The following is written by Marion K. Jenkins, PhD, FHIMSS, founder and CEO of QSE Technologies.
A recent report by HITRUST (Health Information Trust Alliance, www.hitrustalliance.net), a national consortium of healthcare professionals that focuses on healthcare data security, provides an interesting and comprehensive overview of reported HIPAA Security breaches from Sept. 2009-June 2010. The report analyzes 108 reported breaches involving 3.6 million records of EPHI (electronic protected health information). The report further categorizes the breaches according to eight different "locations" (i.e., where the EPHI was stored), including laptops, backup tapes, network servers, desktop computers, etc. As another dimension, the report groups the incidents into nine different "types" (i.e., how the data was lost or compromised), including theft, improper disposal, hacking/IT incident, misdirected e-mail, etc. Combining these two dimensions yields a total of 72 different location x type combinations.
The most impactful conclusion, in this author's opinion, is that the HITRUST report shows that out of these 72 combinations, the number one cause of HIPAA breaches is theft of laptops (30 percent of the total), followed by theft of removable media (11 percent of the total) and theft of desktop computers (9 percent). This means that portable devices and media account for half of all breaches. Note: We have made the determination here that desktops are "portable" in the sense they are located at the edge of the network and are on users' desks and other workspaces where they are more accessible to non-authorized users. So even though desktops aren't really "portable" to users, they are definitely portable to thieves.
If you step back and think about this for a minute, it becomes clear that the reported HIPAA Security breaches are behavior-driven, not technology-driven. As we have mentioned before in this column, the very feature that makes laptops and portable media useful — their portability — makes them the greatest risk for breaches. In addition, since laptops are more likely to be used by the most senior clinical and business office people in an ambulatory surgery center, they are more likely to have wider access to EPHI. They are also more likely to hold a greater number of patient records, because their users are not working on an individual patient record or account like someone in billing or scheduling — they are more likely to be running reports and dashboards on a large number of patients/cases.
So using a HIPAA-compliant ASC software package, and having servers with redundant RAID drives, sitting behind a firewall and backed up daily and/or weekly, is meaningless if someone leaves a laptop or other portable device where it can be lost or stolen. That is what I mean by behavior-driven risks: The user(s) actually enable the threats because of the way they use the system.
Interestingly, hacking/IT incidents, which get a lot of attention and worry, accounted for less than 2 percent of the reported breaches. And theft across all locations/devices, including theft of paper records, accounts for 77 percent of all reported breaches.
So what should you, as an ASC owner/manager/administrator, do to avoid ending up as another HIPAA Security breach statistic? There are a few common-sense rules to follow:
- Don't store EPHI on a laptop, workstation or any other user device. Files and data should never be stored on local machines. They should be stored on a server and accessed over the office LAN, or, if the user is remote, over a secure Virtual Private Network (VPN) connection.
- If EPHI is stored on a laptop, it should be encrypted. This is a must. The use of GPS/tracking software for the laptop, as well as remote wipe/disable capability in the case it is lost or stolen, is also strongly recommended.
- If EPHI is stored on any portable media, it should only be for a temporary period of time, and proper tracking/destruction/re-use policies should be followed for all portable media.
- Any device that stores EPHI should be kept under lock and key, with access to the physical space where they are contained restricted to authorized users.
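The second rule above (if EPHI is on a laptop, it must be encrypted) is the one an administrator can actually verify rather than just mandate. The script below is an added example, not code from the column or from QSE Technologies: it reports the BitLocker state of every volume on a Windows laptop and flags any that are not fully encrypted with protection turned on. It assumes Windows 8 / Server 2012 or later with the built-in BitLocker PowerShell module, and must be run from an elevated PowerShell session; the function name Get-EphiEncryptionReport is this example's own.

```powershell
# Added example (not from the column or from QSE Technologies).
# Audits BitLocker status on the local Windows machine and flags volumes that do
# not protect data at rest. Assumes the built-in BitLocker module (Windows 8 /
# Server 2012 or later) and an elevated session.

function Get-EphiEncryptionReport {
    [CmdletBinding()]
    param()

    # Get-BitLockerVolume is part of the built-in BitLocker module.
    $volumes = Get-BitLockerVolume

    foreach ($v in $volumes) {
        # Data at rest is only protected when the volume is fully encrypted AND
        # protection is on; a volume that is encrypted but "suspended" (ProtectionStatus
        # Off) exposes the clear key and is not compliant.
        $compliant = ($v.VolumeStatus -eq 'FullyEncrypted') -and ($v.ProtectionStatus -eq 'On')

        [PSCustomObject]@{
            MountPoint        = $v.MountPoint
            VolumeType        = $v.VolumeType          # OperatingSystem or Data
            VolumeStatus      = $v.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
            ProtectionStatus  = $v.ProtectionStatus    # On / Off
            EncryptionPercent = $v.EncryptionPercentage
            KeyProtectors     = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
            Compliant         = $compliant
        }
    }
}

$report = Get-EphiEncryptionReport
$report | Format-Table -AutoSize

$unprotected = $report | Where-Object { -not $_.Compliant }
if ($unprotected) {
    Write-Warning ("Unencrypted or unprotected volumes found: " + (($unprotected.MountPoint) -join ', '))
    exit 1
}
else {
    Write-Output "All volumes are fully encrypted with protection on."
}
```

The non-zero exit code lets the script be scheduled or pushed to each laptop and collected by whatever management tooling the center already uses, so that an unencrypted laptop shows up before it goes missing rather than after. Note what the check does not tell you: it confirms the disk is encrypted, not that the first rule above (no EPHI stored locally at all) is being followed, and it says nothing about removable media plugged into the machine, which the third rule addresses separately.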
In summary, laptops, desktops and portable media represent — by a wide margin — the most critical HIPAA Security threats for surgery centers.
Marion K. Jenkins, PhD, FHIMSS, is founder and CEO of QSE Technologies, which provides IT consulting and implementation services for ASCs and other medical facilities nationwide. Learn more about QSE Technologies at www.qsetech.com. For a copy of the complete HITRUST report, you may email the author at marion.jenkins@qsetech.com.