There was a 30% increase in the number of breaches on the Identity Theft Resource Center’s (ITRC) 2013 breach list released earlier this year compared to 2012. And the highest percentage occurred in the healthcare industry: 44% compared to 34% for the business sector, which has topped the list since 2005.
One reason for the dramatic increase is the tougher reporting requirements of the Health Insurance Portability and Accountability Act (HIPAA) final rule that became effective in 2013. The U.S. Department of Health and Human Services (HHS) recently submitted its annual breach report to Congress for 2012. It showed that theft continues to be the leading cause of breaches of unsecured protected health information (PHI); the percentage increased to 52% in 2012 from 49% in 2011.
What happened in 2013? HHS is still compiling the data, but in the meantime, a 2014 benchmarking study of 505 healthcare organizations conducted by Ponemon Institute showed a slight decrease in the number of breaches reported in 2013.
According to Ponemon’s “Fourth Annual Benchmark Study on Patient Privacy and Data Security,” the cost of data breaches to healthcare organizations continues to average about $2 million per organization over a two-year period. Based on the experiences of the 2014 participants, Ponemon estimates the cost to the healthcare industry as a whole could be as much as $5.6 billion annually.
Employee negligence is the biggest security risk, according to the benchmarking study. Three-quarters of the organizations ranked it their biggest worry, followed by use of public cloud services (41%) and mobile device insecurity (40%). Despite that, 88% of the organizations permit employees and medical staff to use their own mobile devices, such as smart phones and tablets, to connect to the organization’s networks.
Participants also expressed their lack of confidence in business associates to protect data against breaches. Interestingly, the HHS report revealed that healthcare providers accounted for the majority of breaches in 2011 and 2012, 63% and 68%, respectively; business associates accounted for 27% and 25%, respectively.
One thing is certain: healthcare organizations are continuing to struggle to comply with the HIPAA final rule.
ARMA International encourages organizations, regardless of industry sector, to review their policies and practices related to cloud services, BYOD, and mobile device security. Organizations are best served by having established practices in place before a data breach occurs; this allows them to respond more quickly and effectively if and when one does. The following resources can be useful in establishing these practices:
- Comparison of Data Breach Laws Across the United States – job aid at www.arma.org/bookstore
- The International Association of Privacy Professionals (IAPP) – ARMA maintains a key partnership with this organization, which has many resources available for addressing data breach notification programs and related issues.
- Mobile Communications and Records and Information (ARMA TR 20-2012) – An ARMA technical report (ARMA International)
- Guideline for Outsourcing Records Storage to the Cloud – (ARMA International)