The Primary Threats to Data Breaches of Protected Healthcare Information (PHI)

Although the Health Insurance Portability and Accountability Act (HIPAA) has been in force since 1996, data breaches continue to occur in the healthcare industry. According to the web site of, there were 1,083 breaches of unsecured protected health information affecting 500 or more individuals from July 2009 to July 2014. The number of individuals affected by those breaches exceeded 33 million in that time frame.

Redspin’s 2013 Breach Report shows that theft was the largest cause of Protected Healthcare Information (PHI) related breaches by an overwhelming margin. Stolen devices made up over 45% of incidents reported and impacted 83.2% of the patient records that were breached, as shown below.

Cause of Breach        | # of breaches | % of total breaches | # of records | % of total records
-----------------------|---------------|---------------------|--------------|-------------------
Unauthorized Access    | 44            | 22.1%               | 313,353      | 4.4%
Improper Disposal      | 8             | 4.0%                | 288,167      | 4.1%
Hacking IT Incidents   | 12            | 6.0%                | 118,394      | 1.7%

(source: Breach Report 2013: Protected Health Information (PHI),

In Ponemon Institute’s Fourth Annual Benchmark Study on Patient Privacy & Data Security in 2014, 49% of respondents named lost or stolen computing devices as the largest cause of PHI breaches in 2014. Respondents were allowed to make more than one choice; the other categories were as follows: unintentional employee action (46%), third-party snafu (41%), criminal attack (40%), technical systems glitch (32%), malicious insider (12%), and intentional non-malicious employee action (8%).

As shown by the two studies, lost or stolen computing devices are the biggest threat to PHI. The situation is made worse by the widespread acceptance of personal mobile devices such as laptops, tablets, and smartphones for work use. Employees can also freely access confidential data in cloud storage systems over the internet. While this may be more convenient and save on the cost of devices, it also means that a great deal of confidential data is now pulled from the cloud onto personal mobile devices or laptops and carried around with them.

Even though employees are allowed a lot of freedom in using confidential data on many different platforms, many believe that employees are themselves one of the largest data security risks. According to the SANS October 2013 Inaugural Health Care Survey, 65% of respondents identified the risk posed by negligent insiders as their biggest concern, and 39% of them ranked mobile devices and media as their fourth biggest concern. Though this result looks different from the previous two surveys, it is apparent that mobile devices, together with negligent workers, could be the biggest threat to data security.

These studies show that the device, the user, and the data should each be carefully managed and protected in order to prevent a breach. Technology such as encryption, regulation of user access rights, and device management can significantly reduce data breaches and allow for a safer environment. For full protection, the right technology and regulations must be implemented, and data should be protected throughout its entire life cycle so that it is safeguarded at every stage of its existence.


The Three Safeguards of the HIPAA Security Rule Summarized

The electronic age has taken over healthcare. Patient information once viewed on clipboards and in manila folders is now viewed on a screen, partly thanks to the American Recovery and Reinvestment Act of 2009 (ARRA), specifically the Health Information Technology for Economic and Clinical Health Act (HITECH), which pushed for the conversion of patient health information (PHI) to electronic records by this year (2014).
Unfortunately, the accelerated transition to digital technology brought with it concerns about protecting electronic patient health information (ePHI). To mitigate the data security risks associated with ePHI, the Health Insurance Portability and Accountability Act (HIPAA) enforces a set of compliance rules and regulations for healthcare providers. Yet, despite these regulations, healthcare providers are having trouble preventing HIPAA violations, which can affect the overall quality of patient care.
Read: HIPAA explained by U.S. Department of Health & Human Services

Security Rule and the Privacy Rule
HIPAA compliance is built on two main rules: the Security Rule and the Privacy Rule. The two rules go hand in hand in protecting PHI but have distinct differences. The Privacy Rule focuses on the individual’s rights over their personal information and covers the confidentiality of PHI, whereas the Security Rule is focused on three separate safeguards for protecting ePHI and is based on the fundamental concepts of flexibility, scalability, and technology neutrality. So, in light of advancing medical technology, and in order to establish a secure environment for healthcare providers handling ePHI, the Security Rule regulates data protection procedures through administrative, physical, and technical safeguards.
Read: More information on the Security Rule
Read: More information on the Privacy Rule

The Three Safeguards of the Security Rule

Administrative Safeguards
“…administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronically protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
The Administrative safeguards make up over half of the HIPAA Security requirements and are focused on the execution of security practices for protecting ePHI. They implement policies that aim to prevent, detect, contain, and correct security violations, and can be seen as the groundwork of the HIPAA Security Rule. By laying a solid foundation for security management processes, assignment of responsibility, enforcement of workforce security, information access, training, and plans and protocols for the event that a breach does occur, the covered entity can be better prepared, reducing the impact of breaches or preventing them altogether.
Read: Administrative Safeguards for HIPAA from HHS

Physical Safeguards
“…physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
Physical safeguards are the implementation standards governing physical access to information systems, equipment, and facilities, including access to such systems from outside the actual building, such as a physician’s home. The Physical safeguards cover facility access to information systems and equipment, workstation use and security, and management of media devices that may contain ePHI. They are designed to work with the Administrative and Technical safeguards so that the covered entity can put specific procedures in place to protect electronic information systems, building facilities, and equipment.
Read: Physical Safeguards for HIPAA from HHS

Technical Safeguards
“…the technology and the policy and procedures for its use that protect electronically protected health information and control access to it.” One of the fundamental concepts of the HIPAA Security Rule is technology neutrality, meaning that no specific technologies must be adopted. It is up to the covered entity to adopt security technology that is reasonable and appropriate for its specific situation. The Technical safeguards cover access control, audit controls, maintenance of information integrity, entity authentication, and security during transmission of ePHI. They apply to all ePHI and exist to protect and control access to ePHI while allowing covered entities the flexibility to select the technology best suited to their situation, since healthcare providers come in all shapes and sizes.
Read: Technical Safeguards for HIPAA from HHS

The Double-edged Sword
The HIPAA Security Rule exists to protect patient information from the inherent security risks of the digital world. New technology may improve efficiency and lead to better care for patients, but it is a double-edged sword. Though HIPAA was put in place to protect patient information and create a solid foundation for a secure environment, the regulations are often difficult to follow, which can end up costing the covered entity. The covered entity must seek help in becoming HIPAA compliant and limiting breaches by assessing its own security needs, obtaining security consultation, and finding appropriate technology.
