02-24-12 | Blog Post
Online Tech is in Las Vegas, site of the 12th Annual HIMSS Conference & Exhibition, exhibiting our HIPAA compliant hosting solutions and our HIPAA compliant clouds. Visit us at booth #13528! With more than 300 educational sessions on healthcare IT topics, we’re highlighting this particular session on healthcare security breaches:
Auditing Security: Lessons Learned From Healthcare Security Breaches
Adam H. Greene, J.D., M.P.H., Davis Wright Tremaine LLP, Washington, D.C.
Michael “Mac” McMillan, CynergisTek, Inc., Austin, Texas
Major Takeaway Points and Personal Analysis of Statistics:
According to the Symantec 2011 report, data breaches rank the highest in the healthcare industry at 27 percent, trailed by education, government, and retail/wholesale sectors. When it comes to identities exposed, the financial industry leads at 23 percent, followed by transportation (22 percent) and insurance (17 percent).
Data breaches rose 32 percent in 2011, according to the Ponemon Institute, and the widespread use of mobile devices has added to the risk. What are the consequences? With an increase in the number of incidents come decreased productivity and major financial consequences.
The most common type of breach involves paper records, at 26 percent, followed by laptops at 22 percent. Other portable electronic devices account for 16 percent and computers for 14 percent (based on breaches reported from Sept. 2009 to Dec. 2011).
While many in the healthcare industry view EHR/EMR systems as the root cause of, or a catalyst for, the rise in data breaches, the most prevalent type of breach involves physical or paper records. Breaches on a network server account for 10 percent of the total, and electronic medical record systems account for only 2 percent. Backup tapes, hard drives, e-mail and other breach types each range between 0 and 6 percent of the total.
Can the lack of security investments be a contributing factor to the rise in data breaches? One interesting statistic shows that healthcare spending on security seriously lagged behind industry averages – while the average spend on security is normally greater than 6 percent of the total IT budget, about 70 percent of healthcare companies reported allocating 3 percent or less of the budget on security.
The presentation also emphasizes that managing and tracking access to sensitive data (audit logging) should be part of the foundation of every IT security strategy and policy. In reality, the average healthcare organization has many uncoordinated systems, applications and users, each creating its own audit logs, so no single record of who accessed a patient’s data exists. I wrote on this topic previously in a blog post, Integrating IT Services: Cloud Computing & Compliance Concerns, describing the gaps and consequences of the lack of IT integration and automation.
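To make the audit-logging point concrete, here is an added example (not code from the original post or from the presenters) of what “coordinating” those logs looks like in practice: three hypothetical systems (an EHR application, a database audit log and a file server) each write access records in their own format and with their own account names, and the script normalizes them into one timeline so that every access to a given patient record can be listed in one place. The log formats, sample lines, host names and the account-to-person mapping are all constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample audit lines from three hypothetical systems. The formats
# are invented; real products each have their own.
EHR_LOG = """\
2012-02-23T09:14:05Z app=ehr user=jdoe action=VIEW patient=MRN1001
2012-02-23T09:20:31Z app=ehr user=jdoe action=VIEW patient=MRN1002
2012-02-23T09:21:07Z app=ehr user=asmith action=PRINT patient=MRN1001
"""
DB_AUDIT_LOG = """\
2012-02-23 09:15:44,dbuser_jdoe,SELECT,patients,MRN1001
2012-02-23 09:22:10,dbuser_jdoe,UPDATE,patients,MRN1003
"""
FILE_SERVER_LOG = """\
Feb 23 09:18:02 fs01 smbd: user jdoe read /phi/scans/MRN1001.pdf
Feb 23 09:25:55 fs01 smbd: user bwhite read /phi/scans/MRN1002.pdf
"""

# Constructed identity map. The database uses its own account names, so its
# events cannot be attributed to a person without this correlation step.
ACCOUNT_TO_PERSON = {"dbuser_jdoe": "jdoe"}


@dataclass(frozen=True)
class AccessEvent:
    """One normalized access to a patient record, whatever system logged it."""
    ts: datetime
    source: str
    user: str
    action: str
    patient: str


def parse_ehr(text):
    # key=value format; every field is present on every line.
    pat = re.compile(r"^(\S+) app=(\S+) user=(\S+) action=(\S+) patient=(\S+)$")
    events = []
    for line in text.splitlines():
        m = pat.match(line)
        if not m:
            continue  # skip malformed lines rather than crashing the pipeline
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AccessEvent(ts, m.group(2), m.group(3), m.group(4), m.group(5)))
    return events


def parse_db(text):
    # CSV: timestamp, account, statement, table, record key (assumed UTC).
    events = []
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) != 5:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        person = ACCOUNT_TO_PERSON.get(parts[1], parts[1])
        events.append(AccessEvent(ts, "db", person, parts[2], parts[4]))
    return events


def parse_fileserver(text, year=2012):
    # syslog-style: no year in the timestamp, patient id only inside the path.
    pat = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) \S+: user (\S+) (\w+) (\S+)$")
    events = []
    for line in text.splitlines():
        m = pat.match(line)
        if not m:
            continue
        mrn = re.search(r"(MRN\d+)", m.group(5))
        if not mrn:
            continue  # file is not a patient record; not part of this timeline
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append(AccessEvent(ts, m.group(2), m.group(3), m.group(4), mrn.group(1)))
    return events


def build_timeline():
    """Merge all three sources into one chronologically ordered access record."""
    events = parse_ehr(EHR_LOG) + parse_db(DB_AUDIT_LOG) + parse_fileserver(FILE_SERVER_LOG)
    return sorted(events, key=lambda e: e.ts)


def accesses_to_patient(timeline, patient):
    """Every (user, source, action) that touched one patient, across all systems."""
    return [(e.user, e.source, e.action) for e in timeline if e.patient == patient]


def users_by_system(timeline):
    """Which systems each person used; the view that siloed logs cannot give."""
    seen = defaultdict(set)
    for e in timeline:
        seen[e.user].add(e.source)
    return {user: sorted(sources) for user, sources in seen.items()}


if __name__ == "__main__":
    tl = build_timeline()
    for e in tl:
        print(e.ts.isoformat(), e.source, e.user, e.action, e.patient)
    print("MRN1001:", accesses_to_patient(tl, "MRN1001"))
    print("per user:", users_by_system(tl))
```

Run as a script it prints the merged timeline; the useful output is the per-patient view, which shows jdoe reaching the same record through three different systems within a few minutes, something none of the three source logs could show on its own.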
So who’s responsible? Another finding from the presentation shows that business associates were involved in 62 percent of data breaches, measured by the number of affected individuals, while covered entities were responsible for 38 percent. This supports the argument for Investing in a HIPAA Audit. But with covered entities shouldering most of the compliance burden, can we really blame business associates (although the HIPAA applicability/omnibus rule effective in March will hold them officially liable)?
Another statistic from the presentation, drawn from the 2011 HealthcareInfoSecurity.com survey, shows that 82 percent of covered entities reported high confidence in the security controls of their business associates and subcontractors. A second statistic showed that 77 percent relied on the business associate agreement (BAA) alone for assurance of compliance, with no further due diligence. While everyone with a part in protecting PHI is responsible, covered entities also need to do their part in ensuring that controls have been tested against the security claims made for them.
This was a great presentation with hard data to support their findings, and I think it raises valid and relevant points that healthcare covered entities and business associates alike can no longer afford to overlook.