Healthcare organizations seeking to maximize the number of patient records they can expose through a given security breach should consider contracting for professional help.
I'm only being partially facetious.
Let's look at the facts.
There have been 588 major breaches of healthcare records posted to the “wall of shame” website operated by the Office for Civil Rights at HHS since a federal reporting requirement went into effect in September 2009.
Business associates of the HIPAA-covered entities held primarily responsible for securing that sensitive data were involved in 129 of those breaches, or 22% of the total.
But “BAs” are to data breaches what gasoline is to fire—an accelerant.
If you want a big, honking, flaming breach, hire a BA, because they've managed to expose just over 12.2 million patients' records in those 129 breaches. That's a disproportionate, 56% share of the nearly 21.8 million individuals' records subjected to breaches on the OCR's list.
Of those 12.2 million individuals' records that went bye-bye, business associates have let thieves steal 34% of them; lost another 16%; allowed unauthorized persons access to 14%; mailed 12% to the wrong people; exposed 10% to hackers and otherwise bungled away the remaining 14%, according to a report by the data security consortium Health Information Trust Alliance, known as HITrust.
There have been 101 different business associates implicated in those 129 breaches, the OCR data shows. Yes, that's right; that means there have been frequent fliers—17 BAs, in fact, that have helped more than one of their clients make headlines.
Less than half of healthcare data handlers, including BAs, are compliant with the HIPAA security rule, according to Daniel Nutkis, CEO of HITrust. The consortium, now in its sixth year, only recently scored a coup: several of its largest members have committed to requiring their business associates to undergo and pass a standardized, third-party security review.
“We know that more than 50% of organizations don't use two-factor authentication for remote access” to protected health information, Nutkis said in a recent telephone interview. “We also know that 50% of computers” that are used to access patient information “have malware on them; and there is a significant amount of password sharing.”
“When they submit stuff to us,” for security rule compliance verification, “they just come up with every cockamamie excuse you could think of” for noncompliance, Nutkis said.
It shows—eventually—on the wall of shame.
Follow Joseph Conn on Twitter: @MHJConn