As the calendar year turned there were several great posts highlighting lessons learned in 2016 from notable HIPAA breaches and enforcement actions.  It’s also useful to climb up out of the trees and view the forest.  The HHS Office for Civil Rights publishes information each year on reported HIPAA security breaches affecting 500 or more persons, and this database offers a unique, multi-year dataset on such breaches of protected health information.

Here’s a forest-altitude look at significant HIPAA breaches suffered by healthcare providers (setting aside health plans and clearinghouses), looking for key trends emerging during the five years from 2012 to 2016.

Trend #1: Provider breaches are on the rise, both in frequency and number of affected persons.

Annual totals of provider breaches rose steadily over the last five years, from 147 in 2012 to 248 in 2016, roughly 170% of the 2012 figure.  And the number of persons affected by provider breaches increased more than eightfold, from 1.4 million in 2012 to over 12 million last year.

Trend #2: Provider breach types are shifting, with device loss/theft down, unauthorized access up, and hacking way, way up.

The last five years reveal clear movement in the prevalence of different breach types.  Improper PHI disposal by providers remained essentially level from 2012 to 2016, in single-digit percentages for both share of breaches and share of persons affected (other than an anomalous 2014 provider incident involving the loss of over 28 thousand patient records).

Loss of laptops and other devices dropped in the annual mix of breach types, from 10% of provider breaches in 2012 to 5% in 2016.  And theft fell steadily and significantly, from 66% of the 2014 provider breaches (57% of affected persons) down to only 19% for 2016 (7% of affected persons).  Why the decrease?  Reasons likely include better organizational control over devices and PHI generally, increased workforce security awareness, and more widespread use of device encryption.

But other provider breach types trended relentlessly upward.  Unauthorized access/disclosure grew from 15% of provider breaches in 2012 to 36% in 2016.  And that pales in comparison with hacking, which rose from 10% of the 2012 provider breaches to 38% in 2016.  Because of the heavy PHI-load of hacked systems and servers, the persons affected by hacking skyrocketed from 8% for the 2012 provider breaches to 78% in 2016 – more than three-quarters of the 12 million+ individuals whose PHI was compromised in the 2016 provider breaches.

Trend #3: The location of providers’ compromised PHI has also shifted, with devices down, EMR up, and email and servers way, way up.

The locations of breached PHI for providers similarly shifted over the last five years.  Breaches of PHI in desktop computers stayed essentially flat, with percentages fluctuating in the low teens for both total breaches and persons affected, as did breaches of hardcopy records (paper or film), with percentages hovering in the low twenties for total breaches and persons affected.

Mirroring the downward trend for loss and theft as provider breach types, laptops as the location of compromised PHI dropped from 25% in 2012 (29% of affected persons) to 8% in 2016 (6% of affected persons).  And other devices as the location of breached data followed suit, plunging from 15% of the 2012 breaches (10% of affected persons) to 7% in 2016 (less than 1% of affected persons).

Yet, consistent with the five-year shift in breach types, network system ePHI is increasingly in the bull’s-eye.  Electronic medical record systems as the location of compromised PHI rose from 5% of the 2012 provider breaches to 14% in 2016.  Email surged from 3% of the 2012 provider breaches to 15% in 2016.  And servers became ground zero in provider breaches, growing from 14% of the 2012 breaches (12% of affected persons) to 31% last year (76% of affected persons).
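The percentages in Trends #2 and #3 are two aggregations over the same OCR breach portal export: for each year, the share of provider breaches and the share of affected persons falling under each breach type, and again under each breached-PHI location.  The following script is an added example (not part of the original post, and not an HHS tool) that reproduces that analysis over a handful of constructed rows.  It assumes the column names of the portal's CSV export ("Covered Entity Type", "Individuals Affected", "Breach Submission Date", "Type of Breach", "Location of Breached Information") and assumes that a cell listing several types or locations separates them with commas, in which case the incident and its affected count are attributed to each listed category (so shares can sum to more than 100%).

```python
"""Forest-level HIPAA breach trend analysis over an OCR-portal-style CSV export.

Added example, not the original post's code.  Column names are assumed to
follow the HHS OCR breach portal export; the rows below are constructed
sample data, not real reported breaches.
"""
import csv
import io
from collections import defaultdict

# Constructed sample rows (not real OCR records).  Dates are MM/DD/YYYY as
# in the portal export; multi-valued cells are comma-separated (assumption).
SAMPLE_CSV = """Name of Covered Entity,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Clinic A,Healthcare Provider,2000,03/01/2012,Theft,Laptop
Example Clinic B,Healthcare Provider,500,06/15/2012,Theft,Other Portable Electronic Device
Example Hospital C,Healthcare Provider,1500,09/30/2012,Hacking/IT Incident,Network Server
Example Plan D,Health Plan,90000,11/02/2012,Hacking/IT Incident,Network Server
Example Clinic E,Healthcare Provider,700,02/10/2016,Unauthorized Access/Disclosure,Email
Example Hospital F,Healthcare Provider,50000,05/20/2016,Hacking/IT Incident,Network Server
Example Hospital G,Healthcare Provider,3000,08/08/2016,"Hacking/IT Incident, Unauthorized Access/Disclosure","Email, Network Server"
Example Clinic H,Healthcare Provider,600,12/01/2016,Theft,Laptop
"""


def load_records(csv_text):
    """Parse the CSV export into a list of dict rows (quoted commas are handled)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def provider_breaches(records):
    """Keep only healthcare providers, setting aside plans and clearinghouses."""
    return [r for r in records if r["Covered Entity Type"] == "Healthcare Provider"]


def year_of(record):
    """Year of the breach submission date (MM/DD/YYYY)."""
    return int(record["Breach Submission Date"].split("/")[-1])


def split_multi(value):
    """Split a comma-separated multi-valued cell into its categories."""
    return [v.strip() for v in value.split(",") if v.strip()]


def yearly_totals(records):
    """Return {year: (breach_count, persons_affected)} for the headline trend."""
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        y = year_of(r)
        totals[y][0] += 1
        totals[y][1] += int(r["Individuals Affected"] or 0)
    return {y: tuple(v) for y, v in totals.items()}


def shares_by_year(records, column):
    """Return {year: {category: (pct_of_breaches, pct_of_persons)}} for a column.

    A breach listing several categories counts once under each of them.
    """
    counts = defaultdict(lambda: defaultdict(int))
    persons = defaultdict(lambda: defaultdict(int))
    year_counts = defaultdict(int)
    year_persons = defaultdict(int)
    for r in records:
        y = year_of(r)
        n = int(r["Individuals Affected"] or 0)
        year_counts[y] += 1
        year_persons[y] += n
        for cat in split_multi(r[column]):
            counts[y][cat] += 1
            persons[y][cat] += n
    return {
        y: {
            cat: (round(100 * counts[y][cat] / year_counts[y], 1),
                  round(100 * persons[y][cat] / year_persons[y], 1))
            for cat in counts[y]
        }
        for y in year_counts
    }


if __name__ == "__main__":
    recs = provider_breaches(load_records(SAMPLE_CSV))
    for y, (n, p) in sorted(yearly_totals(recs).items()):
        print(f"{y}: {n} provider breaches, {p} persons affected")
    for column in ("Type of Breach", "Location of Breached Information"):
        print(f"\n{column}: % of breaches / % of affected persons")
        for y, cats in sorted(shares_by_year(recs, column).items()):
            for cat, (pb, pp) in sorted(cats.items()):
                print(f"  {y}  {cat:<40} {pb:5.1f} / {pp:5.1f}")
```

Pointing `load_records` at the real portal export instead of `SAMPLE_CSV` gives the multi-year view the post describes; the two percentages per category are what separate a breach type that is common (share of breaches) from one that is costly (share of affected persons), which is the distinction behind the hacking and server figures above.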

Takeaways

The war of HIPAA security is largely fought by health care providers at tree-level.  But a five-year forest-level view is instructive:

  1. Now is not the time for complacency – HIPAA breaches are on the rise, and the attack vectors and targeted locations are evolving.
  2. Laptop and portable device safeguards remain crucial – though loss and theft have clearly declined in comparison to other breach types, it’s also fair to say that their numbers for breach incidents and persons affected have simply been overwhelmed by increases in hacking.  The fundamentals of effective device policies and controls may be old-school, but they remain important.
  3. The new battleground is hacking, both technological intrusions and also phishing and other social engineering.  The five-year breach trends call for new-school provider priorities to safeguard EMR systems, messaging, and network storage.