
How to prevent healthcare data breaches (and what to do if you're a victim)

Brian Eastwood | Dec. 21, 2012
Personal health information is worth 50 times more to thieves than credit card or Social Security numbers, so it's no surprise that healthcare organizations are prone to data breaches. Preventing them is difficult, and so is mitigating the damage they can cause. Here experts discuss how organizations can avoid breaches and a nonprofit that suffered a breach in 2011 explains how it responded.

Data breaches are unfortunately not uncommon in the healthcare industry. In the last three years, more than 500 breaches affecting 500 or more patient records have been reported to the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services. OCR estimates that close to 60,000 smaller breaches have occurred in the same timeframe.

Most data breaches begin with a moment of, "You're not going to believe what just happened," says Robert Belfort, a partner with Manatt, Phelps & Phillips LLP. It could be a CD with patient data that goes missing from a storage firm when the employee who signs for it suddenly resigns, or it could be a laptop taken from a car parked in an otherwise nondescript residential neighborhood.

Both incidents are real; the latter occurred in 2011 and involved the Massachusetts eHealth Collaborative (MAeHC), a small nonprofit that's nonetheless active in influencing national healthcare IT policy. Given the organization's role, "It was no small embarrassment to find out that we had made some critical mistakes," CEO Micky Tripathi says.

What to Do If You're a Victim of a Healthcare Data Breach

Tripathi, Belfort and others spoke at last week's Privacy & Security Forum, presented by Healthcare IT News and the Healthcare Information and Management Systems Society (HIMSS).

Once an incident is discovered, the first step is determining if a breach actually happened. That's no small task, Belfort says, as there are differences between data breaches and system vulnerabilities or violations of an organization's security policy. Vulnerabilities and violations should be noted, both for auditing purposes and to educate employees about data security, but they don't automatically constitute breaches.

Even if a breach has occurred, Belfort continues, there are two additional questions to consider: Did unauthorized or improper access to personal health information (PHI) occur, and if so, is there any risk to the organization? If an unencrypted laptop containing PHI was in a car that was stolen and subsequently dumped at the bottom of a lake, then the risk of anyone having seen that PHI is low, he says.

The MAeHC incident was a data breach, Tripathi says. Neither the laptop nor the data was encrypted, and although the files were password-protected, it was determined that an "enlightened amateur" could access the data. Of the nearly 15,000 patient records on the laptop, 1,000 put patients at a significant risk of harm, he says, as they contained a patient's name and one of three other pieces of information: date of birth, Social Security number or reason for the appointment.

The next step was notifying those 1,000 patients. Here differing state and federal laws complicated matters. Federal law puts a HIPAA-covered entity at fault. In this case, that would have been the practices for which the MAeHC was a contractor. (The agency was studying error logs for electronic data submissions.) Under Massachusetts law, though, the MAeHC, as the entity that lost the data, was responsible. To avoid confusion, Tripathi says, the eight affected covered entities sent the letters (to meet federal law) but mentioned MAeHC in the first sentence (to cover the state law).
