What’s the Leading Cause of HIPAA Data Breaches? You May be Surprised

April 6, 2011

Consider that HIPAA security breaches are behavior-driven, not technology driven.

What is your biggest HIPAA Security threat? Is it some social misfit working in his mom’s basement (à la “Wolfman” in the movie “Live Free or Die Hard”), or small armies of hackers working in Chechnya or Malaysia or Mumbai? No, it’s your business and/or clinical staff, going about their normal, day-to-day functions.

A recent report from the Health Information Trust Alliance (HITRUST) shows that the biggest cause of HIPAA data breaches is theft and loss of laptops and other portable media, not hackers. The perps are most likely not after the health data; they are after the devices themselves, and your staff unfortunately makes it relatively easy for them. The critical HIPAA data just came along for the ride.

HITRUST is a national consortium of healthcare professionals that focuses on healthcare data security. It reported HIPAA Security breaches from September 2009 to June 2010, analyzing 108 reported breaches involving 3.6 million records of EPHI (electronic protected health information). The breaches were categorized according to eight different “locations” (i.e., where the EPHI was stored). These included laptops, backup tapes, network servers, desktop computers, etc. As another dimension, the report grouped the incidents into nine different “types” (i.e., how the data was lost/compromised), including theft, improper disposal, hacking/IT incident, misdirected email, etc. Combining these two categories gives a total of 72 different combinations of location x type.

The most impactful conclusion, in this author’s opinion, is that this report shows that out of these 72 combinations, the number one cause of HIPAA breaches is theft of laptops (30 percent of the total), followed by theft of removable media (11 percent of the total) and theft of desktop computers (9 percent). This means that portable devices and media account for half of all breaches. (We designate desktops as “portable” because they are located at the edge of the network, on users’ desks and other workspaces, where they are more accessible to non-authorized users. So even though desktops aren’t really “portable” to users, they are definitely portable to thieves.)

If you step back for a minute, it becomes clear that the reported HIPAA security breaches are behavior-driven, not technology-driven. The very feature that makes laptops and portable media useful - their portability - makes them the greatest risk for theft and, in turn, breaches. In addition, since laptops are more likely to be used by the most senior clinical and business-office people in a practice, those people are more likely to have wider access to EPHI. They are also more likely to have access to a greater number of patient records: they are not working on an individual patient record or account like someone in billing or scheduling; they are more likely to be running reports and dashboards covering a large number of patients/cases.

So using a HIPAA-compliant practice management or EHR software package, with robust core IT systems, is rendered meaningless if someone leaves a laptop or other portable device where it can be lost or stolen. That is what I mean by behavior-driven risks. The user(s) actually allow the threats because of the way they use the system.

Interestingly, hacking/IT incidents, which get a lot of attention and worry, accounted for less than 2 percent of the reported breaches. And theft across all locations/devices, including theft of paper records, accounts for 77 percent of all reported breaches.

So what should you as a practice administrator do to avoid ending up as another HIPAA Security breach statistic? There are a few common-sense rules to follow:

• Don’t store EPHI on a laptop, workstation or any other user device. Files and data should never be stored on local machines. They should be stored on a server and accessed over the office LAN, or, if the user is remote, over a secure Virtual Private Network (VPN) connection.
• If EPHI is stored on a laptop, it must be encrypted. The use of GPS/tracking software for the laptop, as well as remote wipe/disable capability in the case it is lost or stolen, is also strongly recommended.
• If EPHI is stored on any portable media, it should only be for a temporary period of time, and proper tracking/destruction/re-use policies should be followed for all portable media.
• Any device that stores EPHI should be kept under lock and key, with access to the physical space where they are contained restricted to authorized users.
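The first two rules above only work if you can find the EPHI that has quietly accumulated on local disks. The following script is an added example, not code from the original post or from HITRUST: a small scan a practice administrator could run on a laptop or workstation to flag text files that look like they contain protected health information (Social Security numbers, medical record numbers, dates of birth), so they can be moved to the server, encrypted, or destroyed. The indicator patterns, the file suffixes it opens, and the sample directory it builds are all constructed assumptions for illustration; a real deployment would tune them to the practice’s own record formats.

```python
"""Flag local files that look like they hold EPHI (added example, constructed data)."""
import os
import re
import tempfile

# Assumed indicator patterns; real record formats vary by practice and vendor.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|Date of Birth)[:\s]+\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}

# Only plain-text exports are opened; binaries and media are skipped.
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".json", ".xml", ".html"}


def scan_text(text):
    """Return {indicator: match_count} for the indicators present in one document."""
    return {name: len(pat.findall(text)) for name, pat in PHI_PATTERNS.items() if pat.search(text)}


def scan_tree(root, min_hits=1):
    """Walk root and return sorted (relative_path, counts) for files with >= min_hits indicators."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_SUFFIXES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    counts = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if sum(counts.values()) >= min_hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, counts))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed directory: one clean note, two PHI-like exports, one binary."""
    root = tempfile.mkdtemp(prefix="ephi_scan_")
    samples = {
        "notes/meeting.txt": "Agenda: budget review, new scheduler rollout.\n",
        "exports/patients.csv": (
            "name,ssn,mrn\n"
            "J. Doe,123-45-6789,MRN 00012345\n"
            "A. Roe,987-65-4321,MRN 00098765\n"
        ),
        "exports/report.txt": "Patient DOB: 01/02/1960 seen 2011-04-01\n",
        "exports/backup.bin": "not opened because of its suffix\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def report(findings):
    """Human-readable summary, one line per flagged file."""
    lines = [f"{path}: " + ", ".join(f"{k}={v}" for k, v in sorted(c.items())) for path, c in findings]
    return "\n".join(lines) if lines else "no EPHI-like files found"


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print(f"Scanning constructed sample tree at {sample_root}")
    print(report(scan_tree(sample_root)))
```

Run it against a user’s home directory instead of the constructed sample tree to get an inventory of what would walk out the door with a stolen laptop; every hit is a file that should either live on the server or sit on an encrypted volume.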

In summary, laptops, desktops, and portable media represent - by a wide margin - the most critical HIPAA security threats. Extra care should be taken to secure and encrypt those devices, and you should constantly train your staff on how to minimize the risks represented by those devices.

Learn more about Marion K. Jenkins and our other contributing bloggers here.