Share this article on:
The Protenus Breach Barometer healthcare data breach report for February includes some good news. Healthcare data breaches have not risen month on month, with both January and February seeing 31 data breaches reported.
The report offers some further good news. Healthcare hacking incidents fell in February, accounting for just 12% of the total number of breaches reported during the month. There was also a major fall in the number of healthcare records exposed or stolen. In January, 388,207 healthcare records were reported as being exposed or stolen. In February, the number fell to 206,151 – a 47% drop in exposed and stolen records. However, February was far from a good month for the healthcare industry.
IT security professionals have long been concerned about the threat from within, and last month clearly showed those fears are grounded in reality. February saw a major increase in the number of incidents caused by insiders. Insider breaches in February accounted for 58% of the total number of incidents reported for which the cause was known; double the number reported the previous month.
Insider wrong-doing was behind eight of the 18 incidents caused by insiders and nine were the result of errors by employees. One of the incidents could not be classified due to a lack of information about the exact nature of the breach.
Preventing insider breaches can be a major challenge for healthcare organizations, as can detecting breaches when they occur. Small to mid-sized organizations often do not have the resources to allow them to continuously monitor for the inappropriate accessing of healthcare records by employees. However, if continuous monitoring is not possible, covered entities must ensure that regular audits of access logs take place. Fast detection of improper access can greatly reduce the harm that those incidents cause. Regular reviews of access logs will also reduce the risk of a OCR HIPAA fine or settlement
HIPAA requires covered entities to maintain access logs and regularly check for inappropriate ePHI access, although the frequency of those checks and audits is left to the discretion of the covered entity. The frequency of audits should be dictated by the results of an organization’s risk analysis.
Last month showed that while some healthcare organizations are complying with 45 CFR § 164.308(a)(5)(ii)(C) – log-in monitoring – and 45 CFR § 164.312(b) – Audit controls – and are keeping logs, they are failing on Section 45 CFR § 164.308(a)(1)(ii)(D) by not regularly conducting information system activity reviews.
One incident reported in February involved an employee improperly accessing ePHI for more than five years (2,103 days) before the improper access was detected. HIPAA Rules may not stipulate how frequently access logs should be checked, but it would be difficult to argue that a check every five years constituted ‘regular’.
That was not the only long delay in detecting a breach. A second incident was also reported in February that took more than five years to detect (1,952 days). In that case the incident involved a system glitch that left ePHI exposed.
Overall, the breaches and security incidents reported in February took far longer to identify than those reported in January. It took an average of 478 days from the date the incident occurred to the date OCR was notified of the breach; that said, the average time was increased considerably by the two 5-year+ delays in detection. In January, the average time from the initial event to reporting was 174 days.
Breaches of electronic protected health information made up the bulk of incidents, although a third of incidents involved paper records, highlighting the importance of implementing physical controls to keep physical PHI secured.
While California usually tops the list for the number of incidents reported each month, this month Texas earned the title of the worst hit state with 4 reported breaches. California, Arizona, and New York shared second place with three incidents apiece.
Healthcare providers were the worst affected in February, accounting for 77% of the month’s incidents. Health plans reported 13% of breaches and business associates and vendors accounted for 3%. The remaining 3% were reported by other organizations.