According to the Breach Level Index website, there were 336 healthcare data breaches reported in the U.S. last year. The Office for Civil Rights portal on the HHS website (the infamous “Wall of Shame”) cited 165 breaches affecting 500 or more individuals in 2014.
Naturally, Clearwater monitors these breaches closely, especially the ones where we’ve been able to obtain (or reasonably infer) salient facts such as the type of asset involved and the number of affected records. We were able to thoroughly document all aspects of 89 data breaches that occurred last year. Our 2014 wrap-up excludes the huge Community Health Systems cyber-attack so that a single outlier does not skew the record counts for the remaining incidents. Here are the major takeaways and action items we uncovered.
Non-Digital Breaches Remain An Issue
Paper data breaches accounted for 9 percent of compromised records in the first half of 2014 – and a surprising 31 percent in the second half. In total, nearly 200,000 paper records were compromised last year, along with nearly 60,000 pieces of individually identifiable health information ranging from lab specimens to radiology film.
Key Takeaway: Ensuring the confidentiality of non-digital forms of PHI is as important as ever.
Action Items: Organizations must develop, implement and enforce appropriate physical and administrative policies and procedures for safeguarding non-digital PHI.
Purloined Portables Still A Problem
We confirmed the loss or theft of 12 portable computing devices last year – and the lack of appropriate physical safeguards was a contributing factor in the majority of those incidents.
Key Takeaway: These incidents can be significantly reduced with simple precautions and due diligence by employees entrusted with portable devices.
Action Items: Organizations should implement whole-disk encryption and other technical safeguards to render PHI unusable, unreadable or indecipherable to unauthorized individuals. Note that the breach-notification safe harbor for encrypted data only applies when the encryption is consistent with HHS guidance (which references NIST SP 800-111 for data at rest) and the decryption key is not stored on or with the lost device; a laptop with the recovery key on a sticky note in the bag is still a reportable breach. Organizations need to strengthen their policies and procedures for portable device security – and enforce those rules through periodic compliance monitoring and sanctions. Workforce training in these matters should be thorough, not just a self-guided online tutorial.
Insider Mistakes And Malice Can Be Costly
In the 89 breaches we examined, there were 45 incidents involving insider actions that resulted in the compromise of more than 478,000 records. That means that about half of all the incidents we studied involved either mistakes or malice by an organization’s own employees and business associates.
Key Takeaway: Despite an organization’s best efforts, it’s almost impossible to eliminate all workforce-related data breaches. But organizations can take steps to foster an atmosphere of compliance and prevention.
Action Items: Every organization needs to implement and monitor reasonable and appropriate administrative safeguards. Everyone in the organization needs to be actively engaged in self-monitoring and reporting potential incidents. All employees and business associates need to be aware of the organization’s sanctions policies – and those penalties need to be imposed quickly and consistently.
Some healthcare organizations are apt to congratulate themselves on getting through 2014 without a colossal data breach. But there are a host of other incidents – including paper breaches, misplaced x-rays, stolen laptops and employee snooping – that can still result in significant financial and reputational costs.
The main lesson from 2014 is that organizations need to continuously assess the maturity of their information risk management efforts – and to not view those initiatives as a narrow “HIPAA compliance” issue.