11-21-13 | Blog Post
It’s been a while since we checked in on the HHS Wall of Shame. At the time we discussed why Business Associates should invest in an independent HIPAA Audit (Jan 2012) , Business Associates were involved in 62% of the patient records breached.
As of November 18, 2013, Business Associates (BAs) have been involved in 46.4% of the 27,772,675 patient records breached and reported to HHS with over 500 individuals affected. Yes, that’s approaching 28 million patient records breached. Whether the smaller percentage of Business Associates involved can be attributed to better safeguards by BAs or the larger volume of PHI data breached by Covered Entities alone remains to be seen.
Regardless of Business Associate involvement, data breaches involving over 500 patient records are widespread across the United States, including the District of Columbia and Puerto Rico. In fact, all but one state has reported at least one breach involving more than 500 Patient records, with California, Texas, and Florida the unfortunate “winners” of the most data breach incidents reported to date.
Speaking to the reason behind the relentless focus on the need for encryption by HHS ONC Director Leon Rodriguez, the majority of PHI breaches involve theft or loss. In many cases, the application of basic encryption tools would have kept patient records and many Covered Entities and Business Associates off of the HHS Wall of Shame. In 2014, HHS ONC promises a close review of Business Associates, including cloud providers, that touch patient data “behind the counter” and out of view of the patient. There is expected to be extenuating circumstances and thorough documentation including a complete risk assessment by organizations choosing to treat encryption as “addressable”. It’s clear that encryption is not “optional”; if you don’t encrypt, expect to prove that you have alternative safeguards that protect patient data equally well. Increasingly, Covered Entities and Business Associates are working to include encryption of patient data at the core of their IT infrastructure.
Data breach by hacking or unauthorized access fell lower on the list of the causes. Implementation of protective safeguards like two-factor authenication, SSL certificates, and secure VPN tunnels can avoid some access problems and prevent “script kiddies” from using publicly available programs to compromise sensitive data. For the dedicated hacker targeting an organization, it can be more problematic to keep them out. If access credentials are compromised and a hacker is able to use someone’s login information to get into the system, then all the encryption and VPN tunnels in the world won’t protect patient data. This is where proactive daily log review (by a real human, albeit often aided by automatic scripts that trigger alerts), Web Application Firewalls, and File Integrity Monitoring (FIM) can give IT administrators early warning of unusual activity and prompt further investigation and mitigation as warranted. Increasingly, the bar for protecting patient data will rise and force CEs and BAs to fortify their approach to a comprehensive defense in depth strategy.
Still wondering what state has not yet reported a breach of more than 500 patient records? Check out the map and answer below.
Answer: Maine is the only state yet to report a data breach of more than 500 patient records. Here’s hoping they can stay off the HHS Wall of Shame!
Enjoy making your own heat maps at http://www.openheatmap.com
About the Author
April Sage has been involved in the IT industry for over two decades, founding first a technology vocational program, and secondly a bioinformatics company supporting the pharmaceutical industry in the development of research portals, drug discovery search engines, and other software systems. Currently, April is the Director Healthcare IT for Online Tech, focusing on HIT thought leadership and the impact of HIPAA/HITECH policy on IT infrastructure and systems. April holds a BGS from the University of Michigan, and is a cohort member of the University of Michigan’s inaugural 2014 Masters Health Informatics program, jointly sponsored by the UofM School of Public Health and UofM School of Information.