The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIMSS 2015: HIPAA Security: A Decade of Breaches

Cybersecurity is a hot topic at the Healthcare Information and Management Systems Society conference (HIMSS 2015) in Chicago this week. A number of scheduled presentations relate to data security and the Health Insurance Portability and Accountability Act (HIPAA); they are aimed at compliance officers and IT professionals who are trying to navigate HIPAA regulations and get their organizations fully compliant.

On Monday 13, Marion Jenkins, Ph.D., FHIMSS, Chief Strategy Officer at 3t Systems, gave a session entitled HIPAA Security: A Decade of Breaches, in which he explained the current landscape, how the HIPAA Security Rule has changed over the past 10 years, and how covered entities' (CEs') attitudes to the legislation have changed with it.

In the presentation, Jenkins gave examples of the real causes behind the data breaches and suggested a number of easy – and not-so-easy – remedies that healthcare providers and other CEs can implement to reduce the risk of being affected.

Jenkins pointed out that in the past 6 years there have been 1,189 reported breaches of HIPAA-classified data – protected health information (PHI) – and that the number of reported incidents has increased by 50% in the past 12 months. To date, he said, 133 million patient records have been exposed in data breaches.


Jenkins said that the cost of breaches of HIPAA data can be astronomical, and used the examples of Sutter Health and SAIC, both of which have been cited in multibillion-dollar class action lawsuits.

Laptop Theft Dominates HIPAA Breach Reports

While hacking is attracting a lot of media attention, the majority of data breaches involve other kinds of disclosure of PHI. Jenkins pointed out that theft of devices was the most common cause of data breaches, accounting for 55%, while unauthorized access accounted for 19%, loss for 12%, and unspecified causes for 14%.

He warned attendees that the loss and theft of laptop computers is the biggest single problem, accounting for 25% of breaches, and cited a habitual offender, Stanford Children’s Hospital, which has repeatedly suffered breaches when physicians’ cars were broken into and their laptops stolen.

He offered an answer to a question many patients may have asked: what is their healthcare data doing on a laptop left in a car park? The answer may be that, in order to access medical records in a timely manner and get on with the job of treating patients, some physicians shortcut slow systems by downloading data onto their work laptops. A physician may do this for every record they are required to access.

It was pointed out that healthcare providers, insurers, and other CEs may have been misled into believing they are HIPAA-compliant when they are not. Jenkins said claims of HIPAA-compliant EHRs and HIPAA-compliant cloud services may be taken to mean that every aspect of HIPAA is covered by the provider. He said: “There are two problems with that assertion; first, there is no such thing as a HIPAA-certified EHR. Second, the EHR isn’t the problem … it’s the user behavior when they’re pulling reports, pulling data out of the EHR, and then having a breach with that.”

HIPAA Regulations are Outdated

Jenkins also criticized HIPAA regulations as outdated and unable to keep up with the pace of change in the healthcare industry. For instance, he pointed out that there is no mention of “laptops” or “smartphones” in the HIPAA regulations, and that the Security Rule does not even specify basic security measures, such as not using “password” as a password or requiring that access passwords be changed frequently. Similarly, session timeouts, logoff intervals, and Wi-Fi encryption are not sufficiently covered. He used the example of WEP encryption being HIPAA-compliant even though it is hardly secure and is frequently broken.
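As an added illustration of the gap described above (this is example code written for this page, not code from the article or from the presenter), the following Python audit checks a device inventory for the basic safeguards the Security Rule is said to leave unspecified: weak or default passwords, password rotation, idle timeouts and auto-logoff, and Wi-Fi encryption. The inventory, device names and threshold values are constructed assumptions for the example; they are not figures from the regulation.

```python
"""Audit a device inventory for the basic safeguards the session named.

Thresholds and the inventory are constructed for this example (assumptions);
the HIPAA Security Rule itself does not set these values.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed policy thresholds (assumptions chosen for illustration).
MAX_PASSWORD_AGE_DAYS = 90        # rotate passwords at least this often
MAX_IDLE_TIMEOUT_SEC = 900        # auto-logoff after at most 15 minutes idle
WEAK_PASSWORDS = {"password", "password1", "123456", "admin", "welcome"}
ACCEPTED_WIFI = {"WPA2", "WPA3"}  # WEP and open networks are rejected


@dataclass
class Device:
    name: str
    password: str
    password_age_days: int
    idle_timeout_sec: Optional[int]  # None means no auto-logoff is configured
    wifi_security: str               # e.g. "WEP", "WPA2", "OPEN"


def audit_device(d: Device) -> List[str]:
    """Return a list of human-readable findings for one device (empty = clean)."""
    findings: List[str] = []

    # 1. Default / dictionary passwords such as "password".
    if d.password.lower() in WEAK_PASSWORDS:
        findings.append(f"{d.name}: password is on the weak/default list")

    # 2. Passwords that have not been rotated within the policy window.
    if d.password_age_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(
            f"{d.name}: password unchanged for {d.password_age_days} days "
            f"(limit {MAX_PASSWORD_AGE_DAYS})"
        )

    # 3. Missing or overly long idle timeout before automatic logoff.
    if d.idle_timeout_sec is None:
        findings.append(f"{d.name}: no idle timeout / auto-logoff configured")
    elif d.idle_timeout_sec > MAX_IDLE_TIMEOUT_SEC:
        findings.append(
            f"{d.name}: idle timeout {d.idle_timeout_sec}s exceeds "
            f"{MAX_IDLE_TIMEOUT_SEC}s"
        )

    # 4. Wi-Fi protocols that are not on the accepted list (WEP, open, etc.).
    if d.wifi_security.upper() not in ACCEPTED_WIFI:
        findings.append(
            f"{d.name}: Wi-Fi uses {d.wifi_security}, not an accepted protocol"
        )
    return findings


def audit_inventory(devices: List[Device]) -> Dict[str, List[str]]:
    """Audit every device; returns only devices that have at least one finding."""
    report = {d.name: audit_device(d) for d in devices}
    return {name: f for name, f in report.items() if f}


# Constructed sample inventory (not real devices).
CONSTRUCTED_INVENTORY = [
    Device("ward-laptop-01", "password", 400, None, "WEP"),
    Device("clinic-ws-07", "Tr0ub4dor&3", 30, 600, "WPA2"),
    Device("reception-pc-02", "Spring2015!", 120, 1800, "WPA2"),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(CONSTRUCTED_INVENTORY).items():
        for line in findings:
            print(line)
```

Run as a script it prints one line per finding; in practice the inventory would be pulled from an endpoint-management or configuration-management system rather than hard-coded, and the thresholds would come from the organization's own written policy.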

Given the number of breaches, the targeted attacks, and the cost of security breaches to the industry, Jenkins believes that HIPAA regulations should be kept more up to date, and that healthcare organizations should do more to ensure they are fully compliant and have adopted the safeguards for PHI required by current legislation.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
