Thanks to HITECH, we have been able to get a better grasp of medical data breaches: how many there are in a given year, how many people are affected, and how they occur (paper documents, laptop loss, laptop theft, etc.). All signs point to more use of data security tools like drive encryption software from AlertBoot, seeing how the loss and theft of portable digital devices account for more than half of the publicly listed breaches, i.e., those involving the PHI of more than 500 people.
(Breaches involving fewer than 500 people are not readily made public — not at a granular level, anyhow. However, the Department of Health and Human Services does reveal the numbers as part of an annual report.)
One of the things that I’ve often wondered about, though, is how often a breach hits a HIPAA covered entity. The answer to this question is not readily available using the HHS’s tools.
According to a HIMSS Analytics report (covered by ihealthbeat.org), a survey of 250 IT executives at hospitals revealed the following:
The number of US hospitals that experienced a data breach in the past 12 months was 27%. In a 2010 survey, the number hit 19%.
Of those who did have a data breach:
31% experienced one breach (43% in 2010) – 12% increase
28% experienced two breaches (28% in 2010) – same
35% experienced three to nine breaches (15% in 2010) – 20% decrease
6% experienced ten or more breaches (15% in 2010) – 9% decrease
Since the surveys are for the previous 12 months, the 2010 figures reflect breaches in 2009.
At Odds with HHS Wall of Shame?
Based on the above survey, the implication is that medical organizations are getting better at defending patient data. At AlertBoot, for example, we are aware that more medical organizations have been looking for disk encryption software to protect their laptops (no doubt, in part a result of the HITECH Breach Notification Rule, which provides safe harbor from sending breach notifications to patients if encryption software is used).
At the same time, the distinct impression that I got from the “HIPAA Breach Wall of Shame” was that data breaches have increased over the years, not decreased. So, what gives?
Assuming that we’re not dealing with sampling errors, it’s pretty apparent that hospitals that had egregious patient data security practices have finally started to get a handle on their problems. This probably accounts for the large decrease in organizations that had more than three breaches in a given year. At the same time, when you reflect that not all data breaches can be weeded out, some of these same organizations probably had one incident, contributing to the increase in hospitals reporting one breach in the past twelve months.
Plus, the total number of breaches jumped from 19% to 27%, which is in line with what’s being reported at the HHS site.
Making a Prediction
I get the feeling that, going forward, we’ll probably see the same trend: the number of hospitals and other medical organizations reporting multiple breaches will continue to decrease as they get a better handle on securing and managing PHI in the digital age.
But data breaches are, unfortunately, unavoidable. They just are. For example, even if a hospital encrypts all of its laptops and desktops and completely prevents the use of USB devices (by physically gluing the USB ports shut), there are other ways to lose data, such as emailing a spreadsheet to the wrong address, or someone printing a document and taking it home.
So, we’ll probably see an increase in organizations that report at least one or two breaches each year, even if they reach the peak of data security optimization.
Plus, the total number of breaches will continue to increase as more and more organizations join the EMR/EHR trend.