty theft, or negligence. That holds true for even the largest violations on record.

Here are the top five violations on record – based on the number of individuals affected – according to the HHS:

| Provider | Year | Individuals Affected | How Data Was Breached |
|---|---|---|---|
| Health Net | 2011 | 1,900,000 | Portable disk drive stolen from Health Net’s California office. |
| NYC Health & Hospitals Corporation | 2010 | 1,700,000 | Hard drives storing health record information stolen from the back of a van. |
| AvMed | 2009 | 1,220,000 | Laptops stolen from the corporate office in Gainesville. |
| Blue Cross Blue Shield of Tennessee | 2009 | 1,023,209 | Hard drives storing health record information were stolen from an IT closet. |
| South Shore Hospital | 2010 | 800,000 | Disk drives were lost when being transported to a contractor for destruction. |

These violations accounted for a whopping 6.74 million individuals’ health information being compromised, all because of four instances of theft, and a disk drive that was lost on its way to the electronic guillotine. In terms of individuals affected, these five violations represent 61% of the reported HIPAA violations on the HHS website.

Electronic Storage Theft #1 Reason for HIPAA Violations

While computer networks were breached in 12% of instances, they weren’t the most common scene of the crime. Instead, electronic storage devices (e.g. hard drives) and paper records were the most common breach locations.

Breach Location - Number of HIPAA Violations

If we drill down a little deeper to focus on the largest category – electronic storage devices – most violations were due to theft and loss.

How Electronic Devices Were Breached (HIPAA Violations)

There Are Only Seven EMR Violations on the Wall of Shame

The HHS categorized only seven breaches wholly or partially involving EMRs. Did these EMR violations involve on-premise systems or systems based in the cloud? Most of these entries lacked details into how exactly the breaches occurred, so I did some investigative reporting to uncover what really happened.

| Provider | Year | Individuals Affected | How Data Was Breached |
|---|---|---|---|
| Keith W. Mann, DDS | 2009 | 2,000 | On-premise system servers (managed by Professional Computer Services) hacked. |
| Daniel J. Sigman MD | 2009 | 1,500 | Backups of on-premise system were stolen from Dr. Sigman’s home. |
| Kaiser Permanente Medical Care Program | 2009 | 15,500 | Portable hard drive was left inside a van. Van was then stolen. |
| Texas Health Arlington Memorial Hospital | 2010 | 654 | Poorly trained employees marked electronic charts incorrectly in an on-premise system. |
| Mayo Clinic | 2010 | 1,740 | Employee found snooping on patients’ records using Mayo Clinic’s on-premise EHR system. |
| NYC Health & Hospitals Corporation | 2010 | 1,700,000 | Hard drives from an on-premise system stolen from the back of a van. |
| South Shore Hospital | 2010 | 800,000 | Hard drives from an on-premise system lost on their way to a contractor for destruction. |

All seven violations involved on-premise systems. Considering the flak cloud systems have received, in general, this is a great vindication for the cloud.

And it makes sense. In a cloud-based system, no data is stored on the local device (i.e. computer). All of the data is hosted on the software company’s server and accessed through a web browser when needed. If someone steals a computer, there’s no patient data on it.

These security breaches were indeed severe and affected many individuals’ lives. But only one involved a high-tech hacker. Most were carelessly lost, or simply stolen – the same reason there were over 30 reported instances of compromised paper records, and 50 violations involving stolen laptops.

HIPAA Violations Aren’t in the Cloud

Some have said that increasing the number of EMRs makes our records more vulnerable. I’d cite the above data to argue otherwise. Paper records and portable devices are the weakest link in HIPAA security. The systems themselves – and certainly cloud-based systems – have a pretty good track record. HIPAA violations aren’t happening in the cloud. Rather, they’re happening in the doctor’s office, hospital IT closets, cars, subways, and homes.

And the statement that cloud-based EMR systems are more vulnerable to security breaches simply isn’t supported by facts. Of course, it remains to be seen if this holds true as more cloud-based systems are deployed. As more physicians move their records to the cloud, the opportunity for breaches will increase.

If my doctor asked me how to ensure patients’ data is secure, I would offer the following: go to the cloud. Web-based EMRs eliminate the most common security risks because there aren’t physical files to be compromised. And no matter your system, it’s essential to train your staff on the necessary security measures to ensure patient privacy is a systematic imperative.

Oh, and as for my final professional recommendation about how to avoid HIPAA violations: don’t leave your work laptop in a coffee shop. Don’t leave your storage container of paper records on a city bus. And for Pete's sake, lock your car.

Michael Koploy

About the Author

Since joining Software Advice in 2011, Michael Koploy's work has been cited in a variety of online publications, including ReadWrite, O'Reilly, The New York Times and SYS-CON. Michael manages content related to the Business Intelligence (BI) market for Software Advice, writing on BI tools and applications, (big) data-related news and industry trends.
