The year 2012 saw a 21.5% increase in the number of large breaches vs. 2011, but an encouraging 77% decrease in the number of patient records affected.
This mirrors recent figures from the Open Security Foundation, which found that the number of global data breaches across all verticals reached 2,644 last year, more than double the number of incidents in 2011. Despite the rise in frequency, however, those breaches accounted for the exposure of 267 million records – a significant improvement over the 412 million records exposed in 2011.
According to the Redspin Breach Report 2012, 67% of all breaches in the US healthcare vertical were the result of theft or loss, while hacking contributed just 6%, both of the number of breaches and of the number of individuals affected. A full 38% of incidents stemmed from an unencrypted laptop or other portable electronic device – which points to a serious gap in internal best practices for data protection.
Redspin cautions that when the new HIPAA omnibus rule is factored into the equation, organizations could have much more exposure when it comes to breach consequences. That rule widens the scope of regulation to include business associates.
Redspin said that historically, breaches at business associates have impacted five times as many patient records as those at a covered entity. In 2012, more than half (57%) of all patient records breached involved a business associate.
“We recommend hospitals conduct a specific portfolio risk analysis as it relates to the dozens or even hundreds of vendors, contractors and consultants they work with,” Redspin noted.
The report also found that the majority (63.9%) of total records breached in 2012 resulted from the five largest incidents, including the largest, at the Utah Department of Health, which saw 780,000 records breached by hackers in two incidents. The next-largest breaches occurred at Emory Healthcare, the South Carolina Department of Health and Human Services, Alere Home Monitoring and Memorial Healthcare, which together totaled 762,094 compromised records.
Since August 2009, US-based organizations have reported 538 large protected health information (PHI) breaches of more than 21.4 million patient records to the Secretary of Health and Human Services (HHS).
Healthcare organizations can implement some safeguards against breaches going forward, Redspin said. First, conduct a HIPAA Security Risk Analysis. Then, implement a regular process for ongoing vulnerability scanning and remediation, and integrate those reports into IT security risk assessments. And, of course, insist on encryption of data on all portable devices: loss or theft of unencrypted portable devices has made up over a third of all large breaches to date.
It would also behoove organizations to conduct regular, frequent and engaging security awareness training for all employees. “This requirement has been included in every breach resolution agreement negotiated between OCR and an offending covered entity,” Redspin said.
The stakes remain high, despite patient records exposure declining in 2012. “In recent years, IT security has risen to the level of enterprise risk in many industries,” Redspin said in the report. “Data breaches can cause significant financial harm, reputational damage, and loss of consumer confidence. In healthcare, that risk is not limited to an individual hospital or business associate. It is an industry-wide threat to the continued adoption of electronic health records – the foundation for improving cost efficiency, care delivery and patient outcomes within the US healthcare industry.”