Blog: Hoping for 'progress' on health data breaches
It should be an outrageous number—80,000 breaches—but crazy as it seems, that huge number might be a sign of progress.
I interviewed a group of health IT security specialists last week for a story we published about breaches and encryption.
One of them was Michael "Mac" McMillan, CEO of CynergisTek, an Austin, Texas-based security consultancy. We were talking about an e-mail I had just received from HHS' Office for Civil Rights reporting there had been about 60,500 healthcare information breaches involving fewer than 500 individuals between September 2009, when the federal breach reporting requirement began, and December 2011.
Providers and other HIPAA covered entities are required to report these lesser breaches to the Office for Civil Rights only once a year, so we were speculating about how many there will be once all of the 2012 reports have been sent.
"We're probably going to be talking about 90,000, unless you think 2012 was a good year, for some reason," McMillan said. "If I were to pick a conservative number, I'd pick around 80,000."
Incredibly, even if McMillan's "conservative" forecast holds, 2012 will have been a better-than-average year—an average of 1,625 breaches a month in 2012 vs. 2,151 a month in the preceding 28 months.
And that outcome will be somewhat surprising because provider spending on health IT security has remained both inadequate and flat for the past five years, according to Lisa Gallagher, senior director of privacy and security at HIMSS, based on the latest HIMSS security survey.
If it turns out that there were fewer smaller breaches in 2012, coercion may have been the catalyst.
In 2011, HHS' Office of Inspector General put the spurs to the Office for Civil Rights, accusing it of lax enforcement of the HIPAA security rule.
From 2011 onward, the office has reached settlements in or prosecuted seven of its 11 monetary penalty cases and collected $11.5 million (77%) of its nearly $14.9 million in settlement amounts and court-ordered penalties for HIPAA violations.
In addition, the CMS added specific references to HIPAA-required security risk analysis to the federal EHR incentive payment programs' meaningful-use requirements. The feds insist that, to get paid, providers at least consider protecting patients' data via encryption, even though by law the feds can't mandate it.
There have been 525 breaches involving 500 or more records, together exposing more than 21.4 million patients' records. Summaries of these are posted publicly on the "wall of shame" kept by the Office for Civil Rights.
Forty-two percent of the larger breaches involved laptops, backup disks and other portable devices. Had the data on those gizmos been encrypted, those organizations wouldn't be on the list, and the millions of patients whose records went missing never would have been put in jeopardy.
"There is no excuse" for not using encryption, cryptographer Phil Zimmermann told me. "Any hospital or anybody who has medical records, they have to use encryption, and if they're not, they're being negligent."
Zimmermann developed one of the most popular encryption software programs on the planet: Pretty Good Privacy, or PGP.
I can't argue with him. Can you?