Even after various compliance requirements and regulations went into effect, the healthcare industry has not had much success in reducing data breaches, according to an analysis of data breaches from 2009 to 2012.
The number of total breaches at health care institutions remained fairly consistent even after breach reporting became mandatory in 2009, according to an analysis of health care related data breaches released by the Health Information Trust Alliance (HITRUST) on Wednesday. While some segments are seeing a decline in the number of breaches, recent spikes make it unclear whether the improvement will continue, HITRUST said in the report.
Smaller physician practices, those with less than 100 employees, accounted for over 60 percent of breaches analyzed in the report. In contrast, data breaches at hospitals and health systems declined by about 46 percent from 2010 to 2011, and HITRUST predicted a 36 percent decline from 2011 to 2012. There were only 14 data breaches at hospitals and health systems in the first two quarters of 2012, and HITRUST estimates there will be 41 cases in full year 2012.
“While the data itself is not terribly surprising, it does serve as a critical reminder of the education and improvement that still needs to occur across the industry, regardless of organization type and size,” Daniel Nutkis, CEO of HITRUST, said in a statement.
HITRUST analyzed 459 breaches affecting 500 or more individuals in the healthcare sector from 2009 to October 2012. HITRUST estimated the breaches cost the industry $4 billion and resulted in a total of 21 million patient records being exposed. The average breach compromised about 42,659 records and cost organizations $8.3 million, HITRUST found.
The information in HITRUST's survey came from the United States Department of Health and Human Services.
While the decline in breaches among larger institutions may seem reassuring, the bad news is that HITRUST does not think all the breaches are being reported to HHS or remain undetected. It takes a healthcare organization an average of 84 days to identify a breach after the fact, and 68 days to disclose the breach, the report found. The thing is, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 specifies that organizations need to issue notifications within 60 days.
A recent Ponemon Institute report on data breaches in the health care sector found that 54 percent of healthcare organizations participating in the survey had little to no confidence in their ability to detect all data loss or theft.
HITRUST noted an "alarmingly high number" of breaches where less than 500 individuals were affected. As of May 2012, there were over 57,000 such incidents, but details were not available from HHS, HITRUST said in the report.
"While the good news is that reportable breaches do not appear to be becoming any more pervasive, the bad news is that the industry's progress appears to be slow," the report said.
The report found that hacking and malware infections were responsible for just 8 percent of the breaches. Theft, loss, and unauthorized access remained the most common types of data breaches. Malicious insiders were responsible for 25 percent of breaches, accounting for 14 percent of compromised records. Laptops remained the most common source of compromised records, with the number of breaches involving laptops in 2012 projected to be similar to 2010 figures, the report said.
"The biggest issue in this industry continues to be stolen devices, with laptops the clear target, and with independent physician practices and specialty clinics suffering from the biggest losses," the report found.
Breaches of paper records remain significant, even in "this age of electronic information," HITRUST said. Since 2009, paper records comprised 24 percent of healthcare breaches, second only to laptops, but accounted for only 4 percent of total compromised records. Paper breach incidents include errors in mailing and improper disposal of records.
"In too many instances, boxes and binders of records are left unattended and disappear, employees take records home that are subsequently stolen or go missing, and information is discarded in trash cans and recycling bins without first being shredded," the report found.
Small physical practices, with less than 100 employees, generally don't have a formal IT department to adequate information security resources to handle various cyber-threats, including criminals trying to steal valuable patient data to sell on the black market.
“Larger practices with greater resources appear to be recognizing the problematic threats resulting in breaches, and many seem to be taking actions to prevent future breaches,” the report said.
With increased adoption of electronic health records technology among hospitals, many physician practices are increasingly accessing the records from larger institutions. If the practices don't have anti-malware software installed, have insecure or no firewalls, or share passwords across users, then the interconnected hospitals are now exposed to the same risks, the report found.
“By conducting and publicizing this analysis, we believe that over time we can facilitate a fundamental shift in the healthcare industry toward achieving a state of security and privacy that is on par with other leading industries,” said Nutkis.
Related Reading: Just Because Your Business is Compliant Doesn't Mean It's Secure