Health Breach Tally: 30 Million Victims
Experts Analyze the Latest Trends
More than 30.6 million individuals have been affected by major healthcare data breaches since September 2009, according to the latest tally from federal regulators. And looking ahead, some security experts believe that the nature of many large breaches will shift, with business associates being implicated more often.
As of March 28, there were 931 breaches posted on the Department of Health and Human Services' Office for Civil Rights "wall of shame" website, which lists incidents affecting 500 or more individuals since September 2009, when the HIPAA breach notification rule first went into effect under the HITECH Act.
Of those, about a quarter have involved business associates, who are now directly liable for HIPAA compliance under the HIPAA Omnibus Rule, which went into effect last year. Those business associate-related breaches affected almost 15 million individuals, or about half of the total number of people affected by all breaches on the list.
And some security experts expect that business associates will likely be implicated in even more breaches in the months to come. That's because not only are more vendors, including many cloud services providers, now considered business associates under HIPAA Omnibus, but the method to assess breaches for notification has changed as well.
Under the HIPAA Omnibus Rule, breach assessments must be based on at least four objective factors, rather than the previous, more subjective, "harm standard." Those four factors include: the nature and extent of the protected health information involved; the unauthorized party who used the protected health information or to whom the disclosure was made; whether PHI was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated.
Jeff Cobb, chief information security officer at Capella Healthcare, which owns or operates 14 acute care and specialty hospitals in six states, says: "For covered entities, I don't think the [new approach to breach] assessments will impact the number of breaches being reported; however, we'll see a spike with BAs. BAs have always been on the hook with HIPAA breaches, but HIPAA Omnibus solidifies it."
Security expert Dan Berger says business associates are starting to wake up to their responsibilities under HIPAA Omnibus.
"We are seeing very encouraging signs that large business associates are taking HIPAA compliance seriously and conducting risk assessments," says Berger, president and CEO at Redspin, an IT security assessment company.
"But business associates often have a more difficult task in securing PHI than providers," he notes. "The nature of the services they provide may involve Web applications, multiple data stores, less HIPAA-aware employees and downstream vendors. In addition, a BA may provide similar services to other non-healthcare customers. Thus, the surface area for potential breaches is greater."
Lost or stolen unencrypted devices are the most common cause of breaches listed on the wall of shame. And Berger expects such breaches to remain common. That's because a misperception that end-user device encryption is costly continues to prevail, he says.
And it's not just unencrypted mobile devices that have been implicated in major breaches. "I think the desktop theft at Advocate Medical Group, which was last year's largest breach, has brought the issue of desktop encryption to the forefront," Berger says. "But we don't see many providers moving toward this yet. The bigger question at Advocate seems to be why there were so many health records on those desktops."
The July 2013 theft of four unencrypted computers from an office of Advocate, a Chicago-area physician group practice, may have exposed information on about 4 million patients. A class action suit filed against Advocate in August alleges the breach put the patients at risk for fraud.
Cobb says the number of breaches involving lost or stolen unencrypted devices could drop as encryption becomes more common. Meanwhile, reported breaches involving hackers or other unauthorized access could grow as the use of breach detection technologies, such as audit tools and log management systems, increases.
The soon-to-be-released Healthcare Information Security Today survey shows that audit tools or log management systems were the top security technology investment planned by healthcare organizations for 2014.
"Monitoring and audit logs give more visibility; you'll find [activity] that you weren't aware of before," Cobb says. Also, as more healthcare organizations roll out Web portals to provide patients access to their electronic health information - a requirement of HIPAA and the HITECH Act electronic health records incentive program - new vulnerabilities to data will emerge, he says.
Among breaches added to the HHS website in recent weeks was an incident related to a three-day hacker attack in December against an onsite server at St. Joseph Health System in Bryan, Texas, which exposed information on about 405,000 individuals.
"Unauthorized access as a whole is likely to spike whether from external hacking or insiders," Berger says. "It is only logical that a high value asset such as personal health records will attract malicious and nefarious interest."
To address those threats, "in addition to risk assessments, we strongly recommend penetration testing, better access controls, and network hardening to our healthcare clients," he says.