In accordance with HITECH, the Health and Human Services Office for Civil Rights has submitted its annual reports to Congress detailing the Breaches of Unsecured Protected Health Information it was notified of during 2011/2012. The report shows that 98% of victims of PHI data breaches involving over 500 individuals have come from 1% of recorded breaches. The large-scale data breaches caused by these security lapses and targeted attacks are affecting millions of Americans. The total count of victims has now risen to 32 million and the total number of recorded HIPAA data breaches is about to reach the 100 mark.
The report highlighted the state of HIPAA compliance and clearly showed that healthcare organizations are failing to take the required actions to protect patient data and keep PHI private and confidential. Over the course of the past 12 months there have been record fines issued for security breaches and violations of HIPAA procedures and HHS Chief Regional Civil Rights Counsel Jerome Meites has predicted “a huge spike in the fines from violations” over the coming months. In his eyes, the high number of compliance failures already seen is nothing compared to what is to come.
While Meites was giving a personal view – and not the view of the HHS – the volume of investigations currently being conducted into HIPAA violations and data breaches is growing fast and it is reasonable to expect the number of financial penalties the HHS issues to increase accordingly.
The value of PHI makes healthcare organizations – and their business associates – targets for cybercriminals, and holes in IT systems are being exploited with increasing frequency. The report states that theft was the cause of the biggest data breaches in 2011, while a year later in 2012 cybersecurity attacks and other IT issues caused the greatest exposure of patient data.
Reducing the Risk of PHI Loss
The HHS notified Congress of the steps that individuals and healthcare organizations should take to improve cybersecurity and prevent breaches. These include:
Conducting Regular Risk Analyses and Implementing Risk Management Strategies
Organizations should conduct a thorough analysis of security vulnerabilities and risks and devise and action a management plan to address the issues raised. Procedures and policies should be reviewed and revised regularly as legislation changes.
Conducting a Security Evaluation
Hardware, software, website and procedural updates require a security evaluation to be performed to identify potential compliance issues and security risks. Evaluations should be performed periodically and also after procedural updates and the introduction of new software, hardware and any new technology.
The Control and Security of Portable Electronic Devices
Theft and loss of portable electronic devices account for a large proportion of security breaches. Appropriate security controls should be implemented to ensure the loss of a device does not involve loss of data. Data should be encrypted wherever possible and files and device access should be password-protected.
Secure Disposal of Records
All paper and data records containing PHI must be disposed of securely and procedures and policies must be implemented by healthcare organizations and their business associates to ensure PHI is destroyed in all of its forms.
Staff and workstations must have security controls in place to ensure that PHI is kept secure and cannot be accessed by unauthorized individuals. Individual access should also be carefully considered and access restricted to essential information.
It is essential that the staff is made aware of the organization’s procedures and policies on the use and disclosure of PHI. Training should be continuous and the staff informed of new legislation and any changes to company data storage or transit procedures and policies.
Business Associate Agreements
Agreements with business associates must be revised and updated to include provisions for the use of PHI.
Healthcare organizations that concentrate on each of these issues will improve cybersecurity and reduce the probability of a data breach.