MDNews - Minnesota

December 2014

Issue link: http://viewer.e-digitaledition.com/i/423395


was the No. 1 cause of smaller breaches both years. Healthcare entities that were victims of breaches affecting at least 500 people reported taking a variety of corrective steps, including revising electronic and physical security protocols, encrypting electronic records, conducting risk analyses, training or retraining employees, and strengthening security provisions in vendor contracts.

OCR investigated all large breaches and certain small ones. As of the end of 2013, seven organizations had instituted plans to prevent future breaches and made payments to OCR ranging from $50,000 to $1.7 million as part of agreements to resolve the investigations.

Protecting Your Organization

To prevent a breach at your hospital or practice, experts say, you must first perform a risk analysis to identify your organization's areas of vulnerability.

"You need to inventory your assets; identify and assess the people, processes and technology controls you have in place; and use a stoplight system to categorize areas as green [low-risk], yellow [moderate-risk] and red [high-risk]," says Ricky Link, CISA, CISSP, QSA, Managing Director of the Southwest Region for Coalfire Systems, Inc., a Colorado-based IT governance, risk and compliance firm. "Next, develop a project plan, secure funding for it, and then work to address high-risk problems first. If organizations follow that process, they'll take care of 80 percent of the issues reported in the OCR breach report."

When it comes to identifying and understanding your company's areas of risk for breach, picture a target, Link recommends. The bull's-eye is your organization's most sensitive data.

"The next ring out is the application layer, where users are inserting, updating and deleting data that resides in the bull's-eye," he says. "The application is connected to the database — the next layer. Then you have an operating system, which resides in a network; the network, in turn, is in a computer data facility. Each of those layers is important and requires specific controls to manage it."

Encrypting your data and training your employees in HIPAA compliance are two of the most effective breach prevention strategies, according to Jeremy Henley, CHPC, Director of Breach Services for ID Experts, an Oregon-based data privacy, security and breach response company.

"Those two things aren't terribly expensive, but they get put on the back burner; both will help you cut risk significantly," Henley says. "A lesson that emerged from the OCR report is that if your organization isn't breached and subsequently investigated, OCR might still investigate your company at random [perform an audit]. You need to document that you're performing assessments, creating policies and implementing the technology your policies say you have."

In addition, do not forget to require your business associates to take securing PHI as seriously as you do.

"I think the next OCR report will probably focus on issues related to business associates …," Henley says. "A lot of healthcare organizations have started to implement risk assessments, security policies, employee training and mobile device encryption; what they haven't been able to do yet is ensure their business associates do the same things." ■

INTO THE BREACH

Here are some key findings from the U.S. Department of Health and Human Services Office for Civil Rights' (OCR) 2014 "Annual Report to Congress on Breaches of Unsecured Protected Health Information," covering the years 2011 and 2012:

+ In 2011, healthcare provider breaches accounted for 150 of the 236 breaches affecting 500 or more individuals. However, breaches of business associates accounted for a majority — 64 percent — of the individuals affected by large breaches that year. A majority of unsecured protected health information (PHI) in large breaches in 2011 was stored on paper.

+ Healthcare providers reported 150 breaches affecting at least 500 individuals each in 2012 — 68 percent of the total 222 breaches. Business associates reported 55 large breaches that year. The top entity for large breaches in 2012 in terms of individuals affected was healthcare providers at 49 percent; business associates were a close second at 42 percent. Twenty-seven percent of compromised PHI in large breaches that year originated from laptop computers, which surpassed all other storage locations for breaches.

+ Loss of backup tapes by a business associate led to the largest breach in 2011, which affected approximately 4.9 million people. The largest breach in 2012 occurred when hackers attacked an organization's unencrypted network server and gained access to approximately 780,000 individuals' PHI.

MDNEWS.COM ■ MD NEWS Minnesota | 13
