Redspin PHI Breach Report 2012

Breach Report 2012: Protected Health Information
February 2013
© Redspin, Inc.
Table of Contents

- Executive Summary
- By the Numbers
- Discussion of Results
- Conclusion and Recommendations
- Appendix: HIPAA Omnibus Rule Highlights

Figures and Tables:

- Table 1: Top 5 PHI Breaches, 2012
- Table 2: Total Large PHI Breaches, Records Impacted, 2010-2012
- Table 3: Total Large PHI Breaches/Records Impacted Involving Business Associates, 2010-12
- Table 4: PHI Data Breach by Source/Device
Executive Summary

A total of 538 large breaches of protected health information (PHI) affecting over 21.4 million patient records [1] have been reported to the Secretary of Health and Human Services (HHS) since the August 2009 interim final breach notification rule was issued as a part of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

To prepare for our 3rd annual Breach Report / Protected Health Information, we spent weeks reviewing the complete statistical data set of breaches reported to HHS since 2009. Based on our analysis, we've prepared an objective assessment of the overall effectiveness of the policies and controls that have been put in place to safeguard protected health information. By identifying significant trends and drawing attention to specific areas in need of improvement, we hope to help the healthcare industry improve its ability to protect patient information. That is our goal. To that end, we've included Redspin's recommendations for preventive measures and corrective action to address the most critical weaknesses.

[1] These numbers include breaches that affected more than 500 individuals and were reported to HHS from August 2009 to January 17, 2013. Those that impacted fewer than 500 individuals are also reported to HHS on an annual basis, but the specifics are not made publicly available.
By the Numbers

- 538 breaches of protected health information (PHI)
- 21,408,505 patient health records affected
- Nearly 21% increase in the number of large breaches in 2012 over 2011, but a 77% decrease in the number of patient records impacted
- 67% of all breaches have been the result of theft or loss
- 57% of all patient records breached involved a business associate
- 5X: historically, breaches at business associates have impacted five times as many patient records as those at a covered entity
- 38% of incidents were the result of an unencrypted laptop or other portable electronic device
- 63.9% of total records breached in 2012 resulted from the 5 largest incidents
- 780,000: number of records breached in the single largest incident of 2012
Discussion of Results

In recent years, IT security has risen to the level of enterprise risk in many industries. Data breaches can cause significant financial harm, reputational damage, and loss of consumer confidence. In healthcare, that risk is not limited to an individual hospital or business associate. It is an industry-wide threat to the continued adoption of electronic health records, the foundation for improving cost efficiency, care delivery, and patient outcomes within the U.S. healthcare industry.

Quite a Handful. 146 breaches of protected health information affecting 2,413,397 individuals were reported to HHS in 2012. The top 5 incidents were particularly egregious, contributing nearly two-thirds of the total number of patient records exposed during the entire year. In striking contrast to previous years, there was little similarity in the root causes among this year's "top 5" breaches. From a malicious hack, to lost back-up disks, to an email containing hundreds of thousands of patient records, these incidents highlight the breadth and complexity of the IT security challenge facing healthcare providers today.

Table 1: Top 5 PHI Breaches, 2012

Covered Entity | Individuals Affected | Type of Breach | Location of Breached Information
Utah Department of Health | 780,000 | Hacking/IT Incident | Network Server
Emory Healthcare | 315,000 | Unknown | Backup Disks
South Carolina Department of Health and Human Services | 228,435 | Unauthorized Access/Disclosure | Email
Alere Home Monitoring, Inc. | 116,506 | Theft | Laptop
Memorial Healthcare System | 102,153 | Theft | Electronic Medical Record
The hacking incident at the Utah Department of Health is of particular concern. Given the richness of the personal data that PHI contains, hackers are often mentioned as a potential threat to PHI. Yet, from 2009 to date, hacking has contributed to roughly 6% of data breaches, both in number of incidents and number of individuals affected. Many people have been surprised at this low incident rate, perhaps to the point of complacency. Others speculate that a significant number of smaller "hacks" have gone undetected. But the magnitude of the Eastern European-based attack on the State of Utah should end any complacency. The hackers exposed claims data for 780,000 Medicaid and Children's Health Plan recipients. As a result, the State IT Director was fired. Recently, a new Utah Senate bill was put forth requiring that its Department of IT Services assemble a team of experts to ensure that security "best practices" are followed. The proposed law also includes a requirement for an audit of the department every two years.

In Redspin's opinion, hacker attacks are likely to increase in frequency over the next few years. Personal health records are high-value targets for cybercriminals, as they can be exploited for identity theft, insurance fraud, stolen prescriptions, and dangerous hoaxes. We expect that the low incidence rate of hacking during the past few years was the calm before the storm. It is crucial for healthcare providers to "up their game" when it comes to security defenses. The proposed Utah state law cites best practices but is short on specifics. We'd recommend every health provider conduct an annual IT security risk analysis and implement even more frequent penetration testing and vulnerability assessments.

Some Signs of Improvement. In 2012, the incidents of large PHI breaches increased by nearly 21%. However, it's not all bad news. The corresponding total number of patient records impacted dropped dramatically, a 77% decrease year over year. While 146 breaches affecting over 2.4 million people might not sound like success, it is a significant improvement.
Table 2: Total Large PHI Breaches and Records Impacted, 2010-2012

PHI Breaches Affecting > 500 Individuals | 2010 | 2011 | 2012
Total # of Incidents Reported | 258 | 121 | 146
Total # of Patient Records Impacted | 8,313,517 | 10,684,591 | 2,413,397

We believe the privacy and security safeguards envisioned in the HITECH Act, implemented and enforced by HHS, CMS and OCR, and recently codified in the HIPAA Omnibus Rule are having a positive impact. Consider the number of covered entities that conducted a HIPAA Security Risk Analysis in the latter half of 2011 and throughout 2012. Redspin alone helped nearly 100 hospitals meet the security risk analysis requirement of Meaningful Use Core Measure 14.

During the same time period, OCR began to wield its enforcement authority, publicly announcing several high-profile investigations that resulted in breach resolution agreements. Financial penalties have been assessed per the increased levels under the interim Breach Rule. OCR also launched its HIPAA Audit Program and, although they audited only about 100 covered entities, the possibility that any covered entity could be on their future audit list brought the program home to all. As one hospital CIO said to us: "We'd rather have OCR come in and do their audit after Redspin has helped us conduct a security risk analysis, so they can see we haven't been standing still."

Indeed, the requirement to conduct periodic security risk analysis has been a Federal regulation since the HIPAA Security Rule's compliance date in 2005. Standing still is no longer an option. The HITECH Act, Meaningful Use, and now the HIPAA Omnibus Rule have all brought the issue of IT security into sharper focus.

As we move toward realizing the full promise of electronic health record (EHR) technology, the need for IT security in healthcare has never been so great. When the authors of the HIPAA Security Rule recommended periodic security risk analysis, the pace of change in healthcare network infrastructure, applications, devices and workflow might have only warranted periodic check-ups. In addition, the threat landscape was much different then. The highest risk to healthcare records was loss from fire or water damage. Even the highest concentrations of paper files stored in archive facilities did not approximate the amount of PHI that can today reside on a single thumb drive.

Today's challenges call for new ways of thinking about traditional HIPAA risk assessments. IT security is a process, not a project. A successful security program is a repetitive cycle of thorough testing, reports of findings, remediation, and retesting. For some aspects of an IT security program, such as policies and procedures, an annual review will be sufficient. But to protect against new or emerging threats, monthly or quarterly vulnerability scanning, threat management, and remediation will be needed.

A successful security program must also involve employees and business partners. All employees need to be engaged in building a culture of security, a process of internal training, daily reminders, and visual workplace cues. Lastly, the responsibility for PHI security now extends outside the organization. While the Omnibus Rule extends compliance with HIPAA security provisions and direct civil liability for breach to business associates and their vendors, covered entities still retain their obligation to ensure that their business associates are safeguarding PHI effectively.

Omnibus Arrives – Just in Time?

As mentioned above, both covered entities and business associates (BAs) now stand more or less on equal footing (at least from the regulatory standpoint) regarding their responsibility to safeguard PHI from breach. Over the past few years (or perhaps even from the beginning of time), this is an area that has suffered from "woeful neglect," so to speak. As we have said publicly, "Hospitals clearly need greater visibility and control over how their business partners protect the privacy and security of confidential patient data."

The statistics do indeed bear this out. Since late 2009, 57% of all patient records involved in large-scale PHI breaches have involved a business associate. In raw numbers, that's 12,110,729 individuals!
Table 3: Total Large PHI Breaches/Records Impacted Involving Business Associates, 2010-12

Year | Incidents Involving BA | Total Breach Incidents | % Involving BA | Records Impacted by BA Incidents | All Records Impacted by Breaches | % Involving BA
2010 | 51 | 258 | 19.8% | 4,136,397 | 8,313,517 | 49.8%
2011 | 31 | 121 | 25.6% | 7,078,890 | 10,684,591 | 66.2%
2012 | 22 | 146 | 15.1% | 895,442 | 2,413,397 | 37.0%
Total | 104 | 525 | 19.8% | 12,110,729 | 21,411,505 | 56.6%

It was against this backdrop that the long-awaited HIPAA Omnibus Rule was publicly announced and published in the Federal Register on January 25, 2013, with an effective date of March 26, 2013 and a compliance date of September 23, 2013.

Although promoted as "the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented," much of the Omnibus Rule is similar to interim regulations published in 2010-2011 as authorized under the 2009 HITECH Act. However, the extension of the responsibility for safeguarding PHI to business associates and their subcontractors is indeed a sea change. Not only must BAs now comply with the HIPAA Security Rule just like their covered entity partners, but they can also be held directly and civilly liable for PHI breach.

This is a good (albeit late) start, but the next steps are even more vitally important. Compliance regulations lose steam over time unless they are aggressively enforced. OCR, though well-intentioned, has a long way to go before they can be in a position to audit any business associates. At best, we'll continue to see some high-profile business associate breach penalties announced in the press. Such negative PR is attention-grabbing but fleeting; it too wanes over time unless there is a consistent driver for maintaining compliance and improving security.
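The aggregates behind Tables 2 and 3 (and the "5X", theft-or-loss, portable-device and top-5 figures in By the Numbers) can be reproduced from the public HHS breach-portal export, which has one row per reported breach. The following is an added example and is not Redspin's code or methodology: the Breach column names, the eight SAMPLE rows and the "Entity A" through "Entity H" names are constructed for illustration and do not correspond to real breach reports.

```python
"""Reproduce this report's breach aggregates over HHS-portal-style rows.

Added example (not Redspin's code). Column names and all SAMPLE rows are
constructed for illustration; they are not real breach reports.
"""
from collections import Counter, defaultdict
from typing import Callable, Iterable, List, NamedTuple


class Breach(NamedTuple):
    covered_entity: str
    year: int
    individuals: int      # "Individuals Affected"
    breach_type: str      # "Theft", "Loss", "Hacking/IT Incident", ...
    location: str         # "Laptop", "Paper", "Network Server", ...
    ba_involved: bool     # "Business Associate Present"


# Constructed sample rows (not real breach reports).
SAMPLE: List[Breach] = [
    Breach("Entity A", 2011, 500_000, "Theft", "Laptop", True),
    Breach("Entity B", 2011, 10_000, "Loss", "Paper", False),
    Breach("Entity C", 2012, 780_000, "Hacking/IT Incident", "Network Server", False),
    Breach("Entity D", 2012, 200_000, "Unauthorized Access/Disclosure", "Email", False),
    Breach("Entity E", 2012, 100_000, "Theft", "Laptop", True),
    Breach("Entity F", 2012, 5_000, "Theft", "Other Portable Electronic Device", False),
    Breach("Entity G", 2012, 1_000, "Loss", "Paper", False),
    Breach("Entity H", 2012, 600, "Theft", "Desktop Computer", True),
]

PORTABLE_LOCATIONS = {"Laptop", "Other Portable Electronic Device"}


def yearly_totals(records: Iterable[Breach]) -> dict:
    """{year: (incident count, individuals affected)}, the two rows of Table 2."""
    incidents: dict = defaultdict(int)
    people: dict = defaultdict(int)
    for r in records:
        incidents[r.year] += 1
        people[r.year] += r.individuals
    return {y: (incidents[y], people[y]) for y in sorted(incidents)}


def yoy_change(records, prior: int, current: int):
    """Relative change in incidents and in records between two years."""
    totals = yearly_totals(records)
    (i0, n0), (i1, n1) = totals[prior], totals[current]
    return (i1 - i0) / i0, (n1 - n0) / n0


def share_of_incidents(records, predicate: Callable[[Breach], bool]) -> float:
    """Fraction of incidents for which predicate holds (theft/loss, portable, ...)."""
    rows = list(records)
    return sum(1 for r in rows if predicate(r)) / len(rows)


def ba_share(records):
    """(share of incidents, share of records) involving a BA, as in Table 3."""
    rows = list(records)
    inc = share_of_incidents(rows, lambda r: r.ba_involved)
    rec = sum(r.individuals for r in rows if r.ba_involved) / sum(r.individuals for r in rows)
    return inc, rec


def ba_impact_ratio(records) -> float:
    """Mean records per BA incident divided by mean per non-BA incident (the "5X")."""
    rows = list(records)
    ba = [r.individuals for r in rows if r.ba_involved]
    non_ba = [r.individuals for r in rows if not r.ba_involved]
    return (sum(ba) / len(ba)) / (sum(non_ba) / len(non_ba))


def top_n_share(records, year: int, n: int = 5) -> float:
    """Fraction of a year's affected individuals from its n largest incidents."""
    sizes = sorted((r.individuals for r in records if r.year == year), reverse=True)
    return sum(sizes[:n]) / sum(sizes)


def location_breakdown(records):
    """[(location, count, percent)] largest first, the layout of Table 4."""
    counts = Counter(r.location for r in records)
    total = sum(counts.values())
    return [(loc, c, round(100 * c / total, 1)) for loc, c in counts.most_common()]


if __name__ == "__main__":
    print("Per year:", yearly_totals(SAMPLE))
    print("2011 -> 2012 change (incidents, records):", yoy_change(SAMPLE, 2011, 2012))
    print("BA share (incidents, records):", ba_share(SAMPLE))
    print("BA impact ratio:", round(ba_impact_ratio(SAMPLE), 2))
    print("Theft/loss share:", share_of_incidents(SAMPLE, lambda r: r.breach_type in ("Theft", "Loss")))
    print("Portable-device share:", share_of_incidents(SAMPLE, lambda r: r.location in PORTABLE_LOCATIONS))
    print("Top-5 share, 2012:", round(top_n_share(SAMPLE, 2012), 4))
    for row in location_breakdown(SAMPLE):
        print(*row)
```

Pointing the same functions at the real export (a CSV with the portal's column names mapped onto Breach) is a one-line change in how SAMPLE is built; the point of keeping the aggregates as small pure functions is that each table in the report becomes a reproducible, checkable computation rather than a number to take on trust.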
So where will improvements in this critical area come from, if at all? Redspin believes that true collaboration between covered entities, business associates, vendors, law firms, and expert security firms will be essential to building a truly secure "chain of PHI custody" with consistent safeguards at every point. Like most challenges to improve the common good, covered entities and BAs should accept joint responsibility and accountability, as they are both vested in the same positive outcome.

Easy for us to say! But we are not just talk. Redspin has put together a Business Associate Risk Assessment service, including a methodology that helps hospitals evaluate the internal controls of their business associates while building a risk model to determine overall exposure. It serves to initiate a mutually beneficial exercise, as hospitals and BAs can then openly discuss process improvements using a common framework and with the shared goal of protecting PHI.

Going Mobile

In last year's report, we noted that 39% of all PHI breaches had occurred on a laptop or other portable device, the easiest type of device for thieves to steal or employees to lose. That trend continued in 2012 (37.7% of total) and we continue to fear the situation is going to get worse before it gets better. What was unusual just 18 months ago in healthcare organizations is now routine. Smartphones, iPads, and other BYOD computing devices now enter the healthcare workplace daily, and go home at night. Forrester Research reports that 37% of information workers are using BYOD at work before policies are even in place.

CMS has included a specific call-to-action in Stage 2 meaningful use that reemphasizes the "addressable" requirement in the HIPAA Security Rule governing the encryption of data-at-rest. Why not make this mandatory, at least on portable devices? Stricter policies and more encryption are clearly called for. We suspect the "wiggle room" in the HIPAA Security Rule was kept intact by CMS, rather than risk that a stricter encryption requirement would delay the pace of Stage 2 attestation.
BYOD just makes it worse. With BYOD, the users need to have more say in the matter. Owning the device creates both legal and psychological differences regarding usage. Employers and employees must work towards truly mutually acceptable policies, or there is a risk that employees will just do what they want. No one has found the ideal solution yet. With Redspin's mobile device security assessments, we offer a methodology that enables IT management to have increased engagement with their healthcare workers and get their buy-in, while deploying simpler encryption methods and offering more security awareness training. We think this approach has the best chance of success, but ultimately, it will be the future breach statistics that tell the tale.

Table 4: PHI Data Breach by Source / Device

Source / Device | Pre-2012 | % | 2012 | %
Laptop and other portable device | 151 | 39.2% | 55 | 37.7%
Paper | 92 | 23.9% | 31 | 21.2%
Computer | 56 | 14.5% | 20 | 13.7%
Server | 38 | 9.9% | 15 | 10.3%
Other | 18 | 4.7% | 18 | 12.3%
Email | 7 | 1.8% | 4 | 2.7%
Electronic Health Record | 6 | 1.6% | 2 | 1.4%
X-Ray | 5 | 1.3% | 0 | 0%
Back-up Tapes | 4 | 1.0% | 1 | 0.7%
Hard Drives | 3 | 0.8% | 0 | 0%
Mail, Postcards | 3 | 0.8% | 0 | 0%
CD | 2 | 0.5% | 0 | 0%
Total | 385 | 100% | 146 | 100%

Another area to keep a close watch on is unauthorized access. The 3rd largest breach in 2012 occurred at the South Carolina Department of Health and Human Services when an employee (now ex-employee) emailed himself 228,000 patient records. Malicious hackers are not the only group to realize the value of a stolen health record when used for illegal purposes; it may be your own employees. Incidents of insider threat are on the rise and can only be prevented by a comprehensive security program: not a once-a-year risk assessment but an integrated program of policies, controls, technical safeguards, organizational accountability, enforcement, training, and leadership.

Conclusions and Recommendations

Four years ago, the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addressed the privacy and security concerns associated with the electronic transmission of health information through several provisions that strengthened the civil and criminal enforcement of the HIPAA rules.

Those provisions have been put into effect through a series of interim rules and enforcement actions, ultimately culminating with the recent publication in the Federal Register of the HIPAA Omnibus Rule. While reserving comment on the piecemeal implementation of privacy and security rules, the 4-year anniversary of HITECH seems a good time to assess how well those provisions have been working. Most importantly, with the Omnibus Rule now in place, let's look at the most significant security challenges that lie ahead.

While the authors of the HITECH Act foresaw the need to strengthen HIPAA privacy and security as an essential and concomitant element of achieving meaningful use of health information technology, they clearly underestimated the complexity of the task. The breach tally speaks for itself: 538 large-scale PHI breaches impacting over 21 million patients, and an additional estimated 60,000 smaller breaches affecting millions more, reported to HHS since the Fall of 2009.

So what went wrong? First, IT security is complicated because today's technology world is incredibly dynamic, and the number of endpoints too great. Such hyper-connectedness can lead to a single change creating a multiplicity of new vulnerabilities, oversights, or mistakes. IT security can't simply be legislated or completely enforced. Policies and enforcement play an important role, but like good parenting, they don't guarantee results.

In HITECH, the Interim Breach Rule, and the Omnibus Rule, much of the focus was put on breach reporting, and indeed, that reporting is an essential part of patient/consumer protection. Patients have a right to know if their confidential health information has been inappropriately disclosed or exposed. But such notifications are, after all, after the fact. Patients also have the a priori right to trust that their health information is being appropriately safeguarded. This is why Redspin tells our clients: "Sure, we'll help you meet or maintain HIPAA compliance or attest to Meaningful Use, but our real goal is to help you safeguard PHI from data breach."

Since the accelerated deployment of IT in healthcare began, we've stressed that security is a foundational element for its successful implementation and adoption. Legislation, programs, policies, or controls that are intended to drive improvements in security must first recognize that effective security is about lowering risk. The aim is not to find and fix all vulnerabilities or eradicate every threat. The goal is to reduce the likelihood of occurrence and limit the potential damages of breach.

Looking backward is only useful to the extent it can help better inform our future direction. Starting back in 2009-2010, the healthcare industry was asked to change. Hospitals and other eligible providers were offered huge financial incentives to do so. EHR systems were deployed; providers were encouraged to show "meaningful use" of those systems quickly. Conducting a HIPAA security risk analysis was required under the EHR incentive program, and many interpreted this requirement as pertaining just to the EHR and systems directly connected to the EHR.

The problem is that once electronic health records were born, they were bound to find their way onto other devices, into other applications, and even be transmitted to other places. The proliferation of portable devices and media within all IT environments that store PHI increases the likelihood of breach exponentially. How many providers included their internal applications in their last HIPAA Security Risk Analysis? How many security assessments of business associates were included in the covered entity's HIPAA Risk Analysis? Most BAs were not prepared for the responsibility they assume simply by being in possession of PHI, and still aren't.

And what about healthcare workers? Few healthcare employees outside of IT could tell you what their corporate IT security policies are, much less how those actually pertain to their email, laptop, or personal iPhone. Would the average healthcare employee know how to encrypt "data-at-rest"? Was the level of IT security awareness of employees who had access to PHI considered in a HIPAA Security Risk Analysis?

These are tall tasks, underestimated four years ago and urgently needed now. We want to help drive the changes necessary in healthcare IT security so that PHI breaches are a rare exception, rather than a once-a-week news story. In the beginning of this report, we promised recommendations, and here they are. Remember, we advocate that your mindset be about lowering risk. Focus on reducing the likelihood of PHI breach occurrence and limit the potential damages of those breaches.

First, conduct a HIPAA Security Risk Analysis (HSRA). It is just the starting point... but get started! Redspin preaches that security assessments are not projects but rather part of a continuous process of durable improvements. As such, we believe HSRAs should be conducted annually, or at the very least every two years. While a comprehensive security assessment has a shelf life, you'll be far more secure if you also assume there is an expiration date.

Second, implement a regular process for ongoing vulnerability scanning and remediation, and integrate those reports into your IT security risk assessments. Don't wait for the HSRA cycle to come around again before doing the vulnerability scanning; use a monthly or quarterly schedule so that you can compare results and see what you've fixed, what you haven't, and what new vulnerabilities may have arisen. If you don't have the resources to do this yourself, Redspin has an automated service that can do it for you.
Third, insist on encryption of data on all portable devices. Just do it! Loss or theft of unencrypted portable devices has made up over a third of all large breaches to date. We recognize that there are still significant hurdles: clumsy technology, budgetary constraints, and user-training needs. As painful as they may be, they don't compare with the pain of a major breach incident due to a lost device chock full of PHI. The costs of forensics, reparations, attorneys' fees, an OCR investigation/civil penalty, potential class action lawsuits, and negative publicity can easily run into millions and millions of dollars. Encryption also changes the regulatory outcome: under HHS's guidance on rendering PHI unusable to unauthorized individuals, data encrypted in line with the referenced NIST standards is not "unsecured PHI," so the loss of a properly encrypted device whose key was not compromised does not by itself trigger breach notification. That protection only holds if the key is not stored on or with the device, so require pre-boot authentication, escrow recovery keys centrally, and be able to prove from inventory records that the lost device was in fact encrypted.

Fourth, business associates have accounted for 57% of all patient records breached since we started the tally. We recommend hospitals conduct a specific "portfolio" risk analysis as it relates to the dozens or even hundreds of vendors, contractors, and consultants they work with. Ultimately, the hospital has every right to insist that their partners conduct regular, third-party security assessments as a requirement of doing business together. Covered entities and business associates need to work together to fix this problem.

Last but not least, conduct regular, frequent and engaging security awareness training for all employees. This requirement has been included in every breach resolution agreement negotiated between OCR and an offending covered entity. All employees should understand not just the policies and procedures per se but also why those provisions are in place, given what's at stake. Situational training is a must: test people on what they would do in specific situations. Implement hotlines, place posters on walls, screensaver reminders, and monthly tips. Every dollar spent on educating your employees on privacy and security awareness is an investment in your organization's future success.
Appendix: HIPAA Omnibus Rule Highlights: Business Associates, Civil Penalties, Breach Notification

On January 17, 2013, the U.S. Department of Health and Human Services (HHS) released its final Omnibus Rule, which implemented the increased HIPAA privacy and security provisions of the HITECH Act (2009) and the Genetic Information Nondiscrimination Act of 2008 (GINA). The rule was published in the Federal Register on January 25, 2013, with an effective date of March 26, 2013. Compliance for both Covered Entities and Business Associates is required by September 23, 2013 (180 days from the effective date).

The three provisions of the Omnibus Rule that are most relevant to this paper are the expansion of the privacy and security rules with regard to Business Associates, the increase in penalties for non-compliance, and a new standard for determining whether there has been a breach of protected health information (PHI).

Expansion of Privacy and Security Rules with regard to Business Associates

The Omnibus Rule extended and expanded the definition of business associates. The term business associate now applies equally to a subcontractor of a business associate, and that subcontractor must comply with parts of the regulations in its own right. In addition, the business associate definition was expanded to include health information organizations, e-prescribing gateways, and other entities that provide data transmission services that require access to PHI on a routine basis, and entities that offer a personal health record product.

All business associates are now required to implement HIPAA compliance initiatives and measures.

Increase in Penalties for Non-Compliance

The Omnibus Rule employs the civil monetary penalty structure in the HITECH Act, wherein higher or lower penalties are assessed based on levels of culpability. Note that these civil penalties apply to covered entities and now to business associates equally (as per above). The penalties are structured into the following tiers:

- If the covered entity or business associate did not know and could not have known about the violation, the penalty is between $100 and $50,000 per incident
- If the covered entity or business associate acted with "reasonable cause" (the CE or BA knew or would have known through reasonable due diligence that an act or omission would violate the rules, but did not act with "willful neglect"), the penalty is $1,000 to $50,000 per incident
- If the CE or BA acted with willful neglect but instituted successful corrective measures within 30 days, the penalty is $10,000 to $50,000 per incident
- If the CE or BA acted with willful neglect and did not institute successful corrective measures within 30 days, the penalty is $50,000 per incident
- All levels include an aggregate annual cap of $1.5 million for violations of identical provisions
New Standard for Determining Whether a PHI Breach Requires Notification

Previously, the determination of whether a PHI breach would require notification was based on the so-called "harm standard," an assessment of the risk that the breach would cause financial, reputational, or other harm to an individual. The Omnibus Rule does away with the harm standard and instead states that a breach is presumed to require notification unless it can be determined through a risk assessment that there is a low probability that PHI has been compromised by the unauthorized use or disclosure. HHS comments that it expects the risk assessments to be thorough, conducted in good faith, and documented, and that their conclusions should be reasonable.

The exact language is contained in paragraph (2) of the definition of "breach" in 45 C.F.R. § 164.402:

"Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;
(iii) Whether the protected health information was actually acquired or viewed; and
(iv) The extent to which the risk to the protected health information has been mitigated."