When dealing with a seemingly overwhelming problem, care should be taken to ensure that resources are used most effectively by addressing the causes that have the biggest impact on the issue. Take the case of HIPAA breaches of medical records. Since February of 2010, 26.8 million individuals in the United States have been impacted by a data breach. There are multiple potential causes that could result in these data breaches. So, where should efforts be directed to be most effective?
Looking at actual events and determining the probability of different types of failure can better direct your solutions, even if your organization hasn’t personally experienced a data breach. We do this in a proactive Cause Map, which lays out the potential causes and, when data is available, determines the relative probability of each contributing cause. Luckily for us, this analysis has already been performed for data breaches reported to the HHS since February 2010. Here we use the breach analysis and graphs created by the medical software research resource Software Advice in a recent report on the subject.
The biggest cause of patient data record breaches is theft. Theft accounts for at least 48% of breaches. (There were also incidents described as combination, other or unknown, which may also involve theft.) As an example, a health insurance provider lost nine server drives that included information for 1.9 million people, two years after a portable disk drive was stolen that included personal data for 1.5 million members. (View our analysis of patient data breaches caused by theft in our previous blog.)
The next largest cause of patient data breaches is unauthorized access, which accounts for 18% of data breaches. In addition to the other goals that are impacted, these breaches have the potential to result in disciplinary action against employees. These events may involve outside contractors, or “Business Associates” (BAs). BAs are involved in 22% of incidents, but account for 48% of the individuals impacted by data loss. An example of a patient data breach caused by an outside contractor is the case in which the records of 20,000 patients were posted online by a contractor. (View our analysis of this data breach in our previous blog.)
Loss accounts for 11% of patient data breaches. This includes the largest patient data breach of the period covered, when a TRICARE BA (contractor) lost backup tapes, impacting the records of nearly 5 million patients. Improper disposal, such as when a shredding company abandoned the records of 277,000 patients in a public park, accounts for 5%. Hacking occurred in 6% of breaches, such as when the servers at the Utah Department of Health were broken into and records for almost 800,000 people were stolen. (The remaining events are classified as a combination of the above, other, or unknown.)
The HIPAA Omnibus Rule clarified liability for Business Associates and subcontractors, which should serve to reduce their involvement in data breaches. But for the events that don’t involve outside parties, how can these events be reduced?
Consider two of the most likely causes of breach, theft and loss. Encryption can reduce the risk that data can be accessed if physical devices are stolen or lost: laptops account for 22% of breaches, and other portable devices account for 12%. However, encryption won’t help with paper records, which account for 23% of data breaches. In these cases, limiting access to records and preventing records from being removed from the storage site can help, as can moving from paper records to electronic health records, which accounted for only 2% of data breaches. Note, however, that the devices used to store electronic health records are more likely to be involved: laptops, as discussed above, as well as network servers (10%) and desktop computers (13%). Because physical storage devices account for so many data breaches, whether or not electronic records are being used, cloud storage is worth considering. Although hacking is still a concern, remember that it accounts for just 6% of breaches, as opposed to theft and loss, which together make up nearly 60% of breaches.
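As an added example (not code from the original post or from the Software Advice report), here is the tallying behind a proactive Cause Map, run over constructed breach records shaped like the HHS report fields (breach type, location, Business Associate involvement, individuals affected). It ranks each cause both by how often it occurs and by how many individuals it affects, which is the distinction that lets Business Associates be a minority of incidents yet a majority of affected individuals.

```python
from collections import defaultdict

# Constructed sample records shaped like the HHS breach-report fields the
# article's analysis draws on. The values are illustrative only, not real
# reported incidents.
SAMPLE_BREACHES = [
    {"type": "Theft", "location": "Laptop", "ba": False, "individuals": 4_200},
    {"type": "Theft", "location": "Paper", "ba": False, "individuals": 900},
    {"type": "Theft", "location": "Network Server", "ba": False, "individuals": 1_900_000},
    {"type": "Unauthorized Access", "location": "Paper", "ba": True, "individuals": 20_000},
    {"type": "Unauthorized Access", "location": "Desktop Computer", "ba": False, "individuals": 1_500},
    {"type": "Loss", "location": "Backup Tapes", "ba": True, "individuals": 4_900_000},
    {"type": "Improper Disposal", "location": "Paper", "ba": True, "individuals": 277_000},
    {"type": "Hacking/IT Incident", "location": "Network Server", "ba": False, "individuals": 780_000},
]


def cause_shares(records, field):
    """Group records by one field and return, per value, the share of
    incidents and the share of affected individuals it accounts for."""
    incidents = defaultdict(int)
    people = defaultdict(int)
    for r in records:
        incidents[r[field]] += 1
        people[r[field]] += r["individuals"]
    n = len(records)
    total = sum(people.values())
    return {v: (incidents[v] / n, people[v] / total) for v in incidents}


def ranked(records, field, by="individuals"):
    """Causes ordered by the chosen measure: 'incidents' (how often a cause
    occurs) or 'individuals' (how much harm it does when it occurs)."""
    idx = 0 if by == "incidents" else 1
    shares = cause_shares(records, field)
    return sorted(shares.items(), key=lambda kv: kv[1][idx], reverse=True)


if __name__ == "__main__":
    # Print one ranked table per Cause Map branch: cause, location, BA involvement.
    for field in ("type", "location", "ba"):
        print(f"\nBy {field}:")
        for value, (inc, ppl) in ranked(SAMPLE_BREACHES, field):
            print(f"  {str(value):<22} incidents {inc:5.1%}   individuals {ppl:5.1%}")
```

With the constructed data, theft leads by incident count while loss leads by individuals affected, so which cause to address first depends on which measure the organization's goals weight more heavily.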
To view the proactive analysis / Cause Map of these data breaches, please click “Download PDF” above. Or click here to read more.