The Internet Isn’t to Blame for HIPAA BreachesSeptember 16, 2013 by Melissa McCormack
At Software Advice, our analysts talk on the phone every day with dozens of medical practices considering an electronic health records (EHR) purchase. One common concern we hear is related to the security of patient information.
Are electronic records—particularly those that are hosted “in the Cloud”—really secure? Don’t Cloud-based systems just put all that protected information out there on the Internet where hackers can nab it?
We’ve written about this issue before. Years ago we commented on the double standard of physicians who use online banking for their personal finances but won’t entertain the idea of Cloud-based EHRs. In 2011, Software Advice analyst Michael Koploy reported that Cloud-based EHRs seemed to be relatively more secure than their counterparts.
Massive HIPAA breaches (like Dallas, TX company Shred-it abandoning 277,000 microfiche patient records in a public park) have been getting a lot of ink lately, and concerns over patient data safety certainly aren’t dwindling. So I decided an up-to-date analysis of HIPAA breach data was in order. I analyzed public data on reported breaches impacting 500 or more individuals from the Department of Health and Human Services (HHS).
After slicing and dicing the data several ways, I’ve concluded that the Internet still isn’t to blame for HIPAA breaches.
HIPAA’s Biggest Breaches
Here’s a snapshot of the five biggest breaches reported to the HHS to date. (Reporting began in February 2010 and is up-to-date through the end of August 2013.)
|Health Organization||Individuals Affected||The Story|
|TRICARE Management Activity (Virginia)||4,901,432||This military health care provider’s business associate (Science Application International Corporation) “lost” backup tapes. Reports suggest the tapes were stolen from the back of an SAIC employee’s parked car.|
|Advocate Health Care* (Illinois)||Over 4 million||Four unencrypted computers were stolen from an Advocate Health administrative building.|
|Health Net, Inc. (California)||1,900,000||A facility belonging to a business associate (IBM) “misplaced” nine servers. Health Net also had a previous offense from 2009, when it lost a hard drive containing 7 years’ worth of data on 1.5 million patients. More recently, in April and May of 2013, a Health Net address mix-up compromised the data of over 8,000 individuals.|
|New York City Health & Hospitals Corporation’s North Bronx Healthcare Network||1,700,000||Unencrypted backup tapes were stolen from a van operated by a business associate (GRM Information Management Services).|
|AvMed, Inc. (Florida)||1,220,000||Two laptops were stolen from an AvMed facility. One encrypted laptop was recovered; the other, which was unencrypted, was not.|
*The incident at Advocate Health Care made the news in late August, but has not yet been officially documented on the HHS website.
These five biggest breaches are generally representative of the entire data set, which consists of 659 total incidents (plus the Advocate Health Care incident which I’ve added manually), impacting a total of 26.8 million individuals. The key themes, which I’ll delve into in more detail in this report, are that theft, loss, and unauthorized disclosure top the list of breach types, and in many cases, business associates (BAs) play a part in the breach.
Business Associate Breaches Affect Millions
HIPAA “covered entities” (healthcare providers and groups to whom HIPAA applies) engage business associates (BAs) to carry out some aspect of their business. For example, a provider may contract with a business associate to securely dispose of old records. If you’re a covered entity, you know that HIPAA allows covered entities to share protected health information (PHI) with BAs, so long as those BAs give “satisfactory assurances” that they’ll treat the data carefully.
Combing through the HHS raw data, I noticed that BAs were listed as having been involved in a significant number of breaches. Upon further analysis, I found that out of 660 reported incidents, 22 percent involved BAs.
Percent of Incidents with Business Associate (BA) Involvement
More concerning is that BAs tended to be involved in breaches involving more individuals; in fact, out of the 26.8 million individuals whose data has been breached, 48 percent were impacted by breaches involving BAs.
Percent of Impacted Individuals with BA Involvement
This widespread BA involvement in HIPAA breaches is perhaps a result of historical ambiguity surrounding the obligations and liability of BAs—a problem which is already being addressed by the Office for Civil Rights (OCR).
The HIPAA Omnibus Rule, which was effective March 26 of this year, strengthens the OCR’s HIPAA enforcement powers and clarifies issues of liability for BAs as well as their sub-contractors. Compliance with the Omnibus Rule will be required beginning September 23, 3013. The Rule should clarify the obligations and liabilities of providers working with BAs and BAs working with sub-contractors, which will hopefully lead to a decrease in BA involvement in breaches.
What does this mean for you? If you are a covered entity (or BA), most immediately you’ll need to be in compliance with the Omnibus Rule by September 23. There are plenty of helpful resources online you can reference if you need help preparing for the compliance deadline. But beyond near-term compliance, the key takeaway is that you should vet your BAs carefully to ensure they’ll take patient privacy as seriously as you do.
The Internet Accounts for Few of Overall HIPAA Breaches
I mentioned before that some providers are concerned that EHRs and Cloud-based storage pose a security threat. Let’s take a look at those concerns.
Firstly, let’s address the Cloud. Internet or Cloud-based storage can seem scary; you’re putting data out in the ether, in an intangible storage space. The concern here is hacking. The risk of physical theft and loss are greatly minimized when data are stored online, so the real means by which data could be breached is via hacking.
But Cloud-based storage providers take security very seriously. They’re highly motivated to create impregnable fortresses for data so they can attract and retain customers. And the HHS data actually indicate that Internet storage is relatively more secure than other storage methods. Only eight percent of breaches reported since 2010 have involved hacking.
Percent of Incidents Involving Hacking
What about EHRs more generally? Whether Cloud-based or “on premise” (stored on physical servers), EHR involvement is limited. According to the HHS data, only three percent of all reported incidents involved EHRs.
Percent of Incidents Involving Electronic Health Records (EHRs)
Theft, Unauthorized Access and Loss Are Most Common
If hacking isn’t the biggest threat to patient data, what is? Theft, unauthorized access or disclosure and loss account for the biggest shares of the pie.
Type of Breach
This is frustrating, because many of these issues are avoidable. Consider theft: to some extent theft may be inevitable, but as I mentioned, storing data in the Cloud greatly reduces the risk of theft. If someone steals your computer, they still can’t access patient data, because those data aren’t stored on your device.
Even if your data aren’t in the Cloud, simply encrypting your electronic devices could accomplish a similar end. All of the top-five biggest HIPAA breaches involved the theft or loss of unencrypted devices. The unstructured notes that accompany the HHS data are full of references to providers who added encryption to their facility’s devices after a breach occurred. Why not be safe from the outset and encrypt any device that stores the private health information of patients?
Unauthorized access and disclosure is a troubling problem because it involves employees willfully violating privacy laws, as in the notable case of curious hospital employees illicitly accessing George Clooney’s records. The simple adherence to regulations on the part of employees would eliminate this problem.
Loss is perhaps the most baffling category. For example, referring back to the five biggest breaches in reported history, Health Net and its business associate IBM reportedly “misplaced” nine servers containing the records of almost two million patients. I’m not even sure how that happens, but loss implies that the fault lies with the PHI holder—meaning it’s within the power of the PHI holder to prevent.
Paper and Unencrypted Devices Are Least Safe
We’ve covered the most prevalent types of breaches. Now let’s take a look at where breached data were stored. Paper weighs in as the least secure storage medium, with 23 percent of incidents involving paper storage.
Digital storage on physical unencrypted devices (such as laptops, phones and servers) occupies a nice chunk of the pie due primarily to theft. This again emphasizes the importance of encrypting such devices. Paper and unencrypted electronic devices together account for the vast majority of breaches, which suggests that the move toward the Cloud makes patient data more, rather than less, secure.
Medium of Breach
Methodology and Limiting Factors
Although I used raw data downloaded from the publicly-available HHS site, I did some manual cleanup, described here.
Some breaches listed multiple types or locations. In those cases, I re-labeled types and locations as “combination.” However, in determining when hacking was involved, I included combination cases that listed hacking as one of multiple types. (Ditto for EHRs with cases that listed EHRs as one of multiple storage locations.)
I manually streamlined inconsistencies such as: alternate references to “email” and “e-mail”; inconsistent use of slashes (/) vs. commas (,); and misspellings (e.g., “electonic” instead of “electronic”).
I corrected obvious instances of incorrect dates, such as an incident reported on November 31, 2011 (there are only 30 days in November; I discovered the incident actually took place on December 31, 2011) and an incident reported in the future (listed as December 2013; I ascertained the incident actually took place in December 2012).
Unknown Breach Types
While I suppose not an actual reporting error, I was concerned by the number of incidents where breach type was listed as “unknown.” While unknown breaches accounted for a small portion of overall incidents, there were a total of over 2 million individuals impacted by breaches where the breach type was simply never identified.
The healthcare industry has a moral and legal obligation to protect patient health information. Each breach is a violation of those obligations. The industry needs to get collectively smarter about security.
What’s the answer? I see a few opportunities for individual organizations to improve.
Unauthorized Access and Loss
Implement thorough, recurring training for employees. Many providers involved in breaches note having done this after a breach, but organizations should do this proactively to prevent costly breach incidents. Make sure staff knows what is expected of them by their employer and the federal government, including not accessing or sharing data without authorization, and safeguarding data from loss.
Using technology to prevent unnecessary access can also be helpful in mitigating that risk. For example, Beth Israel Deaconess recently used lessons learned from its own painful breach experience to prevent unauthorized access of the records of a high-profile patient: Boston marathon bombing suspect Dzhokhar Tsarnaev. The hospital restricted access to the patient’s records, and employees seeking access to the data had to receive special permission.
Theft and Loss
I’ve said it already, but I think it bears repeating: encrypting electronic devices can prevent information on those devices from being accessible if stolen or lost. This is more secure than a lock on a filing cabinet. I’d like to see the HHS require encryption by law, rather than simply suggesting it as they do now. Another way to help neutralize the threat of theft and loss is to store data in the Cloud. However you do it, make sure that if someone steals your devices, they can’t access the information within.
For further reference, I’ve made the raw data I used in this analysis available here.
Thumbnail image created by Gwyneth Anne Bronwynne Jones.