Just do it. No pain, no gain. Pay me now or pay me later.
“We understand it can be painful to implement and enforce encryption but it’s less painful than a large breach costing millions of dollars.”
Ouch, that hurts.
Summary article by Susan D. Hall in FierceHealthIT.
Emphasis in red added by me.
Brian Wood, VP Marketing
PHI breaches up 138% in 2013
More than 7 million patient records were breached last year, an increase of 138 percent from 2012, according to a report from IT security audit firm Redspin.
The report analyzes breaches reported to the U.S. Department of Health & Human Services and identifies trends and highlights areas most in need of improvement.
A single incident–the theft of four desktop computers from Downers Grove, Ill.-based Advocate Medical Group–exposed more than 4 million records. Stolen devices also accounted for the second- and third-largest breaches; all three involved unencrypted data. For the past three years, Redspin has cited unencrypted data on mobile devices as one of the highest risks to personal health information (PHI).
There has been a sense that by requiring security assessments to qualify for Meaningful Use incentives and by bolstering enforcement, the government was driving real progress in protecting PHI, Daniel W. Berger, Redspin’s president and CEO, says in an announcement. He adds that the numbers, though, “caught a lot of people by surprise.”
Yet, “many HIPAA security risk assessments only graze the surface,” he says. “It is essential that your scope be both broad and deep. The goal is not simply to complete a compliance checklist; it is about safeguarding PHI. That takes organization commitment and investment. Vigilance must be institutionalized.”
The HHS’ “wall of shame” saw a lot of action in January–more than 70 health data breach incidents affecting more than 500 people were added. The HHS site lists 804 breaches that affected 29.3 million people since September 2009.
Meanwhile, 82 percent of health IT executives in a recent survey said their technology infrastructure is “not fully prepared for a disaster recovery incident.” Nearly one in five (19 percent) global healthcare organizations experienced a security breach in the last 12 months at a cost of $810,189 per incident, according to results of the MeriTalk survey.
Redspin Reports on the “State of Healthcare IT Security”
The migration from paper-based files to electronic health records (EHR) is well underway. According to industry sources, the number of hospitals that have adopted EHR systems has tripled in the past 3 years. Nearly all health providers have registered for the Federal government’s “Meaningful Use” program – established per the 2009 HITECH Act – which provides monetary incentives based on the adoption, implementation rate, and security of electronic health records.
Yet Redspin reports that nearly 30 million Americans have had their personal health information breached or inadvertently disclosed since 2009. In 2013 alone, 199 incidents of breaches of PHI were reported to HHS impacting over 7 million patient records, a 138% increase over 2012.
“I think the 138% increase in patient records breached caught a lot of people by surprise,” said Daniel W. Berger, Redspin’s President and CEO. “There was a sense that the government’s ‘carrot and stick’ approach – requiring HIPAA security assessments to qualify for meaningful use incentives and increasing OCR enforcement initiatives – was driving real progress.”
“IT security is a complex task,” continues Berger. “Many HIPAA security risk assessments only graze the surface. It is essential that your scope be both broad and deep. The goal is not simply to complete a compliance checklist; it is about safeguarding PHI. That takes organization commitment and investment. Vigilance must be institutionalized.”
In 2013, a single incident – the theft of four desktop computers from an office at Advocate Medical Group – may have exposed over 4 million records alone. The second and third largest breaches were also caused by theft. In each case, unencrypted laptops containing hundreds of thousands of records were stolen. For the past 3 years, Redspin has cited the lack of encryption on portable devices as one of the highest risks to PHI. “It’s only going to get worse given the surge in the use of personally-owned mobile devices at work,” adds Berger. “We understand it can be painful to implement and enforce encryption but it’s less painful than a large breach costing millions of dollars.”
A copy of the full Redspin report can be downloaded here: http://www.redspin.com/