IT Everything

A witness to history in healthcare information technology.
By Joseph Conn

IT Everything: Health IT Blog — Business associates tied to big breaches

Healthcare organizations seeking to maximize the number of patient records they can expose through a given security breach should consider contracting for professional help.

I'm only being partially facetious.

Let's look at the facts.

There have been 588 major breaches of healthcare records posted to the “wall of shame” website operated by the Office for Civil Rights at HHS since a federal reporting requirement went into effect in September 2009.

Business associates of the HIPAA-covered entities held primarily responsible for securing that sensitive data were involved in 129 of those breaches, or 22% of the total.

But “BAs” are to data breaches what gasoline is to fire—an accelerant.

If you want a big, honking, flaming breach, hire a BA, because they've managed to expose just over 12.2 million patients' records in those 129 breaches. That's a disproportionate, 56% share of the nearly 21.8 million individuals' records subjected to breaches on the OCR's list.

Of those 12.2 million individuals' records that went bye-bye, business associates have let thieves steal 34% of them; lost another 16%; allowed unauthorized persons access to 14%; mailed 12% to the wrong people; exposed 10% to hackers and otherwise bungled away the remaining 14%, according to a report by the data security consortium Health Information Trust Alliance, known as HITrust.

There have been 101 different business associates implicated in those 129 breaches, the OCR data shows. Yes, that's right; that means there have been frequent fliers—17 BAs, in fact, that have helped more than one of their clients make headlines.

Less than half of healthcare data handlers, including BAs, are compliant with the HIPAA security rule, according to Daniel Nutkis, CEO of HITrust. Only recently, in its sixth year, HITrust scored a coup: several of its largest members have committed to requiring that their business associates undergo and pass a standardized, third-party security review.

“We know that more than 50% of organizations don't use two-factor authentication for remote access” to protected health information, Nutkis said in a recent telephone interview. “We also know that 50% of computers” that are used to access patient information “have malware on them; and there is a significant amount of password sharing.”

“When they submit stuff to us,” for security rule compliance verification, “they just come up with every cockamamie excuse you could think of” for noncompliance, Nutkis said.

It shows—eventually—on the wall of shame.

Follow Joseph Conn on Twitter: @MHJConn
