HIPAA covered entities, including hospitals and physicians who are implementing electronic records in the hope of attaining Meaningful Use and qualifying for federal incentives, are performing a computer security risk analysis, or risk assessment. Conducting regular risk assessments has been a requirement of HIPAA since 2005; however, many organizations have been weak in their compliance. Organizations now have additional incentive to comply, since the Meaningful Use requirement of conducting a risk analysis per 45 CFR 164.308(a)(1) [the HIPAA Security Risk Analysis requirement] is necessary to earn significant incentive payments. While HIPAA does not prescribe the method or format for this analysis, all methods share the requirement to 1) quantify risk levels, and 2) estimate the impact of availability, integrity or confidentiality failures. A recent study by the Ponemon Institute provides some help with both of these requirements.
First of all, this new study is based on interviews with 72 organizations, primarily hospitals and hospital systems. An average of 4 interviews with different individuals in each organization were conducted. A wide range of health privacy and computer security matters were explored in the study. Some extrapolation to other environments is reasonable but should be done with caution.
One of the key findings was that these organizations experienced an average of 4 data breaches over the last two years, with an average of 2575 lost or stolen records per breach. Among the respondents, 14% had no breach and 29% had 5 or more. A breach is a failure of one of the three key security objectives: confidentiality.
The following were the root causes of the breaches:
| Cause | % of Cases |
| --- | --- |
| Lost or stolen device | 49% |
| 3rd Party Snafu | 46% |
| Unintentional Employee Action | 41% |
| Technical Systems Glitch | 33% |
| Criminal Attack | 30% |
| Malicious Insider | 14% |
| Intentional non-malicious employee action | 9% |
The sum of the percentages is greater than 100% because multiple causes may be involved in a single breach.
The organizations were also asked to quantify the impact of the breach. They cited the following factors as impacts:
| Impact | % of Cases |
| --- | --- |
| Time & Productivity Loss | 81% |
| Brand or Reputation Diminishment | 78% |
| Loss of Patient Goodwill | 75% |
| Loss of Revenue | 41% |
| Cost of Attorney/Legal Fees | 40% |
| Fines/Penalties to Regulators | 26% |
| Lawsuits | 19% |
| No Impact | 16% |
The study detailed a methodology for quantifying the financial impact which requires many assumptions and is primarily designed to quantify revenue loss. One piece of hard data provided is that the average legal fees – for all privacy and breach matters – were $249,290 per organization. The sample consisted primarily of hospitals and hospital systems, some of which can be presumed to be large. The study authors projected that lost revenue was likely much higher than these costs.
Key takeaways from this study are that the most likely problems for similar organizations will arise from loss or theft of mobile devices, problems with 3rd parties (who can be assumed to be business associates), and unintentional employee actions. All organizations have limited resources – so the value of the risk analysis process is to allocate those limited resources where they provide the greatest protection. Investments in data encryption for mobile devices, attention to and scrutiny of the security practices of business associates, and employee training should be prioritized.
Interested readers may download the Ponemon Institute’s study, Second Annual Benchmark Study on Patient Privacy & Data Security. Registration is required for free access. Readers interested in Eagle’s services for risk assessment are invited to explore Eagle’s Risk Assessment Services for Hospitals or Risk Assessment Services for Physician Practices.