Preventing Breaches: Don't Forget PaperHHS Report: Most Smaller Incidents Involve Paper Records
It's well known that lost or stolen unencrypted computing devices account for the majority of large health data breaches. But a new report from the Department of Health and Human Services shines a light on how frequently breaches - especially smaller ones - involve paper records.
See Also: Attack Surface Management: Improve Your Attack Surface Visibility
The HHS' Office for Civil Rights recently submitted a new report, Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2011 and 2012 as mandated under the HITECH Act.
With much emphasis on electronic records and cybersecurity, it is important for covered entities and business associates to remember that paper continues to be a major source of breaches.
I know what you're thinking. Yes, the report's breach stats are from incidents that occurred two and three years ago. But it nevertheless sheds some light on the need to pay attention to keeping paper records secure.
For example, in 2012, paper records were involved in 23 percent of major breaches - those affecting 500 or more individuals. But that same year, paper records were involved in 61 percent of smaller breaches.
"With much emphasis on electronic records and cybersecurity, it is important for covered entities and business associates to remember that paper ... continues to be a major source of breaches," notes privacy and security expert Kate Borten, founder of consulting firm the Marblehead Group. "Misdirected faxes and mailings, along with improper disposal, were main factors."
The report to Congress sheds some light on those smaller breaches that don't grab many headlines. "The biggest surprise may have been that 61 percent of the small breach reports involved paper records," says privacy attorney Adam Greene, a partner at law firm Davis Wright Tremaine and former OCR official.
Here's a quick look at some of the statistics about smaller breaches - incidents that are often overlooked:
- OCR received reports of more than 25,700 smaller 2011 breaches affecting a total of about 152,00 individuals. Of these, almost 16,000 involved paper records.
- OCR received approximately 21,200 reports of smaller 2012 breaches affecting a total of approximately 165,000 individuals. Of these, almost 13,000 incidents involved paper records;
- Among the most common causes of smaller breaches are unauthorized access or disclosure; theft and loss; and improper disposal.
Just recently, a breach involving paper records at Access Health CT, the Connecticut state health insurance exchange for Obamacare, got plenty of attention. On June 6, the exchange operated by Connecticut under the Affordable Care Act revealed that a backpack containing four paper notepads with handwritten information on about 400 consumers was found in a deli not far from the exchange's Hartford call center (see Small Breach, Big Lesson In Backpack).
A worker at the exchange's call center vendor, Maximus, left the office with the notepads, which included included personal information on about 400 individuals, including some Social Security numbers.
This incident shows how seemingly small things can lead to big problems.
Steps to Take
Obviously, when it comes to protecting electronic data, steps such as implementing encryption and various security controls can help prevent breaches. OCR also suggests improving physical security, such as by relocating equipment or paper records to a more secure areas. Other steps to help prevent breaches tied to paper records include implementing proper disposal policies and procedures, and, of course, employee training. For instance, training employees to shred paper documents before disposing of them is a basic step that can be overlooked.
The OCR report also suggests imposing sanctions on workforce members who violate policies and procedures for removing protected health information from facilities or who improperly access PHI. In the case at Access Health CT, the worker involved in the backpack breach has been has been placed on administrative leave and has had all system access privileges revoked as officials investigate the incident.
Despite the fact that the report to Congress dissects breaches from a few years ago, it should serve as a reminder to both covered entities and business associates that while digitized data is most often the focus for privacy and security programs, paper records still need to be protected, as well.