Here’s a prediction for you: 2013 will be the Year of the Healthcare Data Breach. Just like 2012, 2011, and 2010. Yeah, I’m not going out a limb on this one.
An impressive migration from paper to electronic health records (EHR) is well underway in the U.S., encouraged by billions in federal incentive payments for hospitals and private practices implementing EHR. One of the major features of the federal push is to ensure the privacy and security of records, through compliance with HIPAA Privacy and Security rules and the 2010 HITECH rules on reporting health care data breaches involving over 500 patients.
Since 2010, over 21 million health records have been breached in 495 recorded breaches, according to a study released in December by the Health Information Trust Alliance (HITRUST). The report and an accompanying infographic — and who doesn’t like infographics? — can be found here. Interestingly, 24% of the breaches involved paper records — but those accounted for only 4% of the total records breached. Electronic records may or may not be held more securely than paper, but it is a lot easier for large numbers of records to leak electronically than on paper.
The most likely ways that your medical information is likely to leak is via a laptop or mobile media (e.g., backup tape or portable hard drive or usb drive.) While only 16% of breaches involved mobile media, they accounted for 51% of the total records breached. About a quarter of the breaches involved laptop computers — usually stolen — accounting for 12% of the breached records.
The truly depressing thing about these statistics is that they reflect either carelessly or simply a lack of priority for keeping your medical information confidential. Consider that under the rules if a laptop’s hard drive or mobile media were encrypted, none of these would be considered a data breach. Laptop and mobile media encryption are readily available, and in many cases it just requires checking a box in a backup program or implementing free or low cost encryption one time on a laptop — this can be done before it’s even given to the computer user.
At the beginning of this month the Los Angeles Times published a story about a husband and wife who expanded their paper medical records labeling business to storing electronic records for Kaiser Permanente in California. About 300,000 hospital records ended up being stored on a hard drive sitting in the Dean’s home. In another incident involving the Deans, the Times reports:
The California Department of Public Health has already determined that Kaiser “failed to safeguard all patients’ medical records” at one Southern California hospital by giving files to Stephan and Liza Dean for about seven months without a contract. The couple’s document storage firm kept those patient records at a warehouse in Indio that they shared with another man’s party rental business and his Ford Mustang until 2010.
The story is worth noting not only because of its amazing details, but also because it shows that lax practices relating to health record security exist in the largest of health care institutions, too.
As far as 2013 is concerned, technology trends bode for things getting worse before they get better. The dramatic increase in mobile devices, especially tablets like the iPad, is creating demand to access your health records from consumer-oriented devices designed with much less emphasis on security than traditional laptops. The other big trend in mobile devices is BYOD — bring your own device — where individual clinicians and employees use their own devices rather than tablets or phones purchased and managed by the medical practice itself.
While many focus on the traditional idea of confidentiality with respect to health records, there are also other elements to be considered. In addition to confidential health information, health records include a variety of information — birth date, social security number, even credit card information — that make them a prime target for identity theft. This, along with potential for financial insurance fraud, easily creates a profit motive for stealing health record information.
Never less, the HITRUST report reinforces that lax practices are more likely than nefarious criminals to breach your information. Fully 50% of the reported breaches were accidental, only 13% were labeled intentional. Only 6% of breaches were due to hacking. Theft accounts for a lot of breaches, but my guess is that given the large numbers of laptops and mobile data storage devices involved, the majority of those likely were thieves after shiny new laptops and not health records per se (another reason why readily available encryption is so important.)
The federal government is aware of these trends and is beginning to ramp up its efforts a bit. On January 2, 2013 they announced a $50,000 fine for a north Idaho hospice, the first ever for a data breach involving fewer than the 500 record threshold included in HITECH. The Office of Civil Rights (OCR), charged with enforcement of HIPAA, has said recently that there will be more fines and audits in the future.
Still, there is a long way to go. The Washington Post, also published in December a year long investigative report with the headline, “Health-Care Sector Vulnerable to Hackers, Researchers Say.” The article exposed problems with health records software, lax security practices, vulnerable devices, and regulators unable to keep up with it all. There’s a lot of disturbing detail in the article, but it’s summed up pretty well here:
“I have never seen an industry with more gaping security holes,” said Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University. “If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.”
Reading through all this — and I could bore you with lots more examples — it certainly shows that healthcare has a lot of work to do. This is especially true when you realize that the next big “push” after electronic health records implementation will be implementation of secure Health Information Exchange (HIE). HIE’s benefits future benefits could include reducing duplicate lab tests when you go to a new doctor, making available vital information if you end up in an emergency room, and providing information to improve the efficiency and quality of health for communities. But as health information begins to routinely move across healthcare providers, the challenges of ensuring the security and confidentiality of health records will only increase.
So, maybe if we do start now, perhaps 2014 won’t be the year of the healthcare data breach, too. But it seems more likely that these incidents will take on the same routine ho-hum feeling that we’ve grown accustomed to in reading story after story, week after week, about millions of credit card records being leaked or hacked. It’s up to us each as healthcare consumers — and for those of us who are IT professionals — to make our voice heard and ensure that doesn’t happen.
[UPDATE]: On Thursday January 17th HHS issued a major update to the HIPAA and HITECH rules. You can read the announcement here and a pdf of the entire document is available here prior to its publication in the Federal Register next week.
The new rules are said to increase protection of health information and update the original HIPAA Privacy and Security Rules, as well as incorporating the later Genetic Information Nondiscrimination Act (GINA) and the HITECH rules.
Changes included in the new rules include:
- increased penalties for violations
- increased protection of genetic information
- specifying liability of business associates (contractors) for protecting information
- modifying rules for use of patient information for fund raising and marketing purposes
- patients paying cash can specify they do not want information shared with their health plan