After carefully analyzing U.S. healthcare data breaches from 2009 to Q2 2012, the Health Information Trust Alliance (HITRUST) believes the healthcare industry hasn’t done enough to stop organizations from repeating the same security mistakes over and over.
While breaches affecting 500 or more individuals have declined slightly over the past three years, the industry’s susceptibility to certain types of breaches has been largely unchanged since breach data became available from the U.S. Department of Health and Human Services (HHS) and the new HIPAA and HITECH Act regulations went into effect. Because there has been a large number of breaches since Q2 2012, it’s more important than ever to focus on HITRUST’s explanations of “how” and “why.”
HITRUST looked at HHS breach data covering the 495 breaches since 2009, involving 21 million records and costing an estimated $4 billion. Though HITRUST says that only 14 breaches were reported in the first two quarters of 2012, that figure has clearly grown at a faster rate over the following two quarters. The group also believes that Stage 1 Meaningful Use has forced providers to become more vigilant about laptop, desktop and mobile media security. The HITRUST report and accompanying infographic are both available on the HITRUST site.
But the data shows that awareness hasn’t yet translated into progress, as HITRUST says that providers “lack the awareness and resources in order to adequately recognize the issues and take actions to preempt future breaches.” This absence of fundamentals is compounded by the growing popularity of healthcare information exchanges, because one participant’s unsecured data may expose others as well.
Two ways to resolve this situation, according to HITRUST, are providing cost-effective solutions to healthcare providers and continuing to offer high-level security education that features ways to identify and correct risks. “By conducting and publicizing this analysis, we believe that over time we can facilitate a fundamental shift in the healthcare industry toward achieving a state of security and privacy that is on par with other leading industries,” Daniel Nutkis, chief executive officer of HITRUST, told MarketWatch.com. “While the data itself is not terribly surprising, it does serve as a critical reminder of the education and improvement that still needs to occur across the industry, regardless of organization type and size.”
HITRUST also identified these security areas of concern:
- Even in this electronic age, breaches of paper records remain significant among the leading segments (providers, payers, government), with errors in mailing and disposal of records playing a substantial role in some of the highest-profile paper-based breaches. Since 2009, paper records have accounted for 24 percent of healthcare breaches, second only to laptops.
- Business associates continue to account for a significant number of breaches (21 percent) and are implicated in a majority of the records breached to date (58 percent). This continues to be a problem across all organization types, with physician practices struggling the most.
- The average time to notify individuals and HHS following a breach is 68 days, with over 50 percent of organizations failing to notify within the 60-day deadline set by HITECH.
The results of HITRUST’s analysis of breach data are influencing updates to the 2013 version of the HITRUST CSF – available in January 2013 – and modifications to the CSF Assurance Program.