Device theft poses greatest risk for health data breaches

A new report finds that information stored on laptops, smartphones and tablets is the most vulnerable to disappearing.

By — Posted Sept. 18, 2012

Print  |   Email  |   Respond  |   Reprints  |   Like Facebook  |   Share Twitter  |   Tweet Linkedin

As physicians prepare to conduct data risk assessments, as required under the Health Insurance Portability and Accountability Act, they may want to take a closer look at their policies and guidelines regarding use of mobile and portable devices.

A recent report by the South Florida accounting firm Kaufman Rossin & Co. found that the total number of breach incidents affecting more than 500 people fell from 212 in 2010 to 145 in 2011. But theft, at 52% of all reported cases, continued to be the top threat, the report found. A significant portion of the thefts were of mobile and portable devices such as laptops, smartphones and tablets (link).

Jorge Rey, director of information security and compliance for Kaufman Rossin and co-author of the report, said the reduction in reported incidents is an indication that health care organizations are doing more to comply with HIPAA security and privacy rules. But the finding that theft was the biggest threat “was concerning, because physical security is usually your easiest area of risk to address,” Rey said.

The intent of the report was to show areas where HIPAA-covered entities, including physician practices, are most vulnerable. They can use the information when they conduct their HIPAA-required risk assessments, and benefit from lessons learned from others, the authors said.

For the report, Rey and his co-author analyzed breaches affecting more than 500 people that were reported to the Dept. of Health and Human Services. As of Dec. 31, 2011, there have been 407 data breach incidents affecting more than 19 million individuals reported to HHS.

Part of the analysis looked at the compromised locations where data went missing. The report authors found that laptops, paper and “other” top the list. “Other” includes mobile devices such as tablets and smartphones.

Theft was the biggest threat to the safety of patients’ health records. For breaches of information on laptops, 95% involved theft; for paper-based breaches, 26% involved theft. And for breaches of “other,” which included mobile devices, 44% involved theft and 42% involved loss. The report authors expect the number of breach cases involving theft and loss to grow as more mobile devices make their way into health care, “because they are more prone to loss and theft.”

In its 2011 annual report to Congress on breaches that occurred in 2009 and 2010, HHS also acknowledged that theft was a big threat. It recommended that HIPAA-covered entities improve physical security of devices. It also recommended training and retraining employees, and imposing sanctions against those who violate policies and procedures, “primarily in response to serious employee errors, removing protected health information from the facility against policy, and unauthorized access.”

Third-party breaches

Another important finding, Rey said, is that not enough attention is paid to business associate agreements during a risk analysis.

The report found that one in five breaches occurred at a business associate, which is a person or organization that handles health information given over a so-called covered entity — a physician practice or organization providing care. An EHR vendor is an example of a business associate. “At the end of the day, the covered entity has the responsibility for this data, so when they give the [personal health information] to the vendor, the covered entity continues to be responsible for that data as if it was themselves. And that’s the piece I don’t think a lot of covered entities have really understood or made the connection with,” Rey said.

Risk assessment needs to go beyond a physician practice simply asking their vendors if they are HIPAA compliant, Rey said. Vendors will say yes, “but what does that mean?” he asked.

Many practices think they are HIPAA compliant when they are compliant with only the privacy piece, such as getting patients to sign privacy disclaimers and giving copies of their policies to patients, Rey said. They miss the other part of HIPAA that covers security and the rules of Health Information Technology for Economic and Clinical Health Act on breach notification requirements, he said.

Physician practices should be asking their business associates to show them their own internal risk assessment reports. And if they can’t provide them, “that should raise some concerns,” Rey said.

Back to top



Read story

Confronting bias against obese patients

Medical educators are starting to raise awareness about how weight-related stigma can impair patient-physician communication and the treatment of obesity. Read story

Read story


American Medical News is ceasing publication after 55 years of serving physicians by keeping them informed of their rapidly changing profession. Read story

Read story

Policing medical practice employees after work

Doctors can try to regulate staff actions outside the office, but they must watch what they try to stamp out and how they do it. Read story

Read story

Diabetes prevention: Set on a course for lifestyle change

The YMCA's evidence-based program is helping prediabetic patients eat right, get active and lose weight. Read story

Read story

Medicaid's muddled preventive care picture

The health system reform law promises no-cost coverage of a lengthy list of screenings and other prevention services, but some beneficiaries still might miss out. Read story

Read story

How to get tax breaks for your medical practice

Federal, state and local governments offer doctors incentives because practices are recognized as economic engines. But physicians must know how and where to find them. Read story

Read story

Advance pay ACOs: A down payment on Medicare's future

Accountable care organizations that pay doctors up-front bring practice improvements, but it's unclear yet if program actuaries will see a return on investment. Read story

Read story

Physician liability: Your team, your legal risk

When health care team members drop the ball, it's often doctors who end up in court. How can physicians improve such care and avoid risks? Read story

  • Stay informed
  • Twitter
  • Facebook
  • RSS
  • LinkedIn