12-10-12 | Blog Post
HITRUST did an analysis of U.S. healthcare data breaches from 2009 to the present. Some of the information they have found is somewhat demoralizing; the data breaches analyzed were instances where 500 or more individuals were affected, and there’s been little change to the overall number over this time span. The healthcare data breach total from 2009 forward is up to 495, involving around 21 million records. The cost associated? About 4 billion dollars.
There were sections of the healthcare industry that have successfully lowered their instance of breaches. Hospitals and health systems, for instance, saw a 71% decline from 2010 to 2011. However, some areas of the healthcare industry, most notably physician practices, are not showing any progress. HITRUST assumes the lack of change in numbers is due to smaller facilities not having the awareness, nor the resources, to accurately and efficiently identify and resolve potential issues. This finds a correlation in the data that 60% of breaches within this subset are from practices that have less than 100 total employees. Smaller practices might not have as much money set aside for training their staff on data security, or have weak spots when maintaining the internal, administrative, and technical safeguards that comprise HIPAA compliance. Especially with the push for electronic data sharing and interconnectivity between facilities, this can pose a threat that has the potential to spread up into larger organizations.
Many smaller facilities are still using paper records too, which were involved in around 24% of breaches; a significant portion. Also, Business Associates (BAs) were implicated in 58% of cases and accounted for 21% to date. This is found within all organization types, and highlights the importance of getting a Business Associate Agreement (BAA). BAAs help define the role of both parties, as well as ensuring that the BA takes the appropriate measures in order to implement and uphold the safeguards necessary to help prevent a data breach.
Check out the five questions to ask your Business Associates, to find out more about the information that’s important when working with BAs. The information found by HITRUST is being used to help modify the CSF Assurance Program, which is working to align itself with meaningful use requirements, as well as give more standardized audit guidance.
View the full HITRUST breach report and infographic on HITRUSTAlliance.net.