Data breaches are unfortunately not uncommon in the healthcare industry. In the last three years, more than 500 breaches affecting 500 or more patient records have been reported to the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services. OCR estimates that close to 60,000 smaller breaches have occurred in the same timeframe.
Most data breaches begin with a moment of, "You're not going to believe what just happened," says Robert Belfort, a partner with Manatt, Phelps & Phillips LLP. It could be a CD with patient data that goes missing from a storage firm when the employee who signs for it suddenly resigns, or it could be a laptop taken from a car parked in an otherwise nondescript residential neighborhood.
Both incidents are real; the latter occurred in 2011 and involved the Massachusetts eHealth Collaborative (MAeHC), a small nonprofit that's nonetheless active in influencing national healthcare IT policy. Given the organization's role, "It was no small embarrassment to find out that we had made some critical mistakes," CEO Micky Tripathi says.
What to Do If You're a Victim of a Healthcare Data Breach
Once an incident is discovered, the first step is determining if a breach actually happened. That's no small task, Belfort says, as there are differences between data breaches and system vulnerabilities or violations of an organization's security policy. Vulnerabilities and violations should be noted, both for auditing purposes and to educate employees about data security, but they don't automatically constitute breaches.
Even if a breach has occurred, Belfort continues, there are two additional questions to consider: Did unauthorized or improper access to personal health information (PHI) occur, and if so, is there any risk to the organization? If an unencrypted laptop containing PHI was in a car that was stolen and subsequently dumped at the bottom of a lake, then the risk of anyone having seen that PHI is low, he says.
The MAeHC incident was a data breach, Tripathi says. Neither the laptop nor the data was encrypted, and although the files were password-protected, it was determined that an "enlightened amateur" could access the data. Of the nearly 15,000 patient records on the laptop, 1,000 put patients at a significant risk of harm, he says, as they contained a patient's name and one of three other pieces of information: date of birth, Social Security number or reason for the appointment.
The next step was notifying those 1,000 patients. Here differing state and federal laws complicated matters. Federal law puts a HIPAA-covered entity at fault. In this case, that would have been the practices for which the MAeHC was a contractor. (The agency was studying error logs for electronic data submissions.) Under Massachusetts law, though, the MAeHC, as the entity that lost the data, was responsible. To avoid confusion, Tripathi says, the eight affected covered entities sent the letters (to meet federal law) but mentioned MAeHC in the first sentence (to cover the state law).
In the end, data breach mitigation cost MAeHC about $289,000. More than half went to legal fees, and the bulk of what was left went to pulling staff from other tasks to focus on breach mitigation. "Basically, you have to sweep everything aside and focus on this," Tripathi says.
A breach involving one specific covered entity had to be reported to the Office for Civil Rights, as it affected more than 500 patients. The OCR concluded that MAeHC was "in substantial compliance" with federal rules and did not fine the organization; the federal agency even went so far as to tell Tripathi that overlapping state and federal laws left the OCR unsure if it even had jurisdiction over the incident.
Lessons Learned: How to Prevent a Healthcare Data Breach
Tripathi decided to use the incident as an educational experience for others, as a lengthy post on the HIStalk Practice blog and subsequent interview with The New York Times suggest. "This kind of detail just doesn't get out there," he says.
It should. A recent analysis of healthcare data breaches by the Health Information Trust Alliance (HITRUST) finds that incidents such as the MAeHC breach—involving lost or stolen and unencrypted laptops—remain all too common in the healthcare industry despite new rules that dramatically increase fines for data breaches.
All told, theft and loss account for 66 percent of the breaches of 500 or more patient records, and 82 percent of the total records lost, that have occurred since September 2009, the HITRUST report notes. Small physician practices, which make up the vast majority of healthcare organizations in the United States, are particularly vulnerable, the report says: "This industry segment is struggling and requires significant assistance due to a lack of available expertise and resources."
In an interview, Christopher Hourihan, principal research analyst with HITRUST, says small practices should focus on the basics, including training, encryption, firewalls and antivirus software—the same technology that savvy users have on their home networks. "Don't try to do anything all at once," he says. "Focus on the critical areas first and expand the program that way."
Speaking at the Privacy Security Forum, Leon Rodriguez, director of the Office for Civil Rights, agrees that encryption technology is key to avoiding breaches. (Under 2009's HITECH Act, the loss of encrypted PHI, or of encrypted hardware that contains PHI, is not considered a data breach.) Training matters, too, he adds, as there is always "some human frailty" to a data breach that's unrelated to technological vulnerabilities.
HIPAA Business Associates, Hackers Need an Organization's Careful Attention
The HITRUST report notes that data breaches involving HIPAA business associates—which, as noted, HIPAA-covered entities are responsible for—have accounted for 21 percent of breaches in the last three years and 58 percent of the records lost. This points to a need for "proactive due diligence," Hourihan says. "It's been a problem, and it will continue to be a problem, because businesses sign a contract and then don't do anything else."
To combat this issue, healthcare organizations should first ask for a business associate's most recent security audit and risk analysis and then work with the BA to fill the gaps that could result in a data breach. Since some providers have hundreds, if not thousands, of BAs, Hourihan suggests giving the most attention to electronic health record vendors, vendors that support critical business functions and other companies that interact with customer data.
Healthcare organizations also need to be aware of hackers. While hacks account for only 8 percent of reported data breaches, Hourihan thinks the actual number is higher, as HITRUST has seen PHI for sale on underground message boards that often can't be tied to a reported breach. With PHI worth up to 50 times more to hackers than credit card or Social Security numbers, Hourihan and HITRUST expect to see a "pretty significant rise" in hacks in years to come.
David Harlow, principal of The Harlow Group LLC, acknowledges that the industry "collectively need[s] to do a better job cracking down on those exploits."
Doing so requires a mix of technology, education and leadership. For Rodriguez, it's that final point that matters most—not just for preventing hacks but also for preventing data breaches and doing the sort of due diligence that MAeHC did in order to avoid an OCR fine. "It comes down to leadership owning compliance issues and doing so consistently. It's that leadership that makes all the difference," he says.