HHS Report of Breaches, 2011-2012, Part #2

The U.S. Department of Health and Human Services (HHS) recently submitted its Annual Report to Congress on Breaches of Unsecured Protected Health Information (PHI) for the calendar years 2011-2012. We blogged previously about the major breaches (those affecting 500 individuals or more) and their causes.

Looking at the location of the PHI that was breached gives further insight for a risk analysis.

In 2011, the breakdown was as follows:

[Chart: HHS Breach Report 2011-2012, Major Breaches 2011, by location of breached PHI]

2012 saw similar results in terms of the location of the PHI breached:

[Chart: HHS Breach Report 2011-2012, Major Breaches 2012, by location of breached PHI]

The lessons to be learned here are:

  1. Paper records still account for a surprisingly large share of large breaches: 23% in 2012. Paper PHI needs to be secured too. Establish ongoing training programs so that employees are continually trained on the organization's privacy and security policies and procedures, including the appropriate uses and disclosures of PHI.
  2. Security and control of portable electronic devices is a key component of your organization's risk management plan. Taken together, these two categories are the most common breach location, at 36% in 2012. Use encryption, use a mobile device management system, and have clear policies and procedures that govern the receipt and removal of portable electronic devices and media containing PHI from a facility and that specify how such devices and the information on them should be secured when off-site.
  3. Reduce the number of locations that store PHI. Start with an inventory of your PHI. Consolidate your PHI wherever possible. Avoid storing PHI on desktop computers.
  4. Encrypt, encrypt, encrypt. As mentioned above, encryption is important for mobile devices; however, as the statistics show, it is also prudent to explore encryption options for desktops (if PHI must be stored on them) and for databases on servers. Make sure a secure email solution is used so that email is encrypted. Best practice is to use a filter that detects whether PHI is included in an email and automatically encrypts it.
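The last lesson calls for a filter that detects PHI in outbound email and forces encryption. The following is an added example, not code from the original post or from HHS: a small content filter that parses an outbound message with Python's standard `email` library, scans the body and any text attachments for PHI indicators, and returns a routing decision. The identifier patterns (SSN, an "MRN" record number, date of birth, clinical keywords), the decision thresholds and the two sample messages are all constructed for illustration; a real deployment would substitute the organization's own identifier formats. The same `phi_indicators` scan can be pointed at files on disk to support the PHI inventory recommended in lesson 3.

```python
"""Outbound-mail PHI filter (illustrative example, not from the original post).

Parses a raw RFC 822 message, scans every text/* part for PHI indicators and
decides whether the message must be routed through the encryption gateway.
Patterns, thresholds and sample messages are constructed for this example.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# PHI indicator patterns (assumptions for illustration; tune to your records).
# SSN: three groups, excluding the area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Hypothetical medical record number format: "MRN" followed by 6-10 digits.
MRN_RE = re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE)
# Date of birth labelled as such, with a numeric date.
DOB_RE = re.compile(r"\b(?:DOB|date of birth)\b[:\s]*\d{1,2}/\d{1,2}/\d{2,4}",
                    re.IGNORECASE)
# Clinical context words: weak alone, strong alongside an identifier.
CLINICAL_RE = re.compile(
    r"\b(?:diagnosis|prescription|lab results?|treatment plan|patient)\b",
    re.IGNORECASE)


def phi_indicators(text):
    """Return indicator name -> number of matches found in the text."""
    return {
        "ssn": len(SSN_RE.findall(text)),
        "mrn": len(MRN_RE.findall(text)),
        "dob": len(DOB_RE.findall(text)),
        "clinical": len(CLINICAL_RE.findall(text)),
    }


def message_text(msg):
    """Concatenate the decoded content of the body and all text/* attachments."""
    parts = []
    for part in msg.walk():
        # multipart containers are skipped; only leaf text parts carry content
        if part.get_content_maintype() == "text":
            parts.append(part.get_content())
    return "\n".join(parts)


def classify_message(raw_bytes):
    """Decide how an outbound message should be routed.

    Policy (an assumption for this example): any direct identifier (SSN, MRN,
    DOB) requires encryption; clinical words alone require it only when two
    or more appear, to limit false positives on ordinary business mail.
    Returns (decision, indicators) where decision is "encrypt" or "send-clear".
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    indicators = phi_indicators(message_text(msg))
    if indicators["ssn"] or indicators["mrn"] or indicators["dob"]:
        return "encrypt", indicators
    if indicators["clinical"] >= 2:
        return "encrypt", indicators
    return "send-clear", indicators


def build_sample(include_phi):
    """Construct a sample outbound message (constructed test data, not real PHI)."""
    msg = EmailMessage()
    msg["From"] = "clinic@example.org"
    msg["To"] = "partner@example.net"
    msg["Subject"] = "Follow-up"
    if include_phi:
        msg.set_content("Patient John Doe, MRN: 00451234, DOB: 03/14/1975.\n"
                        "Lab results attached.")
        # PHI hidden in a text attachment must be caught as well as in the body.
        msg.add_attachment("name,ssn\nJohn Doe,123-45-6789\n",
                           subtype="csv", filename="export.csv")
    else:
        msg.set_content("Hi, the meeting is moved to Tuesday. Thanks.")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        decision, found = classify_message(build_sample(flag))
        print(f"phi={flag}: {decision} {found}")
```

The filter deliberately inspects attachments, not just the body, because exported spreadsheets are a common way PHI leaves an organization by mail. In production the "encrypt" decision would hand the message to the secure email gateway the post recommends, and the indicator counts would be logged so that false positives can be reviewed and the patterns tuned.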
