ePHI breach trends should focus security preparedness

Tuesday, June 28, 2016

Earlier this month, Indianapolis police investigated a tip that private medical records had been dumped into a public park dumpster in the Broad Ripple area. The Indiana Attorney General is reviewing this apparent breach and working to assist impacted individuals, while the rest of us are wondering about the safety of our own private, patient health information.

Stories like the dumped records as well as the Anthem breach last year in which hackers obtained the records of more than 78 million patients has somewhat overshadowed what is really going on in the world of healthcare-related data breaches. The Anthem breach would make it seem as though the adoption of electronic health record (EHR) systems and electronic documentation systems has significantly increased the number of data breaches suffered by healthcare organizations, but the numbers point to a different trend.

Chart 1: Number of BreachesSince the passing of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, healthcare organizations covered by HIPAA that experience a breach of 500 or more patients must report it. There have been 1,591 of these reports impacting approximately 158,983,397 total patients, with the number climbing steadily each year.

Who has to report a breach? The list includes four kinds of HIPAA-covered organizations: 1) Healthcare Providers, 2) Health Plans, 3) Business Associates, and 4) Healthcare Clearing Houses. As for how the breaches occur, the main reasons include hacking; improper disposal of data; loss or theft of data; and unauthorized access. It’s important to note that HHS differentiates between hacking and loss/theft by describing hacking as electronic compromise or break-in of systems, and loss/theft as data that has been lost or stolen (e.g., loss of a laptop, theft a thumb drive, theft of a briefcase with paper records, theft of x-ray films, etc.).

Healthcare Providers are most commonly breached (70% of breaches) followed by Business Associates (17% of breaches). Healthcare Clearing Houses are the least frequently breached, having reported just 4 breaches in seven years, and Health Plan organizations such as Anthem account for only 12% of the reported breaches. So if you ignore the Anthem hacker breach, loss/theft of data is, and always has been, the top cause of breaches, accounting for almost half of all breached electronic patient health information (ePHI) as shown in Chart #2 and #3. 

Chart 2: Cause of BreachesChart 3: Cause of Breaches (minus Anthem)


What hospital IT staff need to embrace is the fact that much of this loss/theft is totally preventable and can be reduced by the right policies and procedures, such as: 

  1. creating an Inventory of your PHI & ePHI;
  2. performing a risk analysis;
  3. developing data security strategies for both paper and electronic PHI;
  4. creating an incident response plan and test it at least annually; and
  5. providing IT and data security awareness training to all staff who interact with or have access to PHI

Purdue Healthcare Advisors can help with any or all of the above.  Contact me for more information. 

George Bailey, MS, CISSP, GCIH, CHP, is an information technology security professional with more than 17 years of experience in network security, remote access, wireless security and incident response. Bailey serves as Senior Advisor – Security Services at Purdue Healthcare Advisors, where he oversees and implements security solutions for the healthcare industry. He has presented at many security-related conferences and is routinely published in academic journals. Bailey holds a Certified Information Systems Security Professional (CISSP) credential and is pursuing his doctorate at Purdue University.

Writer: George Bailey, 765-494-7538, baileyga@purdue.edu

Tags: Health IT Security

Purdue University, West Lafayette, IN 47907 (765) 496-1911

© 2014 Purdue University | An equal access/equal opportunity university | Copyright Complaints

If you have trouble accessing this page because of a disability, please contact Purdue Technical Assistance Program taphelp@purdue.edu.