A Caution When Leaving Employees To Their Own Devices


Dec 4, 2014 TigerText

7 Million Patient Records Compromised

Figures released by the Department of Health and Human Services' Office for Civil Rights show there were 199 breaches of "protected" health information last year affecting 7,095,145 patient records – more than the population of Massachusetts!

But this hardly tells the whole story, as the Office for Civil Rights is only required to reveal details of HIPAA data breaches in which the number of patient records compromised is equal to or greater than five hundred.

In fact, the Office for Civil Rights received more than 90,000 complaints about HIPAA data breaches in 2013; and even if you eliminate the 53,000 complaints that were closed because the Office for Civil Rights "lacked jurisdiction", the complaint was withdrawn, or no violation of HIPAA was found, that leaves 37,000 complaints which (by default) were justified.

Left to Their Own Devices

Incredibly, 90 of the 199 HIPAA data breaches reported by the Office for Civil Rights involved the theft of a mobile device or desktop computer – including the top three individual data breaches which alone accounted for 5.59 million compromised health records.

Now, just think about this for a minute. If the patient data contained on those three mobile devices and desktop computers had been encrypted as required by the HIPAA Security Rule, "only" 1.5 million patient records would have been compromised in 2013 – slightly more than the population of New Hampshire.

That is a massive difference for something which is relatively simple to do, so why are healthcare organizations failing to take the necessary steps to protect their patients' healthcare information? The only possible explanation is that the encryption of PHI was categorized as an "addressable" requirement in the HIPAA Security Rule and, left to their own devices, the healthcare organizations have just not bothered to "address" the issue.

Addressable Issues are Not Optional

The HIPAA Security Rule uses the terms "addressable" and "required" in its technical, physical and administrative safeguards. "Required" does not need any explanation, but maybe (for the benefit of healthcare organizations) the term "addressable" does.

Addressable means that the standards of the HIPAA Security Rule must be implemented unless a risk assessment concludes that implementation of a particular standard is not reasonable and appropriate. If, having conducted a risk assessment, it is found that a particular standard is not reasonable and appropriate, then alternative safeguards must be put in place to replace the addressable safeguard, and the decision must be documented.

Here's an example:

If PHI is being communicated between two devices in an office via a private network which does not use an open telecommunications channel, then there may be no need to encrypt it. If, however, unencrypted PHI is being communicated over the Internet, via email or via a text service, there is a substantial risk of HIPAA data breaches. Indeed, anybody in the IT industry would say that it is practically inevitable that the data will be compromised over a period of time.

Most risk assessments should identify that the open communication of PHI represents a risk that must be addressed. Failing to address the risk is not an option and represents "willful neglect". The Office for Civil Rights comes down pretty hard on healthcare organizations that engage in willful neglect, as we see from the substantial penalties for data breaches over the last year.

Lessons Learned the Hard Way

When the Office for Civil Rights catches up with a healthcare organization guilty of willful neglect, it isn't pretty. The following are just a handful of examples of financial penalties handed out to negligent healthcare organizations following HIPAA data breaches. The guilty organizations also had to adopt "corrective measures" and report to the Office for Civil Rights semi-annually on how those measures were progressing.

  • In September 2012, the Massachusetts Eye and Ear Infirmary was slapped with a $1.5 million fine after the theft of one laptop containing unencrypted clinical information and details of patients' prescriptions.
  • The following December, the Hospice of North Idaho was fined $50,000 after the theft of a laptop containing unencrypted PHI was reported. Significantly, this was the first fine issued by the Office for Civil Rights for a HIPAA data breach of fewer than 500 patient records.
  • In 2013, Idaho State University agreed to pay a $400,000 fine after a firewall protecting approximately 17,500 unencrypted patient records at the Pocatello Family Medicine Clinic was disabled – and left disabled for ten months!
  • Skipping forward to the end of 2013, the Adult & Pediatric Dermatology practice in Concord, Massachusetts got rocked for $150,000 following the theft of a thumb drive which contained unencrypted data relating to 2,200 patients.
  • In the summer of 2014, another fine was slapped on a healthcare organization for a HIPAA data breach which affected fewer than 500 patient records. This time QCA Health Plan of Arkansas was in the soup (and $250,000 poorer) after a laptop containing the unencrypted PHI of 148 individuals was stolen from an employee's car.

Recognize a theme running through the above? When healthcare organizations are left to their own devices, the message is simple: get encrypted, or don't expect much sympathy when HIPAA data breaches happen!

Learn how you can use TigerText to keep all communication encrypted and secure, no matter the device, today!