Medical data breaches most often caused by theft

The best defense physician practices can take against data breaches might be to keep a more watchful eye for thieves.

The Health Information Trust Alliance in August published an analysis of the 108 breaches that were reported to the Dept. of Health and Human Services from Sept. 23, 2009, to mid-July. The study found that the only type of breach experienced by every industry sector -- and often the biggest cause of a breach -- was theft. Health plans and physician practices were the biggest targets.

The analysis found that 68 of the 108 reported breaches were the result of theft. Of those thefts, 24 were at physician practices and involved a total of 318,478 patient records (link).

Most commonly, laptops and removable devices -- such as disk drives and thumb drives -- were stolen.

"What the HHS data tells us ... is that this specific segment, physician practices, should make laptop/mobile device protection the No. 1 priority from a security perspective, but this should be one item on a list of many," said the study's author, Christopher Hourihan.

Health care organizations and their business associates are required by federal law to report breaches that affect more than 500 people to HHS and the media.

The report cites a 2009 study by the Ponemon Institute that placed the average cost of security breaches at $204 per medical record -- $144 in indirect costs, such as lost business, and $60 in direct costs, such as setting up credit monitoring for victims.

The report found that the cost of a security breach has gotten more expensive each year since 2005, when it was estimated at $138 per record.

In addition to better vigilance when it comes to securing laptops and mobile devices, Hourihan said practices should consider investing in encryption technology. Encryption is considered the safe harbor for data breaches. Encrypted data require no outside notice because the risk of the data being accessed is very low, according to revised rules from the Health Insurance Portability and Accountability Act.

"From a notification and compliance perspective, if these devices were all encrypted, the cost of someone taking a device would be no more than the cost of replacing the device and initial cost of the encryption solution," Hourihan said "However, when you factor in the average cost of notification due to a breach, which is a requirements of HHS, the ROI [return on investment] is in favor of an encryption solution."