There have been a total of 804 large breaches of protected health information affecting more than 29.2 million patients since HITECH came out in 2009.
The findings of a new report from Redspin, Inc., show many healthcare organizations have been struggling to comply with HIPAA. The sheer number of large personal health information breaches in 2013 — the year saw a 138 percent increase — is perhaps all the evidence needed to back up that assertion.
How can you keep your organization from being one of the casualties of these HIPAA breaches?
“At the end of the day, your ultimate goal is to get your employees to believe that patient health information is part of their responsibility, their civic duty, so to speak,” says Daniel Berger, president and CEO of Redspin, in a recent interview. “They need to look beyond, ‘here’s our policy,’ to adopting a personal stake in keeping patients’ records secure.”
You can dictate policies all you want, but employees will use their BYODs as they see fit, often not telling you if they download patients' personal health information onto their own devices to take home. Usually it’s for a good purpose: they want to do a good thing and get caught up on their work, for example. Then they run into trouble when their laptop gets stolen or lost.
"You’ve got to get employee buy-in; simple as that," Berger says of a breach-prevention culture. IT security is complicated, made even more so by the dynamic nature of technology and the ever-challenging threat landscape. There is no silver bullet. It may be best to think of IT security as a chronic illness, a condition that requires ongoing treatment, testing, and re-evaluation. With security, the goal is not an outright cure but a lessening of symptoms, a lowering of risk, according to Berger.
This year's Redspin report also includes these other tips:
1. Conduct an annual HIPAA security risk analysis
This is your annual exam. Periodic risk analysis is a requirement of the HIPAA Security Rule anyway so you might as well plan it in advance and budget for it. When you consider all of the changes that take place year-over-year such as new system deployments, IT infrastructure enhancements, organizational restructuring, and employee turnover, it is certain that new vulnerabilities have arisen at the same time. At Redspin, we are fond of saying that while security assessments have a shelf life, they also have an expiration date.
Do not be fooled into thinking that a HIPAA security risk analysis need not be technical. It is not possible to assess security risk without identifying real vulnerabilities and developing a remediation plan to address them. That is like a physical exam without blood work!
2. Inoculate yourself by encrypting data-at-rest
Insist on encryption of data on all portable devices. This is our fourth annual Breach Report, and encrypting laptops and other portable devices has been our top recommendation every year. From 2009 to present, the loss or theft of unencrypted portable devices has made up over a third of all large breach incidents and impacted over 50 percent of all health records put at risk.
We recognize that there are still significant hurdles to encryption – complex, often clumsy technology, budgetary constraints, and user-training needs. Employees resist it, but, extending the analogy, people resist needles too. As painful as it may be, it will not compare with the pain of a major breach incident due to a lost device chock full of PHI. The costs of forensics, reparations, attorney’s fees, an OCR investigation / civil penalty, potential class action lawsuits, and negative publicity can easily run into millions of dollars.
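"Insist on encryption" only works if you can verify it. The following is an added example, not code from the Redspin report or the article: a small audit routine that reads the block-device tree Linux's `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints and decides whether the filesystem holding a given mount point sits on a dm-crypt/LUKS layer anywhere beneath it (so LVM-on-LUKS counts as encrypted, a plain partition does not). The `lsblk` command and its JSON layout are real; the sample device tree, the function names and the `--sample` flag are constructed for this example.

```python
"""Added example: check whether a mount point is backed by dm-crypt/LUKS
using the JSON tree from `lsblk -J -o NAME,TYPE,MOUNTPOINT` (Linux).
Not part of the Redspin report; SAMPLE_TREE is constructed data."""
import json
import subprocess
import sys
from typing import Iterable, Optional

# Real lsblk invocation; -J prints a nested JSON tree with "children" arrays.
LSBLK_CMD = ["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"]


def _find_chain(nodes, mountpoint, trail=()):
    """Depth-first search. Returns the chain of nodes from a top-level disk
    down to the node mounted at `mountpoint`, or None if it is not present."""
    for node in nodes:
        chain = trail + (node,)
        if node.get("mountpoint") == mountpoint:
            return chain
        found = _find_chain(node.get("children") or [], mountpoint, chain)
        if found:
            return found
    return None


def mount_is_encrypted(tree: dict, mountpoint: str = "/") -> Optional[bool]:
    """True if the device holding `mountpoint`, or any device below it in the
    stack (e.g. LVM on LUKS), is a dm-crypt mapping ("type": "crypt");
    False if no crypt layer is in the chain; None if the mount point is absent."""
    chain = _find_chain(tree.get("blockdevices", []), mountpoint)
    if chain is None:
        return None
    return any(node.get("type") == "crypt" for node in chain)


def unencrypted_mounts(tree: dict, mountpoints: Iterable[str]) -> list:
    """Mount points that exist in the tree but have no encryption layer."""
    return [m for m in mountpoints if mount_is_encrypted(tree, m) is False]


# Constructed sample (hypothetical laptop): /boot on a plain partition,
# / and /home on LVM over a LUKS container, and a USB stick at /media/usb.
SAMPLE_TREE = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg-home", "type": "lvm", "mountpoint": "/home"}
      ]}
    ]}
  ]},
  {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "mountpoint": "/media/usb"}
  ]}
]}
""")


def live_tree() -> dict:
    """Run lsblk on the current Linux host and parse its JSON output."""
    out = subprocess.run(LSBLK_CMD, capture_output=True, text=True, check=True)
    return json.loads(out.stdout)


if __name__ == "__main__":
    # `python audit.py --sample` uses the constructed tree; without the flag
    # (a hypothetical option added for this example) it audits the live host.
    tree = SAMPLE_TREE if "--sample" in sys.argv else live_tree()
    for mp in ("/", "/home", "/media/usb"):
        print(f"{mp}: encrypted={mount_is_encrypted(tree, mp)}")
```

Run with `--sample` it reports `/` and `/home` as encrypted and `/media/usb` as not. An unencrypted `/boot` is normal on many Linux builds and is not where PHI lands; the mount points worth auditing are the ones users actually save exports to, including removable media. The same question on other platforms is answered by `manage-bde -status` (BitLocker, Windows) and `fdesetup status` (FileVault, macOS); feeding their output into a fleet report is the natural next step but is not shown here.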