According to the Health Information Trust Alliance’s (HITRUST) analysis of U.S. healthcare data breaches from 2009 to the present, the healthcare industry has made little progress in reducing the number of breaches with troubling statistics seen from the same types of organizations, breaches and locations.
The retrospective analysis of breaches affecting 500 or more individuals indicates a slight decline in the total number of breaches during the past three years, but overall the industry’s susceptibility to certain types of breaches has been largely unchanged since breach data became available from the U.S. Department of Health and Human Services and the new HIPAA and HITECH Act regulations went into effect.
HITRUST periodically analyzes the breach data from HHS and other sources and makes it freely available to the industry to inform organizations of trends and continuing security and privacy risks, and to direct modifications to HITRUST programs and requirements.
“By conducting and publicizing this analysis, we believe that over time we can facilitate a fundamental shift in the healthcare industry toward achieving a state of security and privacy that is on par with other leading industries,” said Daniel Nutkis, chief executive officer, HITRUST. “While the data itself is not terribly surprising, it does serve as a critical reminder of the education and improvement that still needs to occur across the industry, regardless of organization type and size. I believe this is why HITRUST continues to see increasing adoption numbers for the HITRUST Common Security Framework (CSF) and participation in the CSF Assurance Program, especially from organizations that have made the commitment to train their security and privacy professionals so that they have the necessary knowledge and skills.”
A close look at the HHS data reveals that since 2009 the industry has experienced 495 breaches involving 21 million records at an estimated cost of $4 billion. With the annual number of total breaches remaining fairly consistent, hospitals and health systems is one of the few groups that can claim some improvements in protecting health information with the largest decline in reported breaches. This group experienced a decline of 71 percent from 2010 to 2011 in the number of breaches, and for the first two quarters of 2012 has only experienced 14 breaches (compared with a total of 48 for 2011). Health plans have also seen a steady decline in breaches since 2009 and have not had to post since the first quarter of 2012.
“We are seeing healthcare providers adopting the HITRUST CSF at a greater rate than other segments, which could be attributed to escalating pressures faced by this industry segment relating to the protection of health information,” said Nutkis. “This group is also leveraging guidance from the CSF Assurance Program that focuses on the high risks for healthcare such as unencrypted devices in support of their meaningful use attestations.”
In addition, HITRUST believes that Stage 1 meaningful use may have incentivized and/or raised awareness for the need for security, particularly in the most likely areas of laptops, desktops and mobile media. However, the data indicates that physician practices, which should be similarly motivated by meaningful use incentives, have continued to demonstrate a lack of progress. This is especially true of smaller physician practices where those with one-to-100 employees account for over 60 percent of the breaches reported in the segment. The analysis indicates that organizations such as these likely lack the awareness and resources in order to adequately recognize the issues and take actions to preempt future breaches. As the interconnectivity of organizations increases through community health records and health information exchanges, small practices may pose a new and significant risk to larger entities that have begun to get a handle on security and privacy.
HITRUST believes that in order for there to be a significant decline in the total number of breaches, the industry must find a way to reach physician practices and provide them with simple cost-effective solutions to their biggest challenges. A step in the right direction would be to provide these smaller organizations – and the industry as a whole – with education tailored to security in healthcare in conjunction with more automated and sophisticated methods to identify and correct risks. This enables small organizations to more easily acquire the necessary skills supplemented by technology so they too can be successful. The HITRUST report provides recommendations for physician practices needing to proactively address their security initiatives.
Surprisingly, reported hacking and malware infections remain low, accounting for a total of eight percent of the breaches. “Data we receive from other sources strongly indicates that U.S. healthcare organizations of all types are experiencing data loss due to viruses, attacks by cyber criminals, password sharing by clinicians, and the prevalence of vulnerabilities in electronic health record (EHR) technologies that are not communicated,” said Nutkis.
HITRUST recently launched the Cyber Threat Analysis Service (CTAS) in partnership with iSIGHT Partners to identify and analyze cyber threats to the U.S. healthcare industry. The CTAS has published more than a half-dozen reports of healthcare data being exploited in underground message boards by cybercriminals from the U.S., Russia and China that cannot be linked back to the reported breaches from HHS. In addition, the service has found that malware is present on approximately 30 percent of endpoint devices in smaller healthcare organizations.
A November 2012 report from the CTAS highlights this new dynamic in the cause for breaches with the observation that a database containing personally identifiable information (PII) and protected health information (PHI) was advertised for purchase on a prominent cybercrime forum.
HITRUST’s own assessment data suggests many breaches may go unreported or undiscovered. Nutkis continued, “because of the gap between the breach data and other sources, we believe the breaches being reported are not all inclusive. While we do not have a sense of the exact magnitude, given the cyber threats that healthcare and other industries face, we believe it must continue to be taken seriously.”
The HITRUST analysis also identified other areas of concern for the industry:
- Even in this electronic age, breaches of paper records remain significant among the leading segments (providers, payers, government) with errors in mailing and disposal of records playing a substantial role in some of the highest profile paper-based breaches. Since 2009, paper records comprise 24 percent of healthcare breaches, second only to laptops.
- Business associates continue to account for a significant number of breaches (21 percent) and are implicated in a majority of the records breached to-date (58 percent). This continues to be a problem across all organization types, with physician practices struggling the most.
- The average time to notify individuals and HHS following a breach is 68 days, with over 50 percent of organizations failing to notify within the 60 day deadline set by HITECH.
The results of HITRUST’s analysis of breach data are influencing updates to the 2013 version of the HITRUST CSF – available in January 2013 – and modifications to the CSF Assurance Program. The program is being updated to align with Stage 1 and 2 meaningful use requirements, and provide adequate coverage for high risks, including endpoint security, third party assurance, and continued requirements for secure disposal. HITRUST is developing and will be releasing detailed illustrative procedures alongside the 2013 updates to provide standardized, industry-approved audit and assessment guidance to HITRUST CSF Assessors, covered entities and business associates.
The HITRUST report – “A Look Back: U.S. Healthcare Data Breach Trends” – is publically available for download at HITRUSTalliance.net/breachreport along with an infographic of the analysis. The report includes in-depth analysis of the breach data and provides recommendations for addressing issues relating to security for endpoint devices, mobile media, paper records, business associates and physician practices.