Carelessness behind many health data breaches
■ Mishandling patient information, whether paper or electronic, can cost millions in fines even if no harm is intended.
For all the high-tech security work that physician practices do so that no outsiders get unauthorized access to their patients' data, one very low-tech cause of data insecurity often is overlooked: plain old forgetfulness.
For example, Massachusetts General Hospital on Feb. 24 settled with the Dept. of Health and Human Services to pay a $1 million fine for a patient data security breach that was not caused by a hacker breaking into its system. Instead, HHS said, it was caused by an employee who inadvertently left a stack of paper files on a subway train on the way to work.
Kaufman, Rossin & Co., an accounting firm in South Florida, issued a report in February that found practices and hospitals are more likely to experience a breach because of an employee losing a thumb drive, mobile device or stack of paper files than because they were targeted by malicious hacking.
The firm analyzed 166 breaches affecting 500 or more patients that were reported to HHS' Office for Civil Rights from September 2009 to September 2010 and found that theft and loss were the leading causes.
"Humans truly are the biggest vulnerability within an organization with regard to security and privacy," said Rebecca Herold, a privacy and data security consultant based in Iowa.
Whether patient data are stored on a stack of paper files or a mobile computing device, many organizations don't have, or don't enforce, written policies on how the data should be handled, Herold said.
The privacy rule of the Health Insurance Portability and Accountability Act of 1996 set fines and enforcement against practices, hospitals and others that didn't protect patient data. But the Health Information Technology for Clinical Health Act of 2009, part of the 2009 economic stimulus package, raised the stakes by increasing the possible fine to $1.5 million for each patient whose data were breached.
Not that a federal fine would be the only cost. The Ponemon Institute, which researches data privacy issues, issued its annual report March 8 analyzing the cost of data breaches. It found that the price for failing to protect patient data rose from $301 per breached file in 2009 to $345 in 2010. The costs included administrative expenses, such as notification, and the loss of business.
Still, practices are often too cavalier about how information leaves their offices, according to Kaufman, Rossin.
Employees bring stacks of paper files to and from the office, download patient information onto personal laptops and take thumb drives from work -- all with good intentions of working at home after hours but also exposing the data to more risk.
Practices need to understand where their information is stored, which could be multiple places, and how it is flowing throughout the organization regardless of whether it is on paper or electronic, said Jorge Rey, an information and IT audit manager for Kaufman, Rossin and co-author of the accounting firm's report.
Often, a breach "is pretty much human error and sometimes more like neglect," Rey said. Physicians and practice employees "are aware that breaches occur, but they are not necessarily fully aware they have sensitive data that can put the institution at risk of a breach."
In the Massachusetts General Hospital case, HHS said the facility failed to "implement reasonable, appropriate safeguards to protect the privacy of [patient information] when removed from Mass General's premises." The loss of paper files affected 192 patients of the hospital's infectious disease outpatient practice, including patients with HIV/AIDS.
Policies must be instituted
The hospital system was not required to admit guilt, but HHS ordered it to develop and implement policies and procedures to ensure patient data are protected when removed from the premises. Mass General also is required to train workers on these policies and procedures and submit to a monitor that will issue semiannual compliance reports to HHS for three years.
Mass General said in a prepared response to the settlement that it will issue new or revised policies and procedures regarding the physical removal and transport of personal health information, laptop encryption and USB drive encryption.
Rey said policies should acknowledge that sometimes physicians or other employees need to access data at home. But practices must identify what can go wrong and look at ways of reducing the chances of those things happening, he said.
For example, one way to minimize exposure is with Web-based applications that allow remote access to secure databases. Accessing the data remotely will ensure that nobody transports physical copies -- or physical devices with the information -- between work and home, Rey said.
Once those policies are in place, organizations need to revisit and update them and monitor their systems for possible risks, experts said.
"This is not a one-time thing," said Avishai Wool, chief technology officer and co-founder of AlgoSec, a Roswell, Ga., company that provides security and risk management auditing.
Data privacy laws have "big teeth," so constant vigilance is necessary, he said.