What OCR Breach Data Tells Us about Healthcare Information Security
September 29, 2016 | POSTED BY GEOFF WILSON IN COMPLIANCE, HIPAA
Is your healthcare information security program aligned with the current threat landscape?
I periodically review the DHHS Office of Civil Rights (OCR) Breach Portal Data to better understand the US healthcare threat landscape.
Here's what I found with the major breach cause categories:
The following trends jump out at me:
Hacking/IT Incident Is Surging
Healthcare needs to pay close attention to the Hacking/IT Incident threat category. Ransomware has received a ton of press this year, indicating a real threat to healthcare organizations. In fact, the OCR's recent ransomware fact sheet finally removes any doubt that a HIPAA breach occurs when ransomware encrypts ePHI.
Healthcare organizations must have a plan to prevent and to respond to these threats.
Effective preventative controls include removing administrator privileges from standard employees, patching commonly targeted applications (e.g. Java Runtime, Adobe Reader), and ensuring an updated antivirus client is installed on all systems (even servers).
To limit the impact of these incidents, healthcare organizations need to have well defined response processes, utilize intrusion detection technology, have solid backups, and periodically test their restoration procedures.
A HIPAA Risk Analysis will reveal additional controls that will further address this threat in your unique environment.
Theft-Related Breaches Are Rapidly Declining
In 2010, device theft was the clear leading cause of reported breaches. Since then, theft-related breaches have been on the decline. The occurrence of theft itself is not rapidly declining. Rather, the healthcare industry is learning to prevent unencrypted ePHI from being stored on theft-prone devices.
I work with many healthcare organizations who are severely restricting the ability to export and print data from their EHR. If the PHI can't be taken out of the secured facility, then it is less likely to be stolen.
Additionally, most healthcare organizations I work with now have a defined process in place to encrypt laptops and portable devices. If you can prove that the stolen device was properly encrypted, the organization may satisfy the Safe Harbor provision and avoid a HIPAA breach.
Unauthorized Access/Disclosure Is Still Leading
The most common cause of US healthcare breaches is Unauthorized Access/Disclosure.
The details of these breaches reveal the many cases where authorized individuals and Business Associates mishandled protected health information. Most cases are non-malicious and could have been prevented with awareness & training, third party risk assessments, and with improved data handling processes:
- In August 2016 Bon Secours Health System reported that one of their Business Associates, R-C Healthcare Management, had inadvertently exposed personal information of 650,000 Bon Secours patients to the Internet.
- In February 2016 Washington State Health Care Authority discovered that the PHI of 91,187 individuals was mishandled. Two employees exchanged spreadsheets containing ePHI without proper authorization.
- In June 2016 the University of New Mexico Hospital inadvertently mailed PHI to incorrect addresses due to an error in their billing systems.
Revisiting this reported data periodically is crucial because it gives us insight into the healthcare threat landscape. It is clear to me that in 2016, a risk-based healthcare security program will prioritize efforts to mitigate the Unauthorized Access/Disclosure threat, and will closely follow that with efforts to address the Hacking/IT Incident threat.
Is your security program aligned with the current threat landscape?
TRUE helps healthcare organizations develop risk-based security programs that are simple to follow yet flexible enough to address newly identified threats. If your name ever ends up on the OCR data breach portal, having an audit-ready program in place can be your saving grace, greatly reducing the penalties and keeping the auditors satisfied.