Keeping Data Secure: Lessons Learned from Healthcare Breach Trends
Healthcare organizations should look to laptops, mobile devices, and their business associate agreements, among other things, to avoid the risk of a breach of healthcare data, according to a recent report by the Health Information Trust Alliance (HITRUST), “A Look Back: US Healthcare Data Breach Trends.”
HITRUST performed an analysis of US healthcare data breaches affecting 500 or more individuals. The data is available because the Health Information Technology for Economic and Clinical Health Act put breach notification requirements into law in 2009.
The report found that the industry has improved slightly since breach reporting became mandatory in September 2009, but there are still unsettling spikes in the number of breaches. “While it is good news that reportable breaches do not appear to be becoming any more pervasive, the bad news is that the industry’s progress appears to be slow,” the report says.
Of the breach types most often experienced, HITRUST projected theft to be the most likely cause. The industry continues to see high numbers of breaches involving laptops, the report said, with independent physician practices and specialty clinics suffering the biggest losses related to stolen devices.
Organizations of all types continue to wrestle with breaches related to business associates (BAs), with slightly more than 30 percent of all breaches implicating a BA, HITRUST said.
HITRUST offered recommendations to healthcare organizations to mitigate their risk of breaches, including:
- Inventory the endpoint devices that employees use, and develop policies to limit the use of employees’ own personal devices unless explicitly authorized.
- Ensure that e-mail on personal devices is limited in functionality and, on mobile phones and tablets, encrypted.
- Encrypt every device that can be easily carried. Ensure non-mobile endpoints like network servers are physically secured.
- Restrict the use of unencrypted mobile media—including USB devices, CDs, and DVDs—and encrypt tapes and other media used to back up data.
- Ensure the organization has a defined process to track, store, and transport paper records so that they maintain the necessary level of security. Ensure employees are aware of proper handling procedures. Establish locked, restricted areas for paper record storage and make secure disposal easy.
- Develop programs to manage third parties and embed security evaluations along the way. Classify each BA based on the likelihood of a breach and focus on the high-risk ones. Enforce the “minimum necessary” rule by limiting BA access only to the data and systems required to conduct business.