Device theft poses greatest risk for health data breaches

As physicians prepare to conduct data risk assessments, as required under the Health Insurance Portability and Accountability Act, they may want to take a closer look at their policies and guidelines regarding use of mobile and portable devices.

A recent report by the South Florida accounting firm Kaufman Rossin found that the total number of breach incidents affecting more than 500 people fell from 212 in 2010 to 145 in 2011. But theft, at 52% of all reported cases, continued to be the top threat, the report found. A significant portion of the thefts were of mobile and portable devices such as laptops, smartphones and tablets.

Jorge Rey, director of information security and compliance for Kaufman Rossin and co-author of the report, said the reduction in reported incidents is an indication that health care organizations are doing more to comply with HIPAA security and privacy rules. But the finding that theft was the biggest threat “was concerning, because physical security is usually your easiest area of risk to address,” Rey said.

The intent of the report was to show areas where HIPAA-covered entities, including physician practices, are most vulnerable. They can use the information when they conduct their HIPAA-required risk assessments, and benefit from lessons learned from others, the authors said.

For the report, Rey and his co-author analyzed breaches affecting more than 500 people that were reported to the Dept. of Health and Human Services. As of Dec. 31, 2011, 407 data breach incidents affecting more than 19 million individuals had been reported to HHS.

Part of the analysis looked at the compromised locations, meaning where the data resided when it went missing. The report authors found that laptops, paper and “other” topped the list. “Other” includes mobile devices such as tablets and smartphones.

Theft was the biggest threat to the safety of patients’ health records. For breaches of information on laptops, 95% involved theft; for paper-based breaches, 26% involved theft. And for breaches of “other,” which included mobile devices, 44% involved theft and 42% involved loss. The report authors expect the number of breach cases involving theft and loss to grow as more mobile devices make their way into health care, “because they are more prone to loss and theft.”
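The tabulation described above (breach type overall, breach type within each compromised location, and the share of incidents at business associates) can be reproduced against the HHS breach export. The following is an added example written for this page, not code from the report or from Kaufman Rossin; the column names are assumptions modeled on the HHS portal export and must be checked against the real file, and the records are constructed sample data, not actual breach reports.

```python
"""Tabulate HHS-style breach reports by breach type and compromised location.

Added example: computes the kind of statistics the article describes (share of
theft, type of breach within each location, share at business associates).
Column names are ASSUMED to mirror the HHS export; verify before use.
"""
import csv
import io
from collections import Counter, defaultdict

# Assumed column headers (hypothetical; map them onto the real export).
COL_AFFECTED = "Individuals Affected"
COL_TYPE = "Type of Breach"
COL_LOCATION = "Location of Breached Information"
COL_BA = "Business Associate Present"

# Constructed sample export, NOT real HHS data. One row (300 affected) falls
# under the reporting threshold and is excluded from the counts.
SAMPLE_CSV = """Individuals Affected,Type of Breach,Location of Breached Information,Business Associate Present
2000,Theft,Laptop,No
900,Theft,Laptop,No
5000,Theft,Laptop,Yes
700,Loss,Laptop,No
600,Theft,Paper,No
800,Unauthorized Access,Paper,No
1500,Theft,Other,Yes
650,Loss,Other,No
3000,Hacking/IT Incident,Other,No
300,Theft,Laptop,No
"""


def load_breaches(text):
    """Parse a CSV export into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "affected": int(row[COL_AFFECTED]),
            "type": row[COL_TYPE].strip(),
            "location": row[COL_LOCATION].strip(),
            "business_associate": row[COL_BA].strip().lower() == "yes",
        })
    return rows


def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when there is nothing to divide by."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def summarize(records, min_affected=500):
    """Aggregate reports at or above the threshold the way the article's analysis does."""
    kept = [r for r in records if r["affected"] >= min_affected]
    n = len(kept)
    by_type = Counter(r["type"] for r in kept)
    by_location = Counter(r["location"] for r in kept)
    within = defaultdict(Counter)  # location -> breach type -> count
    for r in kept:
        within[r["location"]][r["type"]] += 1
    return {
        "incidents": n,
        "individuals": sum(r["affected"] for r in kept),
        "by_type": {t: pct(c, n) for t, c in by_type.items()},
        "by_location": {loc: pct(c, n) for loc, c in by_location.items()},
        "type_within_location": {
            loc: {t: pct(c, sum(cnt.values())) for t, c in cnt.items()}
            for loc, cnt in within.items()
        },
        "business_associate_share": pct(sum(r["business_associate"] for r in kept), n),
    }


def portable_theft_loss_share(records, portable=("Laptop", "Other"), min_affected=500):
    """Share of counted incidents that are theft or loss of a portable-device location.

    'Other' is treated as portable because the report folds tablets and phones
    into it; narrow the tuple if your export breaks those out separately.
    """
    kept = [r for r in records if r["affected"] >= min_affected]
    hits = sum(1 for r in kept
               if r["location"] in portable and r["type"] in ("Theft", "Loss"))
    return pct(hits, len(kept))


if __name__ == "__main__":
    data = load_breaches(SAMPLE_CSV)
    stats = summarize(data)
    print("Incidents counted:", stats["incidents"])
    print("Breach type overall:", stats["by_type"])
    for loc, types in stats["type_within_location"].items():
        print(f"  {loc}: {types}")
    print("Business associate share:", stats["business_associate_share"])
    print("Portable theft/loss share:", portable_theft_loss_share(data))
```

The threshold is a parameter because the article says "more than 500" while the federal reporting rule is 500 or more; pick the one that matches the question you are asking of the data, and expect the location labels in a real export to need normalization before they group cleanly.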

In its 2011 annual report to Congress on breaches that occurred in 2009 and 2010, HHS also acknowledged that theft was a big threat. It recommended that HIPAA-covered entities improve physical security of devices. It also recommended training and retraining employees, and imposing sanctions against those who violate policies and procedures, “primarily in response to serious employee errors, removing protected health information from the facility against policy, and unauthorized access.”

Third-party breaches
Another important finding, Rey said, is that not enough attention is paid to business associate agreements during a risk analysis.

The report found that one in five breaches occurred at a business associate, which is a person or organization that handles health information on behalf of a so-called covered entity — a physician practice or organization providing care. An EHR vendor is an example of a business associate. “At the end of the day, the covered entity has the responsibility for this data, so when they give the [personal health information] to the vendor, the covered entity continues to be responsible for that data as if it was themselves. And that’s the piece I don’t think a lot of covered entities have really understood or made the connection with,” Rey said.

Risk assessment needs to go beyond a physician practice simply asking their vendors if they are HIPAA compliant, Rey said. Vendors will say yes, “but what does that mean?” he asked.

Many practices think they are HIPAA compliant when they are compliant with only the privacy piece, such as getting patients to sign privacy disclaimers and giving copies of their policies to patients, Rey said. They miss the other part of HIPAA that covers security, and the breach notification requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act, he said.

Physician practices should be asking their business associates to show them their own internal risk assessment reports. And if they can’t provide them, “that should raise some concerns,” Rey said.


Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.