Healthcare data breaches wane in 2012

Healthcare breaches were among the most high-profile of data leakage incidents last year, but a new study in the US found that the damage is actually lessening year-over-year.

The year 2012 saw a 21.5% increase in the number of large breaches vs. 2011, but an encouraging 77% decrease in the number of patient records affected.

This reflects recent numbers from the Open Security Foundation, which found that the number of global data breaches across all verticals reached 2,644 last year, more than doubling the number of incidents in 2011. Despite the rise in frequency though, they accounted for the exposure of 267 million records – a significant improvement over the 412 million records exposed in 2011.

According to the Redspin Breach Report 2012, 67% of all breaches in the US healthcare vertical were the result of theft or loss, with hacking contributing to just 6% of incidents, both in number of breaches and number of individuals affected. A full 38% of incidents stemmed from an unencrypted laptop or other portable electronic device – and this suggests a serious issue when it comes to internal best practices for data protection.

Redspin cautions that when the new HIPAA omnibus rule is factored into the equation, organizations could have much more exposure when it comes to breach consequences. That rule widens the scope of regulation to include business associates.

Redspin said that historically, breaches at business associates have impacted five times as many patient records as those at a covered entity. In 2012, more than half (57%) of all patient records breached involved a business associate.

«We recommend hospitals conduct a specific portfolio risk analysis as it relates to the dozens or even hundreds of vendors, contractors and consultants they work with», Redspin noted.

Healthcare organizations can implement some safeguards against breaches going forward, Redspin said. For one, conduct a HIPAA Security Risk Analysis. Then, implement a regular process for ongoing vulnerability scanning and remediation, and feed those reports into IT security risk assessments. And, of course, insist on encryption of data on all portable devices: loss or theft of unencrypted portable devices has made up over a third of all large breaches to date. It would also behoove organizations to conduct regular, frequent and engaging security awareness training for all employees.

The stakes remain high, despite patient records exposure declining in 2012.

«In recent years, IT security has risen to the level of enterprise risk in many industries», Redspin said in the report. «Data breaches can cause significant financial harm, reputational damage, and loss of consumer confidence. In healthcare, that risk is not limited to an individual hospital or business associate. It is an industry-wide threat to the continued adoption of electronic health records – the foundation for improving cost efficiency, care delivery and patient outcomes within the US healthcare industry».

Comment by Senior Analyst at InfoWatch Nikolai Fedotov: «It should be clear that patient records are a hot commodity on the black market in the U.S. There could be a variety of fraud, because there is only insurance medicine in this country, ranging from simple medical treatment for others to organizing a virtual clinic with fake doctors and sham patients. Insurance companies just do not have the ability to check all occasions of medical care. They are limited to a comparison of the personal data of patients and doctors, and not even always. Neither the patients nor the doctors are interested in preventing fraud because they don't lose money. And it seems that insurance companies do not need it very much. The result is a struggle with the consequences, but no one is going to change the very system of accounting, which stimulates the manipulation of personal data».
