A new data security report issued by healthcare IT security firm Redspin suggests the number of data breaches made known to the U.S. Department of Health and Human Services has increased by 138% over the course of the past year.
The final figures could be higher still, as the report only includes data breaches reported by HIPAA-covered organizations that affected more than 500 people (incidents in which data was compromised but fewer than 500 individuals were affected do not need to be a matter of public record and are therefore not contained in the report). Even with the strict reporting criteria under the HIPAA Security Rule, many data breaches go unreported, according to industry representatives.
The total number of people affected by data breaches is currently thought to be around 29.3 million, although the actual number of victims may be far higher. Back in 2012, the Director of Privacy and Security at HIMSS estimated the actual number of victims to be between 40 and 45 million.
Even when incidents are made known to the relevant authorities, not all of the complaints are successfully settled. The OCR has been unable to resolve 5,447 cases of suspected HIPAA violations, and 53,000 of the 90,000 complaints it has received resulted in cases being settled. This is not because there was no HIPAA breach, but because of other issues such as withdrawn complaints or a lack of jurisdiction to follow up on possible security breaches and procedural failures.
While attacks by hackers are on the rise, the Redspin report attributed just 65 of the data breaches to hackers; 22 percent were due to unauthorized access and 35 percent involved stolen laptops and computers containing encrypted data. Eighty-three percent of all large breaches involved the theft of devices, according to data contained in the report.
Over previous years, the efforts of healthcare companies have had a positive effect in reducing unauthorized access and data theft. However, businesses remain a particular security weak point: they were involved in the majority of large data breaches occurring between 2009 and 2012, although over the past year they have been involved in only ten percent of all data breaches reported.
While not every security breach can be stopped, organizations can take a number of steps to limit the chance of cybercriminals gaining access to data. Staff education is important, and robust data encryption software can stop data from being compromised. A regular risk assessment must be carried out to ensure that security holes are quickly discovered and plugged as, according to the OCR, it is the lack of a thorough risk assessment that leads to most data breaches.
The OCR is planning to approve random audits to test for HIPAA compliance, and a dramatic rise is expected in both the number of HIPAA violations uncovered and the number of HIPAA sanctions issued by the OCR. Of the 90,000 complaints received to date, only 17 have led to financial penalties being applied.