The Explosion in PHI Data Breaches: Houston, We Have a Problem

Rajiv Leventhal | Healthcare Blogs

April 30, 2014

Another day, another HIPAA breach at a healthcare organization. Unfortunately, from a data security standpoint, that could be a headline for the health IT industry these days, which has become a sitting target for data breaches, many of which involve patients’ protected health information (PHI).

Here at Healthcare Informatics, we report on the big industry breaches, though it would be impossible to cover even all of those. But just in recent weeks, we have written about HIPAA settlements from two security breaches in Arkansas and Missouri; an incident when a Tennessee healthcare employee gave patients’ PHI to a competing provider; a fraudulent tax return scheme at the well-respected University of Pittsburgh Medical Center (UPMC); and a Los Angeles County data breach that astonishingly may have involved more than 300,000 patients.

What’s more, a recent report from Redspin, Inc., a Carpinteria, Calif.-based provider of IT security assessments, revealed that in 2013 the number of PHI breaches was up 138 percent from 2012, with 199 breaches of PHI reported to the Department of Health and Human Services (HHS), impacting over 7 million patient records. The report, the fourth annual one from Redspin, found that nearly 30 million Americans have had their health information breached or inadvertently disclosed since 2009. Heck, HHS has a “wall of shame” on its website for breaches affecting 500 or more people. The secret is out: Houston, we have a problem.

One of the most unfortunate parts about all of these infringements is that all across the country it’s often the same type of crime that is being committed. Far too frequently in healthcare organizations, we will see data out, laptops left open, and medical equipment that stores patient data being left around. These are the key problems, and it’s seen more in healthcare than in any other industry, said Jason Polancich, a 20-year veteran of the U.S. intelligence community and co-founder of HackSurfer, a Maryland-based cybersecurity firm, in a December interview with me.

Regardless of the attack method, though, the value for the criminals all lies in the data. Says Polancich: “What can they get access to and what can they sell? So primarily what we see are network intrusions, or employees being paid to provide access to networks and systems. Employees are helping the bad guys for profit, and we’re seeing more of that this year. Either employees are stealing the data, such as pharmaceutical and prescription data, and selling it, or they’re selling identities so these crime drug rings can use them to go out and falsify other information.”

There are many different ways healthcare organizations respond to data breaches, ranging from damage control teams to deeper investigations that may involve federal authorities, but it is becoming clear that reactive methods are not good enough anymore—organizations must be proactive and preventative, or the attacks will not cease.

To start, an organization’s preventative method should center on education. Regular education seminars, materials, and required training classes on protecting data are the norm in other industries, so there’s no reason why they can’t be in healthcare, too. Often, companies have annual training or new hire training, and that’s it. But with the influx of security breaches, there is really no excuse for that anymore—continual education for those who need to be in the know should be a requirement at this point.

Additionally, performing a PHI risk assessment needs to be more of a priority for organizations. Facilities should perform a PHI risk assessment to inventory any healthcare information that is personally identifiable. Organizations must understand where their sensitive data resides, including at every stage of the information workflow (a study by the Ponemon Institute found that 49 percent of respondents do nothing to protect mobile devices), and then the information should be classified to determine the level of protection each category requires.