Health care organizations in California have filed over 800 reports of breaches this year since new law came into the effect, according to a report in the Journal of the American Health Information Management Association (AHIMA).
Senate Bill 541 and Assembly Bill 211, which passed last year, require health care organizations to begin reporting any unauthorized access to records to the California Department of Public Health (CDPH).
The resulting notifications quickly overwhelmed regulators, according to the AHIMA report.
“CDPH received 823 breach incident reports from January 1 to May 31, the latest numbers available. Of those cases, 122 have received a full investigation, with 116 confirmed as breaches. There were 232 cases that had ongoing investigations, and 469 reported breaches were pending an investigation,” according to AHIMA.
One factor causing an unexpected volume of breach reports is that the new laws have changed the definition of a breach to include any inappropriate data access.
“The types of reported breaches vary from unintentional breaches, such as faxing a patient’s chart to the wrong Dr. Jones, to facility employees purposefully snooping in a patient’s record,” AHIMA reported.
But the threat cannot be discounted even if some incidents are without malice.
“A lot of attacks we see in future will be based on an insider within an organization having access to information versus a sophisticated attack from outside in,” Bill Mann, senior vice president of CA’s security management unit, told InternetNews.com.
They need not be upper management in order to do damage. In June, the FBI arrested a man who had been working as a security guard at the Carrell Clinic in Texas and charged him with accessing confidential patient information.
Vulnerabilities exist because health care institutions are not defending against the insider threat, according to Mann.
Medical ID theft is especially prevalent, according to David Ting, CTO and founder of enterprise access management provider Imprivata.
“When the federal government last researched the issue in 2007, more than 250,000 Americans reported that they were victims of medical identity theft,” Ting said in a blog post. “Since that last report, most experts agree the problem has undoubtedly grown, in part because of the growing use of electronic medical records built without extensive safeguards.”
“To exacerbate the situation, cleaning up after medical ID theft can be hindered by [HIPAA
Such theft can impact a victim’s credit rating, finances and even their health, according to Ting.
“More important than the financial impact is the potential impact on the health care or treatment a victim receives,” he added. “Once a medical ID is stolen and used to receive treatment, the medical records can now contain erroneous medical history information. This can lead to a fatal mistake in an emergency care situation.”
Poor security practices
For observers, California’s deluge of breach reports also signifies another core problem with many large enterprises.
“What we see as a vendor in this space is that people tend to worry about the bells and whistles but they don’t worry about the core aspects of security, especially with regard to data,” CA’s (NASDAQ: CA) Mann said.
He explained that organizations know they need to have a firewall but often lack a system for monitoring access to data. “They don’t monitor the people who log on to machines,” he said.
This problem is exacerbated when long term employees accumulate access credentials as they progress in their career through various job functions. “We provide security products that … ensure that people are doing what they’re supposed to do,” Mann said.
CDPH spokespeople were not available for comment by press time.