Redspin PHI Breach Report 2012

© Redspin, Inc.

Breach Report 2012
Protected Health Information
February 2013

Table of Contents

Executive Summary ........ 3
By the Numbers ........ 4
Discussion of Results ........ 5
Conclusion and Recommendations ........ 12

Appendix:
HIPAA Omnibus Rule Highlights ........ 16

Figures and Tables:
Table 1: Top 5 PHI Breaches, 2012 ........ p.5
Table 2: Total Large PHI Breaches, Records Impacted, 2010-2012 ........ p.7
Table 3: Total Large PHI Breaches/Records Impacted Involving Business Associates, 2010-12 ........ p.9
Table 4: PHI Data Breach By Source / Device ........ p.11


Executive Summary

A total of 538 large breaches of protected health information (PHI) affecting over 21.4 million patient records [1] have been reported to the Secretary of Health and Human Services (HHS) since the August 2009 interim final breach notification rule was issued as a part of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

To prepare for our 3rd annual Breach Report / Protected Health Information, we spent weeks reviewing the complete statistical data set of breaches reported to HHS since 2009. Based on our analysis, we’ve prepared an objective assessment of the overall effectiveness of the policies and controls that have been put in place to safeguard protected health information. By identifying significant trends and drawing attention to specific areas in need of improvement, we hope to help the healthcare industry improve its ability to protect patient information. That is our goal. To that end, we’ve included Redspin’s recommendations for preventive measures and corrective action to address the most critical weaknesses.

[1] These numbers include breaches that affected >500 individuals and were reported to HHS from August 2009 to January 17, 2013. Those that impacted fewer than 500 are also reported to HHS on an annual basis, but the specifics are not made publicly available.


By the Numbers

- 538 breaches of protected health information (PHI)
- 21,408,505 patient health records affected
- 21.5% increase in the number of large breaches in 2012 over 2011, but a 77% decrease in the number of patient records impacted
- 67% of all breaches have been the result of theft or loss
- 57% of all patient records breached involved a business associate
- 5X: historically, breaches at business associates have impacted 5 times as many patient records as those at a covered entity
- 38% of incidents were the result of an unencrypted laptop or other portable electronic device
- 63.9% of total records breached in 2012 resulted from the 5 largest incidents
- 780,000 records breached in the single largest incident of 2012


Discussion of Results

In recent years, IT security has risen to the level of enterprise risk in many industries. Data breaches can cause significant financial harm, reputational damage, and loss of consumer confidence. In healthcare, that risk is not limited to an individual hospital or business associate. It is an industry-wide threat to the continued adoption of electronic health records – the foundation for improving cost efficiency, care delivery, and patient outcomes within the U.S. healthcare industry.

Quite a Handful. 146 breaches of protected health information affecting 2,413,397 individuals were reported to HHS in 2012. The top 5 incidents were particularly egregious, contributing nearly two-thirds of the total number of patient records exposed during the entire year. In striking contrast to previous years, there was little similarity in the root causes among this year’s “top 5” breaches. From a malicious hack, to lost back-up disks, to an email containing hundreds of thousands of patient records, these incidents highlight the breadth and complexity of the IT security challenge facing healthcare providers today.

Table 1: Top 5 PHI Breaches, 2012

Covered Entity | Individuals Affected | Type of Breach | Location of Breached Information
Utah Department of Health | 780,000 | Hacking/IT Incident | Network Server
Emory Healthcare | 315,000 | Unknown | Backup Disks
South Carolina Department of Health and Human Services | 228,435 | Unauthorized Access/Disclosure | Email
Alere Home Monitoring, Inc. | 116,506 | Theft | Laptop
Memorial Healthcare System | 102,153 | Theft | Electronic Medical Record


The hacking incident at the Utah Department of Health is of particular concern. Given the richness of the personal data that PHI contains, hackers are often mentioned as a potential threat to PHI. Yet, from 2009 to date, hacking has contributed to roughly 6% of data breaches, both in number of incidents and number of individuals affected. Many people have been surprised at this low incident rate, perhaps to the point of complacency. Others speculate that a significant number of smaller “hacks” have gone undetected. But the magnitude of the Eastern European-based attack on the State of Utah should end any complacency. The hackers exposed claims data for 780,000 Medicaid and Children’s Health Plan recipients. As a result, the State IT Director was fired. Recently, a new Utah Senate bill was put forth requiring that its Department of IT Services assemble a team of experts to ensure that security “best practices” are followed. The proposed law also includes a requirement for an audit of the department every two years.

In Redspin’s opinion, hacker attacks are likely to increase in frequency over the next few years. Personal health records are high value targets for cybercriminals as they can be exploited for identity theft, insurance fraud, stolen prescriptions, and dangerous hoaxes. We expect that the low incidence rate of hacking during the past few years was the calm before the storm. It is crucial for healthcare providers to “up their game” when it comes to security defenses. The proposed Utah state law cites best practices but is short on specifics. We’d recommend every health provider conduct an annual IT security risk analysis and implement even more frequent penetration testing and vulnerability assessments.

Some Signs of Improvement. In 2012, the incidents of large PHI breaches increased by nearly 21%. However, it’s not all bad news. The corresponding total number of patient records impacted dropped dramatically – a whopping 77% decrease year over year. While 146 breaches affecting over 2.4 million people might not sound like success, it is a significant improvement.


Table 2: Total Large PHI Breaches and Records Impacted, 2010-2012

PHI Breaches Affecting > 500 Individuals | 2010 | 2011 | 2012
Total # of Incidents Reported | 258 | 121 | 146
Total # of Patient Records Impacted | 8,313,517 | 10,684,591 | 2,413,397

We believe the privacy and security safeguards envisioned in the HITECH Act, implemented and enforced by HHS, CMS and OCR, and recently codified in the HIPAA Omnibus Rule are having a positive impact. Consider the number of covered entities that conducted a HIPAA Security Risk Analysis in the latter half of 2011 and throughout 2012. Redspin alone helped nearly 100 hospitals meet the security risk analysis requirement of Meaningful Use Core Measure 14.

During the same time period, OCR began to wield its enforcement authority, publicly announcing several high profile investigations that resulted in breach resolution agreements. Financial penalties have been assessed per the increased levels under the interim Breach Rule. OCR also launched its HIPAA Audit Program and, although they audited only about 100 covered entities, the possibility that any covered entity could be on their future audit list brought the program home to all. As one hospital CIO said to us: “We’d rather have OCR come in and do their audit after Redspin has helped us conduct a security risk analysis, so they can see we haven’t been standing still.”

Indeed, the requirement to conduct periodic security risk analysis has been a Federal regulation since the effective date of the HIPAA Security Rule in 2005. Standing still is no longer an option. The HITECH Act, Meaningful Use, and now the HIPAA Omnibus Rule have all brought the issue of IT security into sharper focus.

As we move toward realizing the full promise of electronic health record (EHR) technology, the need for IT security in healthcare has never been so great. When the authors of the HIPAA security rule recommended periodic security risk analysis, the pace of change in healthcare network infrastructure, applications, devices and workflow might have only warranted periodic check-ups. In addition, the threat landscape was much different then. The highest risk to healthcare records was loss from fire or water damage. Even the highest concentrations of paper files stored in archived facilities did not approximate the amount of PHI that could today reside on a single thumb drive.

Today’s challenges call for new ways of thinking about traditional HIPAA risk assessments. IT security is a process, not a project. A successful security program is a repetitive cycle of thorough testing, reports of findings, remediation, and retesting. For some aspects of an IT security program, such as policies and procedures, an annual review will be sufficient. But to protect against new or emerging threats, monthly or quarterly vulnerability scanning, threat management, and remediation will be needed.

A successful security program must also involve employees and business partners. All employees need to be engaged in building a culture of security – a process of internal training, daily reminders, and visual workplace cues. Lastly, the responsibility for PHI security now extends outside the organization. While the Omnibus Rule extends compliance with HIPAA security provisions and direct civil liability for breach to business associates and their vendors, covered entities still retain their obligation to ensure that their business associates are safeguarding PHI effectively.

Omnibus Arrives – Just in Time?

As mentioned above, both covered entities and business associates (BAs) now stand more or less on equal footing (at least from the regulatory standpoint) regarding their responsibility to safeguard PHI from breach. Over the past few years (or perhaps even from the beginning of time), this is an area that has suffered from “woeful neglect,” so to speak. As we have said publicly, “Hospitals clearly need greater visibility and control over how their business partners protect the privacy and security of confidential patient data.”

The statistics do indeed bear this out. Since late 2009, 57% of all patient records involved in large-scale PHI breaches have involved a business associate. In raw numbers, that’s 12,110,729 individuals!


Table 3: Total Large PHI Breaches/Records Impacted Involving Business Associates, 2010-12

Year | Incidents Involving BA | Total Breach Incidents | % Involving BA | Records Impacted by BA Incident | All Records Impacted by Breaches | % Involving BA
2010 | 51 | 258 | 19.8% | 4,136,397 | 8,313,517 | 49.8%
2011 | 31 | 121 | 25.6% | 7,078,890 | 10,684,591 | 66.2%
2012 | 22 | 146 | 15.1% | 895,442 | 2,413,397 | 37.0%
Total | 104 | 525 | 19.8% | 12,110,729 | 21,411,505 | 56.6%

It was against this backdrop that the long-awaited HIPAA Omnibus Rule was publicly announced and published in the Federal Register on January 25, 2013 with an effective date of March 26, 2013 and a compliance date of September 23, 2013.

Although promoted as “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” much of the Omnibus Rule is similar to interim regulations published in 2010-2011 as authorized under the 2009 HITECH Act. However, the extension of the responsibility for safeguarding PHI to business associates and their subcontractors is indeed a sea change. Not only must BAs now comply with the HIPAA Security Rules just like their covered entity partners, but they can also be held directly and civilly liable for PHI breach.

This is a good (albeit late) start, but the next steps are even more vitally important. Compliance regulations lose steam over time unless they are aggressively enforced. OCR, though well-intentioned, has a long way to go before they can be in a position to audit any business associates. At best, we’ll continue to see some high profile business associate breach penalties announced in the press. Such negative PR is attention-grabbing but fleeting – it too wanes over time unless there is a consistent driver for maintaining compliance and improving security.


So where will improvements in this critical area come from, if at all? Redspin believes that true collaboration between covered entities, business associates, vendors, law firms, and expert security firms will be essential to building a truly secure “chain of PHI custody” with consistent safeguards at every point. Like most challenges to improve the common good, covered entities and BAs should accept joint responsibility and accountability as they are both vested in the same positive outcome.

Easy for us to say! But we are not just talk. Redspin has put together a Business Associate Risk Assessment service, including a methodology that helps hospitals evaluate the internal controls of their business associates while building a risk model to determine overall exposure. It serves to initiate a mutually-beneficial exercise as hospitals and BAs can then openly discuss process improvements using a common framework and with the shared goal of protecting PHI.

Going Mobile

In last year’s report, we noted that 39% of all PHI breaches had occurred on a laptop or other portable device, the easiest type of device for thieves to steal or employees to lose. That trend continued in 2012 (37.7% of total) and we continue to fear the situation is going to get worse before it gets better. What was unusual just 18 months ago in healthcare organizations is now routine. Smartphones, iPads, and other BYOD computing devices now enter the healthcare workplace daily – and go home at night. Forrester Research reports that 37% of information workers are using BYOD at work before policies are even in place.

CMS has included a specific call-to-action in Stage 2 meaningful use that reemphasizes the “addressable” requirement in the HIPAA Security Rule governing the encryption of data-at-rest. Why not make this mandatory – at least on portable devices? Stricter policies and more encryption are clearly called for. We suspect the “wiggle room” in the HIPAA Security Rule was kept intact by CMS, rather than risk that a stricter encryption requirement would delay the pace of Stage 2 attestation.


BYOD just makes it worse. With BYOD, the users need to have more say in the matter. Owning the device creates both legal and psychological differences regarding usage. Employers and employees must work towards truly mutually acceptable policies or there is a risk that employees will just do what they want. No one has found the ideal solution yet. With Redspin’s mobile device security assessments, we offer a methodology that enables IT management to have increased engagement with their healthcare workers and get their buy-in, while deploying simpler encryption methods and offering more security awareness training. We think this approach has the best chance of success but ultimately, it will be the future breach statistics that tell the tale.

Table 4: PHI Data Breach by Source / Device

Source / Device | Pre-2012 (#) | Pre-2012 (%) | 2012 (#) | 2012 (%)
Laptop and other portable device | 151 | 39.2% | 55 | 37.7%
Paper | 92 | 23.9% | 31 | 21.2%
Computer | 56 | 14.5% | 20 | 13.7%
Server | 38 | 9.9% | 15 | 10.3%
Other | 18 | 4.7% | 18 | 12.3%
Email | 7 | 2% | 4 | 2.7%
Electronic Health Record | 6 | 1.6% | 2 | 1.4%
X-Ray | 5 | 1.3% | 0 | 0
Back-up Tapes | 4 | 1% | 1 | 0.6%
Hard Drives | 3 | 0.8% | 0 | 0
Mail, Postcards | 3 | 0.8% | 0 | 0
CD | 2 | 0.5% | 0 | 0
Total | 385 | 100% | 146 | 100%

Another area to keep a close watch on is unauthorized access. The 3rd largest breach in 2012 occurred at the South Carolina Department of Health and Human Services when an employee (now ex-employee) emailed himself 228,000 patient records. Malicious hackers are not the only group to realize the value of a stolen health record when used for illegal purposes – it may be your own employees. Incidents of insider threat are on the rise and can only be prevented by a comprehensive security program – not a once a year risk assessment but an integrated program of policies, controls, technical safeguards, organizational accountability, enforcement, training, and leadership.

Conclusions and Recommendations

Four years ago, the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addressed the privacy and security concerns associated with the electronic transmission of health information through several provisions that strengthened the civil and criminal enforcement of the HIPAA rules.

Those provisions have been put into effect through a series of interim rules and enforcement actions, ultimately culminating with the recent publication in the Federal Register of the HIPAA Omnibus Rule. While reserving comment on the piecemeal implementation of privacy and security rules, the 4 year anniversary of HITECH seems a good time to assess how well those provisions have been working. Most importantly, with the Omnibus Rule now in place, let’s look at the most significant security challenges that lie ahead.

While the authors of the HITECH Act foresaw the need to strengthen HIPAA privacy and security as an essential and concomitant element of achieving meaningful use of health information technology, they clearly underestimated the complexity of the task. The breach tally speaks for itself – 538 large-scale PHI breaches impacting over 21 million patients, and an additional estimated 60,000 smaller breaches affecting millions more, reported to HHS since the Fall of 2009.

So what went wrong? First, IT security is complicated because today’s technology world is incredibly dynamic, the number of endpoints too great. Such hyper-connectedness can lead to a single change creating a multiplicity of new vulnerabilities, oversights, or mistakes. IT security can’t simply be legislated or completely enforced. Policies and enforcement play an important role, but like good parenting, they don’t guarantee results.

In HITECH, the Interim Breach Rule, and the Omnibus Rule, much of the focus was put on breach reporting, and indeed, that reporting is an essential part of patient/consumer protection. Patients have a right to know if their confidential health information has been inappropriately disclosed or exposed. But such notifications are, after all, after the fact. Patients also have an a priori right to trust that their health information is being appropriately safeguarded. This is why Redspin tells our clients: “Sure, we’ll help you meet or maintain HIPAA compliance or attest to Meaningful Use, but our real goal is to help you safeguard PHI from data breach.”

Since the accelerated deployment of IT in healthcare began, we’ve stressed that security is a foundational element for its successful implementation and adoption. Legislation, programs, policies, or controls that are intended to drive improvements in security must first recognize that effective security is about lowering risk. The aim is not to find and fix all vulnerabilities or eradicate every threat. The goal is to reduce the likelihood of occurrence and limit the potential damages of breach.

Looking backward is only useful to the extent it can help better inform our future direction. Starting back in 2009-2010, the healthcare industry was asked to change. Hospitals and other eligible providers were offered huge financial incentives to do so. EHR systems were deployed; providers were encouraged to show “meaningful use” of those systems quickly. Conducting a HIPAA security risk analysis was required under the EHR incentive program – and many interpreted this requirement as pertaining just to the EHR and systems directly connected to the EHR.

The problem is that once electronic health records were born, they were bound to find their way onto other devices, into other applications, and even transmitted to other places. The proliferation of portable devices and media within all IT environments that store PHI increases the likelihood of breach exponentially. How many providers included their internal applications in their last HIPAA Security Risk Analysis? How many security assessments of business associates were included in the covered entity’s HIPAA Risk Analysis? Most BAs were not prepared for the responsibility they assume simply by being in possession of PHI – and still aren’t.

And what about healthcare workers? Few healthcare employees outside of IT could tell you what their corporate IT security policies are, much less how those actually pertain to their email, laptop, or personal iPhone. Would the average healthcare employee know how to encrypt “data-at-rest”? Was the level of IT security awareness of employees who had access to PHI considered in a HIPAA Security Risk Analysis?

These are tall tasks, underestimated four years ago and urgently needed now. We want to help drive the changes necessary in healthcare IT security so that PHI breaches are a rare exception, rather than a once a week news story. In the beginning of this report, we promised recommendations and here they are. Remember we advocate that your mindset be about lowering risk. Focus on reducing the likelihood of PHI breach occurrence and limit the potential damages of those breaches.

First, conduct a HIPAA Security Risk Analysis. It is just the starting point… but get started! Redspin preaches that security assessments are not projects but rather part of a continuous process of durable improvements. As such, we believe HSRAs should be conducted on an annual or at least bi-annual basis. While a comprehensive security assessment has a shelf life, you’ll be far more secure if you also assume there is an expiration date.

Second, implement a regular process for ongoing vulnerability scanning and remediation, and integrate those reports into your IT security risk assessments. Don’t wait for the HSRA cycle to come around again before doing the vulnerability scanning – use a monthly or quarterly schedule so that you can compare results and see what you’ve fixed, what you haven’t, and what new vulnerabilities may have arisen. If you don’t have the resources to do this yourself, Redspin has an automated service that can do it for you.


Third, insist on encryption of data on all portable devices. Just do it! Loss or theft of unencrypted portable devices has made up over a third of all large breaches to date. We recognize that there are still significant hurdles – clumsy technology, budgetary constraints, and user-training needs. As painful as they may be, they don’t compare with the pain of a major breach incident due to a lost device chock full of PHI. The costs of forensics, reparations, attorneys’ fees, an OCR investigation/civil penalty, potential class action lawsuits, and negative publicity can easily run into millions and millions of dollars.

Fourth, business associates have accounted for 57% of all patient records breached since we started the tally. We recommend hospitals conduct a specific “portfolio” risk analysis as it relates to the dozens or even hundreds of vendors, contractors, and consultants they work with. Ultimately, the hospital has every right to insist that its partners conduct regular, third-party security assessments as a requirement of doing business together. Covered entities and business associates need to work together to fix this problem.

Last but not least, conduct regular, frequent and engaging security awareness training for all employees. This requirement has been included in every breach resolution agreement negotiated between OCR and an offending covered entity. All employees should understand not just the policies and procedures per se but also why those provisions are in place – given what’s at stake. Situational training is a must – test people on what they would do in specific situations. Implement hotlines, place posters on walls, screensaver reminders, and monthly tips. Every dollar spent on educating your employees on privacy and security awareness is an investment in your organization’s future success.


Appendix: HIPAA Omnibus Rule Highlights: Business Associates, Civil Penalties, Breach Notification

On January 17, 2013, the U.S. Department of Health and Human Services (HHS) released its final Omnibus Rule which implemented the increased HIPAA privacy and security provisions of the HITECH Act (2009) and the Genetic Information Nondiscrimination Act of 2008 (GINA). The rule was published in the Federal Register on January 25, 2013 with an effective date of March 26, 2013. Compliance for both Covered Entities and Business Associates is required by September 23, 2013 (180 days from the effective date).

The three provisions of the Omnibus Rule that are most relevant to this paper are the expansion of the privacy and security rules with regard to Business Associates, the increase in penalties for non-compliance, and a new standard for determining whether there has been a breach of protected health information (PHI).

Expansion of Privacy and Security Rules with regard to Business Associates

The Omnibus Rule extended and expanded the definition of business associates. The term business associate now applies equally to a subcontractor of a business associate, and that subcontractor must comply with parts of the regulations in their own right. In addition, the business associate definition was expanded to include health information organizations, e-prescribing gateways, and other entities that provide data transmission services that require access to PHI on a routine basis, and entities that offer a personal health record product.

All business associates are now required to implement HIPAA-compliance initiatives and measures.

Increase in Penalties for Non-Compliance

The Omnibus Rule employs the civil monetary penalty structure in the HITECH Act, wherein higher or lower penalties are assessed based on levels of culpability. Note that these civil penalties apply to covered entities and now to business associates equally (as per above).

The penalties are structured into the following tiers:

- If the covered entity or business associate did not know and could not have known about the violation, the penalty is between $100 - $50,000 per incident
- If the covered entity or business associate acted with “reasonable cause” (the CE or BA knew or would have known through reasonable due diligence that an act or omission would violate the rules, but did not act with “willful neglect”), the penalty is $1,000 - $50,000 per incident
- If the CE or BA acted with willful neglect but instituted successful corrective measures within 30 days, the penalty is $10,000 - $50,000 per incident
- If the CE or BA acted with willful neglect and did not institute successful corrective measures within 30 days, then the penalty is $50,000 per incident
- All levels include an aggregate annual cap of $1.5 million for violations of identical provisions


New Standard for Determining Whether a PHI Breach Requires Notification

Previously, the determination of whether a PHI breach would require notification was based on the so-called “harm standard” – an assessment of the risk that said breach would cause financial, reputational, or other harm to an individual. The Omnibus Rule does away with the harm standard and instead states that a breach is presumed to require notification unless it can be determined through risk assessment that there is a low probability that PHI has been compromised by the unauthorized use or disclosure. HHS comments that it expects the risk assessments to be thorough, conducted in good faith, and documented, and that their conclusions should be reasonable.

The exact language is contained in paragraph (2) of 45 C.F.R. § 164.402:

Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

i. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

ii. The unauthorized person who used the protected health information or to whom the disclosure was made;

iii. Whether the protected health information was actually acquired or viewed; and

iv. The extent to which the risk to the protected health information has been mitigated.