Keep ePHI off portable devices to secure data: Report

Tools

Data-breach analysis shows portable electronic devices and other easy-to-carry, easy-to-lose items such as CDs and thumb drives pose a growing risk for breaches of personal health information. One consulting group is advising healthcare organizations to avoid storing PHI on those items.

Portable devices, CDs, backup tapes and even X-ray films "may soon pose the greatest risk to [electronic] PHI because they are more prone to loss and theft," the Florida-based accounting and consulting firm Kaufman Rossin & Co. says in a new white paper.

"We recommend covered entities discourage employees from storing e-PHI on [such] assets and even computers unless necessary, in which case encryption and/or additional controls should be implemented."

The paper, "HITECH Act Three Years Later: Are Health Records Safe?", analyzes all breaches of electronic PHI reported to the Department of Health and Human Services in calendar years 2010 and 2011. The 407 breaches that affected more than 500 individuals each compromised the PHI of 19.1 million people, with the largest affecting 4.9 million.

Breaches that involved mobile devices, CDs and backup tapes compromised 9.7 million records, the HHS data showed.

The number of breaches fell from 201 in 2010 to 142 in 2011, but nearly twice as many individuals were affected, the Kaufman Rossin analysts noted. Theft and unauthorized access remained the biggest threat in both years.

The decrease in reported breaches indicates organizations have improved security controls and procedures, with email encryption in particular helping reduce the numbers, the authors said. Organizations still should assess their vendor-management programs to reduce the threat of breaches by business associates, train employees on proper disposal of paper records, and evaluate physical security of laptops and computers, the report concluded.

Kaufman Rossin is hoping to change attitudes such as those highlighted earlier this year in a report from the American National Standards Institute, the Santa Fe Group and Internet Security Alliance, which concluded that safeguarding protected health information is too rarely a top priority of healthcare chief information officers and chief executive officers.

The Carpinteria, Calif.-based IT security firm Redspin Inc. concluded earlier this year that unless curtailed, PHI breaches could "derail the implementation, adoption and usage of electronic health records."

To learn more:
- read the white paper
- download the ANSI report (registration required)
- see the Redspin announcement

Related Articles:
OCR reveals HIPAA audit protocol
Report: Data breaches from unencrypted devices up 525% in 2011
Health data breaches cost $6.5B annually