According to a report produced by the Health Information Trust Alliance (HITRUST), there has been little progress in reducing the amount of healthcare related data breaches.
A close look at the HHS data reveals that since 2009 the industry has experienced 495 breaches involving 21 million records at an estimated cost of $4 billion. With the annual number of total breaches remaining fairly consistent, hospitals and health systems is one of the few groups that can claim some improvements in protecting health information with the largest decline in reported breaches.
HITRUST spotlighted smaller medical practices as one of the largest areas of concern. Organizations with 1-100 employees account for 60% of all data breaches. This segment has less awareness and resources to implement security and to prevent breaches.
In addition, HITRUST believes that Stage 1 meaningful use may have incentivized and/or raised awareness for the need for security, particularly in the most likely areas of laptops, desktops and mobile media. However, the data indicates that physician practices, which should be similarly motivated by meaningful use incentives, have continued to demonstrate a lack of progress. This is especially true of smaller physician practices where those with one-to-100 employees account for over 60 percent of the breaches reported in the segment. The analysis indicates that organizations such as these likely lack the awareness and resources in order to adequately recognize the issues and take actions to preempt future breaches. As the interconnectivity of organizations increases through community health records and health information exchanges, small practices may pose a new and significant risk to larger entities that have begun to get a handle on security and privacy.
There is a critical need for healthcare education tailored to security for smaller organizations. HITRUST also recommends that physicians proactively address their security initiatives.
The report identified other areas of concern:
- Even in this electronic age, breaches of paper records remain significant among the leading segments (providers, payers, government) with errors in mailing and disposal of records playing a substantial role in some of the highest profile paper-based breaches. Since 2009, paper records comprise 24 percent of healthcare breaches, second only to laptops.
- Business associates continue to account for a significant number of breaches (21 percent) and are implicated in a majority of the records breached to-date (58 percent). This continues to be a problem across all organization types, with physician practices struggling the most.
- The average time to notify individuals and HHS following a breach is 68 days, with over 50 percent of organizations failing to notify within the 60 day deadline set by HITECH.
It is clear that a lot more needs to be done to protect patient information. Smaller organizations that lack security resources need to find partners that can help them and implement additional safeguards. Now is the time to get serious about protecting patient information.