Statistics on healthcare data breaches are staggering. Since the Department of Health and Human Services (DHHS) created a mandate for the reporting of such breaches in 2009, the number of data breaches has increased from 199 in 2010 to 365 in 2018. That may not sound like a lot, considering that there are about 6,000 hospitals in the United States and hundreds of thousands of other healthcare-related facilities, but the number of reported data breaches does not necessarily correlate with the number of records breached.
In 2015, for example, the number of reported data breaches fell to 269 from the 314 reported the year before. However, over 113 million medical records were breached, making 2015 the worst year so far for exposed medical records.
Of the top 25 breaches that exposed the most records, 22 were categorized as “theft,” “unauthorized access,” or “hacking/IT incident.” Not all of these incidents are avoidable, as the potential for cybercriminals to hack a system is just as common for healthcare organizations as it is for our own personal data. But protecting electronic health records (EHRs) so that their contents are not exposed when a breach does occur is something that can be achieved.
Common Threads in Data Breaches
In recent years, a common thread among some of the biggest and most costly breaches is the lack of encrypted hardware:
- The University of Texas MD Anderson Cancer Center is still actively appealing the $4.3 million HIPAA penalty imposed by the DHHS in 2018. There were three separate security incidents in 2012 and 2013: the theft of an unencrypted laptop and the loss of two unencrypted USB thumb drives.
- Also in 2018, Fresenius Medical Care North America in Massachusetts agreed to pay a $3.5 million settlement over five separate HIPAA violations from 2012. One incident involved a stolen unencrypted USB drive and another involved a stolen hard drive.
- Yesterday, the University of Rochester Medical Center in New York agreed to pay a $3 million penalty for HIPAA violations. The incidents included a stolen, unencrypted flash drive in 2013 and a stolen, unencrypted laptop in 2017.
Expectations of Healthcare Organizations
There is an overwhelming public expectation that our medical data remain safe, private, and confidential. This is based in part on the legal requirements imposed on healthcare organizations through the HIPAA Privacy and Security Rules. Most of the records collected by these organizations contain personal data such as Social Security numbers, financial data such as payment and insurance information, and of course medical data, including diagnoses, medications, and even allergies. Together this is the most personal information about us, which is why encryption is so critical.
It is important to understand that the Office for Civil Rights (OCR), the division of DHHS that investigates HIPAA violations, does not distinguish between breaches of encrypted and unencrypted data. HIPAA penalties are based on the number of breached records. However, in the case of MD Anderson Cancer Center, $1.3 million of the $4.3 million fine was imposed specifically for failure to encrypt devices containing EHRs. The remaining $3 million was for the three data breaches themselves.
Even though encryption is not specifically cited as a requirement of HIPAA and therefore not “mandatory,” it is considered an “addressable implementation.” The failure to implement encryption is why the judge in the case sided with the OCR. OCR Director Roger Severino stated in a press release that “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”
Encryption for All
Every person is entitled to the privacy and security that encrypted drives provide, and people often assume that healthcare organizations are using this type of technology to keep their data protected. Using encrypted drives or equipment is by far one of the most effective methods of ensuring that the data itself is unusable in the event of loss or theft. Healthcare organizations can provide peace of mind to their patients by using hardware-encrypted drives like the SecureDrive BT and the SecureUSB BT from Secure Data.
With two-factor authentication and FIPS 140-2 Level 3 validated encryption, these drives provide the highest level of security and ensure HIPAA compliance. Additionally, administrators can remotely wipe the drives, ensuring that even the encrypted data is removed if someone attempts to access it.