Electronic Health Reporter

What follows is a nice, yet concise, infographic developed by Clearwater Compliance — an organization that helps health systems ensure patient safety and improve the quality of care by safeguarding the confidentiality, integrity and availability of protected health information (PHI) – that provides a nice overview of the current state of healthcare breaches.

Clearwater Compliance states that according to Breach Level Index, there were 336 healthcare data breaches reported in the U.S. last year; “the Office for Civil Rights portal on the HHS website cited 165 breaches affecting 500 or more individuals in 2014.”

Interesting, the organization points out that non-digital breaches remain an issue. “Paper data breaches accounted for 9 percent of compromised records in the first half of 2014 – and a surprising 31 percent in the second half. In total, nearly 200,000 paper records were compromised last year, along with nearly 60,000 pieces of individually identifiable health information ranging from lab specimens to radiology film,” wrote the Clearwater Compliance team.

Additionally, insider mistakes and malice can be costly. In breaches examined, there were 45 incidents involving insider actions that resulted in the compromise of more than 478,000 records. “That means that about half of all the incidents we studied involved either mistakes or malice by an organization’s own employees and business associates.”

Clearwater Compliance makes the case that, despite an organization’s best efforts, “it’s almost impossible to eliminate all workforce-related data breaches. But organizations can take steps to foster an atmosphere of compliance and prevention.”

Lindy Benton, CEO of MEA|NEA, recently wrote in a piece for MultiBriefs: “According to the Wall Street Journal, Forrester Research recently conducted a survey of more than 2,100 healthcare IT pros and found that only about 60 percent of them said they encrypt devices like laptops, smartphones or tablets. Also according to the research, 39 percent of healthcare security incidents since 2005 have included a lost or stolen device.

“For some additional perspective, since federal reporting requirements started, the U.S. Department of Health and Human Services has tracked major breaches (those affecting 500 people or more) and has identified more than 945 incidents affecting patients’ personal information, affecting more than 30 million people.

“A majority of these breaches are tied to theft (17.4 million people), followed by data loss (7.2 million people), hacking (3.6 million) and unauthorized access of accounts (1.9 million people), according to The Washington Post. And these numbers do not even include the Community Health Systems numbers.

“As data breaches continue to occur and sensitive patient data becomes more highly sought after, some organizations are beginning to realize the importance of the cloud and mobile storage solutions to protect their data from breach, while others are maintaining more traditional approaches of keeping their information ‘safe’ onsite,” she wrote.

According to Clearwater Compliance’ Jim Vincent, organizations needs to implement and monitor administrative safeguards, and “everyone in the organization needs to be actively engaged in self-monitoring and reporting potential incidents. All employees and business associates need to be aware of the organization’s sanctions policies – and those penalties need to be imposed quickly and consistently.”

“Some healthcare organizations are apt to congratulate themselves on getting through 2014 without a colossal data breach. But there are a host of other incidents – including paper breaches, misplaced x-rays, stolen laptops and employee snooping – that can still result in significant financial and reputational costs,” he wrote.

And he’s right.

Data breaches are now a cottage industry for healthcare and leaders need to do more than hope for the best.

Vincent goes on, providing a sound, final warning: “The main lesson from 2014 is that organizations need to continuously assess the maturity of their information risk management efforts – and to not view those initiatives as a narrow ‘HIPAA compliance’ issue.”

Benton offers some sound words, too: “Organizations can’t rely on a single approach to security or solutions to house their data, nor can they expect that they’ll always be in control of their organizational data. Also, just because data is on site doesn’t mean the organization is any less of a HIPAA risk.

“This fact won’t bring the headlines to a halt and won’t help protect data in any way, but it may help healthcare leaders realize that there are alternative approaches or solutions to where data can kept and how it is secured and managed.

“Healthcare data needs to be secured, using commonsense methods and using some heavy lifting, perhaps even up to the cloud for protection when it’s needed most.”