Almost 60% of healthcare data breaches reported in February 2017 came from individuals within the affected organizations, according to a March 20, 2017, article in Healthcare Informatics. Insiders accounted for 18 of the 31 breaches reported to the Department of Health and Human Services (HHS) in February. Nine of the incidents involved an error committed by the insider, while eight involved insider wrongdoing (one incident could not be classified). A "troubling factor" in the breaches, the article said, is the often long interval between discovery and reporting to HHS; some incidents are not reported for months or years. The incidents reported in February took an average of 478 days from breach occurrence to notification, the article said, dramatically higher than the average of 174 days reported in January. In slightly more positive news, while the number of breaches reported to HHS in February was the same as in the previous month, the number of patient records affected by the breaches dropped by 47% (from 388,207 to 206,151). Hacking incidents affecting healthcare facilities accounted for 12% of data breaches in February, a figure that is also lower than in previous months.

HRC Recommends: Every healthcare provider covered by the Health Insurance Portability and Accountability Act (HIPAA) (as well as the provider or organization's business associates) must identify the risks and vulnerabilities with regard to the confidentiality, integrity, and availability of its electronic protected health information, determine what controls are effective in meeting each of the HIPAA security rule implementation standards, assess the effectiveness of its current security efforts, prioritize actions, implement an action plan, monitor effectiveness, and make appropriate changes as reasonably necessary. Risk managers must become familiar with the regulatory requirements regarding health information security and develop a collaborative relationship with the entity's corporate compliance and legal, health information management, information technology, and clinical/biomedical engineering departments, as well as with the health information privacy officer and security officer(s) and the human resources and education departments.

Topics and Metadata

Topics

Health Information Privacy; Health Information Technology; Security/Safety; Quality Assurance/Risk Management

Caresetting

Hospital Inpatient; Physician Practice; Skilled-nursing Facility

Roles

Healthcare Executive; Regulator/Policy Maker; Risk Manager; Security Personnel

Information Type

News

Publication History

Published March 29, 2017

Who Should Read This

Administration, Business office/finance, Health information management, HIPAA privacy officer, HIPAA security officer, Information technology, Risk manager, Security
