California Attorney General Kamala D. Harris released a report last year on the state's data breaches that occurred in 2013. The Data Breach Report sheds light on California's growing problem of cybersecurity in the healthcare industry. According to Harris, the majority of healthcare disclosures were caused by stolen hardware or devices, attesting to the need for greater security amongst doctors, physicians, dentists, chiropractors and other covered entities under the Health Insurance Portability and Accountability Act (HIPAA).
As noted in the report, California is ranked as the world's eighth largest economy, with more than 38 million consumers within its territorial boundaries. This creates a unique challenge regarding the security of data and Protected Health Information, as massive amounts of data travel through government and public systems on a daily basis. Furthermore, it's believed that the total number of reported breaches in California increased by 28% from 2012 to 2013.
One of the most interesting points of the report involves data breaches in California's healthcare sector. According to the report, a whopping 70% of all data breaches in the healthcare industry were caused by or attributed to stolen or lost hardware containing unencrypted PHI. This may consist of old laptops, hard drives, USB flash drives, CDs, DVDs, etc.
“In the health care sector, breaches affected more records than in other industry sectors, with the exception of retail since the two mega breaches of 2013. Many of the health care breaches reported to us are of a type that could be prevented by the strategic use of encryption. Unlike other industry sectors, where computer intrusions caused the majority of breaches, in health care 70 percent of breaches reported in the past two years were the result of stolen or lost hardware or digital media containing unencrypted personal information,” wrote the report.
So, what should healthcare workers do to protect their PHI from being stolen or lost? HIPAA outlines several key elements in its Security Rule which pertain to the security of patient records containing personally identifiable information. Amongst other things, healthcare workers should get into the habit of properly disposing of hardware containing PHI. If a computer or hard drive is no longer being used, it should be wiped clean by a professional IT technician. Also, covered entities should consider the use of encryption. While it's not necessarily required in all cases, encryption can make a world of difference in preventing data breaches.