Tripathi decided to use the incident as an educational experience for others, as a lengthy post on the HIStalk Practice blog and subsequent interview with The New York Times suggest. "This kind of detail just doesn't get out there," he says.
It should. A recent analysis of healthcare data breaches by the Health Information Trust Alliance (HITRUST) finds that incidents such as the MAeHC breach, involving lost or stolen and unencrypted laptops, remain all too common in the healthcare industry despite new rules that dramatically increase fines for data breaches.
All told, theft and loss account for 66% of the breaches of 500 or more patient records, and 82 of the total records lost, that have occurred since September 2009, the HITRUST report notes. Small physician practices, which make up the vast majority of healthcare organizations in the United States, are particularly vulnerable, the report says: "This industry segment is struggling and requires significant assistance due to a lack of available expertise and resources."
In an interview, Christopher Hourihan, principal research analyst with HITRUST, says small practices should focus on the basics, including training, encryption, firewalls and antivirus software, the same technology that savvy users have on their home networks. "Don't try to do anything all at once," he says. "Focus on the critical areas first and expand the program that way."
Speaking at the Privacy Security Forum, Leon Rodriguez, director of the Office for Civil Rights, agrees that encryption technology is key to avoiding breaches. (Under 2009's HITECH Act, the loss of encrypted PHI, or of encrypted hardware that contains PHI, is not considered a data breach.) Training matters, too, he adds, as there is always "some human frailty" to a data breach that's unrelated to technological vulnerabilities.
HIPAA Business Associates, Hackers Need an Organization's Careful Attention