Thales Blog

HIPAA Breaches Reveal Data Security Gaps

February 19, 2012

In February, the Health Information Security/Privacy Alert released a summary of HIPAA enforcement actions and data compromise statistics. The numbers tell a jarring story for entities obligated under HIPAA/HITECH. For instance, according to the OCR statistics used in the report, just 20% of the known breaches accounted for 79% of breached records. Even more telling, the loss or theft of back-up tapes alone affected almost 6 million patients. On a related note, insiders are having an increasingly damaging impact on patient privacy and on data security in general.

These statistics highlight two points of failure that have a tremendous impact on patient privacy but that can both be addressed with similar technology. We will briefly address each issue and the steps covered entities and business associates can take to protect their patients from the impact of stolen back-up tapes or the actions of misguided or malicious insiders.

In September 2011, SAIC reported that back-up tapes containing medical records of 4.9 million TRICARE patients were stolen from an employee’s vehicle. Both TRICARE, the health care program for military personnel and their families, and SAIC treated the theft as a data breach; the implication is that the tapes were not encrypted, since PHI that is encrypted in line with the HHS guidance is considered unusable to an unauthorized party and its loss does not trigger HITECH breach notification. Back-up systems and tapes often present a data protection challenge, but unencrypted back-up tapes pose a significant risk to any organization, not just those subject to regulations such as HIPAA/HITECH. A tape is a portable copy of the whole data set that leaves the controlled environment by design; once it is out of your hands, no access control on the source system helps, and encryption with the key kept off the tape is the only control that still applies.
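The following is an added illustration, written for this page and not code from Thales, SAIC or TRICARE, of what "encrypted back-up tape" should mean in practice: the backup is sealed under a fresh per-tape data key, that data key is wrapped under a key-encryption key (KEK) that stays in the key manager, and only the wrapped key travels with the cartridge. The AES-GCM envelope scheme, the `TapeImage` layout, the `TAPE-0001` label and the sample records are all assumptions of the example; the records are constructed, not real PHI.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample backup content (hypothetical records, not real PHI).
var sampleBackup = []byte("patient_id,name,dob,diagnosis\n" +
	"1001,Jane Roe,1970-01-01,E11.9\n1002,John Doe,1965-05-05,I10\n")

// TapeImage is everything that leaves the building on the cartridge: the
// encrypted backup plus the per-tape data key wrapped under the KEK.
// The KEK itself is never written to the tape.
type TapeImage struct {
	Nonce, Ciphertext, WrapNonce, WrappedKey []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-GCM under key and a fresh nonce, authenticating aad.
func seal(key, plaintext, aad []byte) (nonce, ciphertext []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, aad)
}

// WriteTape encrypts a backup under a random data key, then wraps that key under
// the KEK. The tape label is bound as AAD so a wrapped key cannot be moved to another cartridge.
func WriteTape(kek, backup []byte, label string) (*TapeImage, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	nonce, ct, err := seal(dataKey, backup, []byte(label))
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(kek, dataKey, []byte(label))
	if err != nil {
		return nil, err
	}
	for i := range dataKey { // the cleartext data key is no longer needed
		dataKey[i] = 0
	}
	return &TapeImage{nonce, ct, wrapNonce, wrapped}, nil
}

// ReadTape restores the backup. Without the correct KEK the data key cannot be
// unwrapped, so a stolen cartridge yields nothing but ciphertext.
func ReadTape(kek []byte, img *TapeImage, label string) ([]byte, error) {
	dataKey, err := open(kek, img.WrapNonce, img.WrappedKey, []byte(label))
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong KEK, wrong label or tampered header")
	}
	return open(dataKey, img.Nonce, img.Ciphertext, []byte(label))
}

// ContainsPlaintext is the first thing a thief would try on a found cartridge.
func ContainsPlaintext(img *TapeImage, needle []byte) bool {
	return bytes.Contains(img.Ciphertext, needle)
}

func main() {
	kek := make([]byte, 32) // in production the KEK lives in an HSM or KMS
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	img, err := WriteTape(kek, sampleBackup, "TAPE-0001")
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext visible on tape:", ContainsPlaintext(img, []byte("Jane Roe")))
	_, err = ReadTape(make([]byte, 32), img, "TAPE-0001")
	fmt.Println("restore without the KEK:", err)
	restored, err := ReadTape(kek, img, "TAPE-0001")
	fmt.Println("restore with the KEK ok:", err == nil && bytes.Equal(restored, sampleBackup))
}
```

The point of the two-layer design is operational: the KEK never leaves the key manager, so a cartridge found in a car yields only ciphertext and an unreadable key blob, while restoring at the disaster-recovery site needs only the KEK plus the tape. Binding the tape label as AAD also catches a header copied from one cartridge onto another. A scheme that stores the data key on the tape next to the data, or uses the same static key on every tape with no rotation, gives up most of this benefit.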

Additionally, malicious insiders, who accounted for 67 of the reported HIPAA compromises, continue to have a negative impact on the protection of patient privacy. HHS reported that impermissible uses and disclosures of PHI were among the most frequently reported incidents. According to the 2011 Verizon Data Breach Investigations Report (the 2012 report is due this spring), insiders, whether through malicious intent or through negligence, accounted for more than 60% of investigated breaches. Furthermore, the report states that “investigators determined that nearly all internal breaches (93%) were the result of deliberate malicious activity.” Such statistics reveal a clear need for stronger access control over Protected Health Information: access scoped to what each role actually needs, and an audit trail that makes misuse by an otherwise authorized user visible.
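As an added example (written for this page, not code from Thales or from any EHR vendor) of the access control the paragraph above calls for: routine access to a patient record is limited to that patient's care team, anyone else must invoke a logged break-glass override with a stated reason, and a simple detection pass over the audit trail flags users who reach for many patients outside their assignments. The care-team model, the `PHIStore` type, the user and patient identifiers and the day's activity are all constructed assumptions of the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Constructed data model (an assumption of this example, not any real EHR):
// a patient record may be viewed by members of that patient's care team;
// anyone else must invoke a break-glass override with a stated reason,
// and every decision, allowed or not, is written to the audit trail.
type AccessRequest struct {
	User, Patient, Reason string
	BreakGlass            bool
}

type AuditEvent struct {
	User, Patient, Decision, Reason string
}

type PHIStore struct {
	careTeam map[string]map[string]bool // patient -> users with routine access
	Audit    []AuditEvent
}

func NewPHIStore() *PHIStore {
	return &PHIStore{careTeam: map[string]map[string]bool{}}
}

// Assign puts user on patient's care team (the "minimum necessary" scope).
func (s *PHIStore) Assign(patient, user string) {
	if s.careTeam[patient] == nil {
		s.careTeam[patient] = map[string]bool{}
	}
	s.careTeam[patient][user] = true
}

// Access enforces the policy and records the outcome. It returns the decision
// so callers can tell routine access from an override.
func (s *PHIStore) Access(req AccessRequest) string {
	decision := "deny"
	switch {
	case s.careTeam[req.Patient][req.User]:
		decision = "allow"
	case req.BreakGlass && req.Reason != "":
		decision = "allow-break-glass"
	}
	s.Audit = append(s.Audit, AuditEvent{req.User, req.Patient, decision, req.Reason})
	return decision
}

// DistinctPatientsOutsideTeam counts, per user, how many different patients
// they reached for without being on the care team (override or denied).
// A clinician covering one emergency scores 1; a browsing insider scores high.
func (s *PHIStore) DistinctPatientsOutsideTeam() map[string]int {
	seen := map[string]map[string]bool{}
	for _, e := range s.Audit {
		if e.Decision == "allow" {
			continue
		}
		if seen[e.User] == nil {
			seen[e.User] = map[string]bool{}
		}
		seen[e.User][e.Patient] = true
	}
	counts := map[string]int{}
	for u, p := range seen {
		counts[u] = len(p)
	}
	return counts
}

// SuspiciousUsers returns users at or above threshold, sorted for stable output.
func (s *PHIStore) SuspiciousUsers(threshold int) []string {
	var out []string
	for u, n := range s.DistinctPatientsOutsideTeam() {
		if n >= threshold {
			out = append(out, u)
		}
	}
	sort.Strings(out)
	return out
}

// RunScenario builds a constructed day of activity: a nurse on her own
// patients plus one emergency override, and a clerk browsing records.
func RunScenario() *PHIStore {
	s := NewPHIStore()
	s.Assign("P1001", "nurse.nguyen")
	s.Assign("P1002", "nurse.nguyen")
	s.Assign("P1003", "dr.okafor")
	s.Access(AccessRequest{User: "nurse.nguyen", Patient: "P1001"})
	s.Access(AccessRequest{User: "nurse.nguyen", Patient: "P1003", BreakGlass: true, Reason: "code blue, covering ward B"})
	for _, p := range []string{"P1001", "P1002", "P1003", "P1004"} {
		s.Access(AccessRequest{User: "clerk.smith", Patient: p, BreakGlass: true, Reason: "billing"})
	}
	s.Access(AccessRequest{User: "clerk.smith", Patient: "P1005"}) // no override: denied
	return s
}

func main() {
	s := RunScenario()
	for _, e := range s.Audit {
		fmt.Printf("%-13s %-6s %-17s %s\n", e.User, e.Patient, e.Decision, e.Reason)
	}
	fmt.Println("flag for review:", s.SuspiciousUsers(3))
}
```

Two design choices matter here. Break-glass is allowed rather than blocked, because an emergency clinician must not be locked out, but it is always logged with a reason so the override itself becomes the detection signal. And the detector counts distinct patients rather than raw events, so one legitimate emergency does not look like browsing while a clerk walking through five records does.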

Understanding that scarce resources and a difficult economy can shift priorities, one might ask how to decide which data security projects to undertake and how many resources to devote to them. Unfortunately, there is no one-size-fits-all answer. Each organization has its own risk threshold, and so may perceive, calculate, and prioritize risks differently. As with any data security initiative, controls should be implemented commensurate with the identified risks. For this reason, it is important to conduct a risk analysis to identify and prioritize the risks to company data. During this exercise, the company details what types of data reside in the environment and assigns a sensitivity level to each type. Part of assessing the risk to data is determining how valuable that data would be to thieves. An assessment of the environment and its potential vulnerabilities should also be part of any risk analysis. The overarching goal is to root out the factors that would negatively impact the confidentiality, integrity, or availability of the data. In addition, businesses may weigh the cost of implementing data security processes and technology against the potential impact of a breach. A risk assessment is not only a fine tool for gathering this information; it is required by many data protection laws, including HIPAA, whose Security Rule mandates a risk analysis at 45 CFR 164.308(a)(1)(ii)(A).

The statistics around HIPAA violations continue to emphasize the growing need for robust protection of patient information. While some of the breaches may be accidental or due to negligence rather than specific intent, enforcement agencies do not parse the intentions of those responsible for the exposure. Their only concern is whether the data was adequately protected and whether patients were put at risk. Implementing robust data protection in the form of encryption, access controls, and strong key management helps companies manage risk and maintain compliance; encryption only delivers on that promise when the keys are managed separately from the data they protect, since a tape or disk stored alongside its own key is effectively unencrypted.