Written by Simon Kang and Daniel Chung

Although the Health Insurance Portability and Accountability Act (HIPAA) has been in force since 1996, data breaches still occur frequently in the healthcare industry. According to the HHS.org web site, there were 1,083 breaches of unsecured protected health information affecting 500 or more individuals each between July 2009 and July 2014. The number of individuals affected by those breaches exceeded 33 million over that period.

Redspin’s 2013 Breach Report shows that theft was the largest cause of Protected Health Information (PHI) breaches by an overwhelming margin. Stolen devices made up over 45% of incidents reported and accounted for 83.2% of the patient records that were breached, as shown below.

Cause of Breach        # of breaches   % of total breaches   # of records   % of total records
Theft                  90              45.2%                 5,905,595      83.2%
Other                  26              13.1%                 320,314        4.5%
Unauthorized Access    44              22.1%                 313,353        4.4%
Improper Disposal      8               4.0%                  288,167        4.1%
Loss                   19              9.5%                  150,282        2.1%
Hacking IT Incidents   12              6.0%                  118,394        1.7%
Total                  199             100%                  7,906,105      100%

(source: Breach Report 2013: Protected Health Information (PHI), www.redspin.com)

In Ponemon Institute’s Fourth Annual Benchmark Study on Patient Privacy & Data Security in 2014, 49% of respondents named lost or stolen computing devices as the largest cause of PHI breaches in 2014. Respondents were allowed to make more than one choice; the other categories were unintentional employee action (46%), third-party snafu (41%), criminal attack (40%), technical systems glitch (32%), malicious insider (12%), and intentional non-malicious employee action (8%).

As the two studies show, lost or stolen computing devices are the biggest threat to PHI. The situation is made worse by the widespread acceptance of personal mobile devices such as laptops, tablets, and smartphones for work use. Employees can also freely access confidential data in cloud storage systems over the internet. While this is more convenient and saves the cost of company-issued devices, it also means that a great deal of confidential data is now pulled from the cloud onto personal mobile devices and laptops, where it travels wherever the device goes.

Even though employees are given a lot of freedom to use confidential data on many different platforms, many believe that employees themselves are one of the largest data security risks. In the SANS October 2013 Inaugural Health Care Survey, 65% of respondents identified the risk posed by negligent insiders as their biggest concern, and 39% ranked mobile devices and media as their fourth biggest concern. Although this result differs from the previous two surveys, it is apparent that mobile devices, together with negligent workers, are among the biggest threats to data security.

These studies show that the device, the user, and the data must all be carefully managed and protected in order to prevent breaches. Data breaches can be significantly reduced by using technology such as encryption, by regulating user access rights, and by managing devices, all of which contribute to a safer environment. Full protection requires the right technology and regulations to be implemented and the data to be protected throughout its entire life cycle, so that it is secured at every stage of its existence.
