Breach Report 2012
Protected Health Information

February 2013

© Redspin, Inc.                                  Page 1
Table of Contents

Executive Summary ............................................ p.3
By the Numbers ............................................... p.4
Discussion of Results ........................................ p.5
Conclusion and Recommendations ............................... p.12

Appendix:

HIPAA Omnibus Rule Highlights ................................ p.16

Figures and Tables:

Table 1   Top 5 PHI Breaches, 2012                                                              p.5
Table 2   Total Large PHI Breaches, Records Impacted, 2010-2012                                 p.7
Table 3   Total Large PHI Breaches/Records Impacted Involving Business Associates, 2010-12      p.9
Table 4   PHI Data Breach By Source/Device                                                      p.11




Executive Summary

A total of 538 large breaches of protected health information (PHI) affecting over
21.4 million patient records[1] have been reported to the Secretary of Health and
Human Services (HHS) since the August 2009 interim final breach notification rule
was issued as a part of the Health Information Technology for Economic and Clinical
Health (HITECH) Act.

To prepare for our 3rd annual Breach Report / Protected Health Information, we spent
weeks reviewing the complete statistical data set of breaches reported to HHS since
2009. Based on our analysis, we’ve prepared an objective assessment of the overall
effectiveness of the policies and controls that have been put in place to safeguard
protected health information. By identifying significant trends and drawing attention to
specific areas in need of improvement, we hope to help the healthcare industry improve
its ability to protect patient information. That is our goal. To that end, we’ve included
Redspin’s recommendations for preventive measures and corrective action to address
the most critical weaknesses.




[1] These numbers include breaches that affected >500 individuals and were reported to HHS
from August 2009 to January 17, 2013. Those that impacted fewer than 500 individuals are also
reported to HHS on an annual basis, but the specifics are not made publicly available.



By the Numbers


538          breaches of protected health information (PHI)

21,408,505   patient health records affected

21.5%        increase in # of large breaches in 2012 over 2011
             but… a 77% decrease in # of patient records impacted

67%          of all breaches have been the result of theft or loss

57%          of all patient records breached involved a business associate

5X           historically, breaches at business associates have impacted
             5 times as many patient records as those at a covered entity

38%          of incidents were the result of an unencrypted laptop or other
             portable electronic device

63.9%        of total records breached in 2012 resulted from the 5 largest
             incidents

780,000      records breached in the single largest incident of 2012




Discussion of Results

In recent years, IT security has risen to the level of enterprise risk in many industries.
Data breaches can cause significant financial harm, reputational damage, and loss of
consumer confidence. In healthcare, that risk is not limited to an individual hospital or
business associate. It is an industry-wide threat to the continued adoption of electronic
health records – the foundation for improving cost efficiency, care delivery, and patient
outcomes within the U.S. healthcare industry.

Quite a Handful. 146 breaches of protected health information affecting 2,413,397
individuals were reported to HHS in 2012. The top 5 incidents were particularly
egregious, contributing nearly two-thirds of the total number of patient records exposed
during the entire year. In striking contrast to previous years, there was little similarity
in the root causes among this year’s “top 5” breaches. From a malicious hack, to lost
back-up disks, to an email containing hundreds of thousands of patient records, these
incidents highlight the breadth and complexity of the IT security challenge facing
healthcare providers today.

Table 1: Top 5 PHI Breaches, 2012

Covered Entity                                           Individuals   Type of Breach                    Location of Breached
                                                         Affected                                        Information
Utah Department of Health                                    780,000   Hacking/IT Incident               Network Server
Emory Healthcare                                             315,000   Unknown                           Backup Disks
South Carolina Department of Health and Human Services       228,435   Unauthorized Access/Disclosure    Email
Alere Home Monitoring, Inc.                                  116,506   Theft                             Laptop
Memorial Healthcare System                                   102,153   Theft                             Electronic Medical Record




The hacking incident at the Utah Department of Health is of particular concern. Given
the richness of the personal data that PHI contains, hackers are often mentioned as a
potential threat to PHI. Yet, from 2009 to date, hacking has contributed to roughly 6%
of data breaches, both in number of incidents and number of individuals affected. Many
people have been surprised at this low incident rate, perhaps to the point of
complacency. Others speculate that a significant number of smaller “hacks” have gone
undetected. But the magnitude of the Eastern European-based attack on the State of
Utah should end any complacency. The hackers exposed claims data for 780,000
Medicaid and Children’s Health Plan recipients. As a result, the State IT Director was
fired. Recently, a new Utah Senate bill was put forth requiring that its Department of IT
Services assemble a team of experts to ensure that security “best practices” are
followed. The proposed law also includes a requirement for an audit of the department
every two years.

In Redspin’s opinion, hacker attacks are likely to increase in frequency over the next
few years. Personal health records are high value targets for cybercriminals as they can
be exploited for identity theft, insurance fraud, stolen prescriptions, and dangerous
hoaxes. We expect that the low incidence rate of hacking during the past few years was
the calm before the storm. It is crucial for healthcare providers to “up their game” when
it comes to security defenses. The proposed Utah state law cites best practices but is
short on specifics. We’d recommend every health provider conduct an annual IT
security risk analysis and implement even more frequent penetration testing and
vulnerability assessments.

Some Signs of Improvement. In 2012, the incidents of large PHI breaches increased
by nearly 21%. However, it’s not all bad news. The corresponding total number of
patient records impacted dropped dramatically – a whopping 77% decrease year over
year. While 146 breaches affecting over 2.4 million people might not sound like
success, it is a significant improvement.




Table 2: Total Large PHI Breaches and Records Impacted, 2010-2012

PHI Breaches Affecting > 500 Individuals            2010              2011      2012

Total # of Incidents Reported                        258              121       146

Total # of Patient Records Impacted              8,313,517     10,684,591    2,413,397



We believe the privacy and security safeguards envisioned in the HITECH Act,
implemented and enforced by HHS, CMS and OCR, and recently codified in the HIPAA
Omnibus Rule are having a positive impact. Consider the number of covered entities
that conducted a HIPAA Security Risk Analysis in the latter half of 2011 and throughout
2012. Redspin alone helped nearly 100 hospitals meet the security risk analysis
requirement of Meaningful Use Core Measure 14.

During the same time period, OCR began to wield its enforcement authority, publicly
announcing several high profile investigations that resulted in breach resolution
agreements. Financial penalties have been assessed per the increased levels under
the interim Breach Rule. OCR also launched its HIPAA Audit Program and, although
they audited only about 100 covered entities, the possibility that any covered entity
could be on their future audit list, brought the program home to all. As one hospital CIO
said to us: “We’d rather have OCR come in and do their audit after Redspin has helped
us conduct a security risk analysis, so they can see we haven’t been standing still.”

Indeed, the requirement to conduct periodic security risk analysis has been a Federal
regulation since the effective date of the HIPAA Security Rule in 2005. Standing still is
no longer an option. The HITECH Act, Meaningful Use, and now the HIPAA Omnibus
Rule, have all brought the issue of IT security into sharper focus.

As we move toward realizing the full promise of electronic health record (EHR)
technology, the need for IT security in healthcare has never been so great. When the
authors of the HIPAA security rule recommended periodic security risk analysis, the
pace of change in healthcare network infrastructure, applications, devices and workflow
might have only warranted periodic check-ups. In addition, the threat landscape was
much different then. The highest risk to healthcare records was loss from fire or water
damage. Even the highest concentrations of paper files stored in archived facilities did
not approximate the amount of PHI that could today reside on a single thumb drive.

Today’s challenges call for new ways of thinking about traditional HIPAA risk
assessments. IT security is a process, not a project. A successful security program is a
repetitive cycle of thorough testing, reports of findings, remediation, and retesting. For
some aspects of an IT security program, such as policies and procedures, an annual
review will be sufficient. But to protect against new or emerging threats, monthly or
quarterly vulnerability scanning, threat management, and remediation will be needed.

A successful security program must also involve employees and business partners. All
employees need to be engaged in building a culture of security – a process of internal
training, daily reminders, and visual workplace cues. Lastly, the responsibility for PHI
security now extends outside the organization. While the Omnibus Rule extends
compliance with HIPAA security provisions and direct civil liability for breach to business
associates and their vendors, covered entities still retain their obligation to ensure that
their business associates are safeguarding PHI effectively.

Omnibus Arrives – Just in Time?

As mentioned above, both covered entities and business associates (BAs) now stand
more or less on equal footing (at least from the regulatory standpoint) regarding their
responsibility to safeguard PHI from breach. Over the past few years (or perhaps even
from the beginning of time), this is an area that has suffered from “woeful neglect,” so to
speak. As we have said publicly, "Hospitals clearly need greater visibility and control
over how their business partners protect the privacy and security of confidential patient
data.”

The statistics do indeed bear this out. Since late 2009, 57% of all patient records
involved in large-scale PHI breaches have involved a business associate. In raw
numbers, that’s 12,110,729 individuals!




Table 3: Total Large PHI Breaches/Records Impacted Involving Business Associates, 2010-12

           Incidents     Total Breach   % Involving   Records Impacted   All Records Impacted   % Involving
           Involving BA    Incidents         BA        by BA Incidents        by Breaches            BA

2010             51           258          19.8%           4,136,397             8,313,517         49.8%
2011             31           121          25.6%           7,078,890            10,684,591         66.2%
2012             22           146          15.1%             895,442             2,413,397         37.0%

Total           104           525          19.8%          12,110,729            21,411,505         56.6%



It was against this backdrop that the long-awaited HIPAA Omnibus Rule was publicly
announced and published in the Federal Register on January 25, 2013 with an effective
date of March 26, 2013 and a compliance date of September 23, 2013.

Although promoted as “the most sweeping changes to the HIPAA Privacy and Security
Rules since they were first implemented,” much of the Omnibus Rule is similar to interim
regulations published in 2010-2011 as authorized under the 2009 HITECH Act.
However, the extension of the responsibility for safeguarding PHI to business
associates and their subcontractors is indeed a sea change. Not only must BAs now
comply with the HIPAA Security Rules just like their covered entity partners but they can
also be held directly and civilly liable for PHI breach.

This is a good (albeit late) start but the next steps are even more vitally important.
Compliance regulations lose steam over time unless they are aggressively enforced.
OCR, though well-intentioned, has a long way to go before they can be in a position to
audit any business associates. At best, we’ll continue to see some high profile business
associate breach penalties announced in the press. Such negative PR is attention-
grabbing but fleeting – it too wanes over time unless there is a consistent driver for
maintaining compliance and improving security.




So where will improvements in this critical area come from, if at all? Redspin believes
that true collaboration between covered entities, business associates, vendors, law
firms, and expert security firms will be essential to building a truly secure “chain of PHI
custody” with consistent safeguards at every point. Like most challenges to improve the
common good, covered entities and BAs should accept joint responsibility and
accountability as they are both vested in the same positive outcome.

Easy for us to say! But we are not just talk. Redspin has put together a Business
Associate Risk Assessment service, including a methodology that helps hospitals
evaluate the internal controls of their business associates while building a risk model to
determine overall exposure. It serves to initiate a mutually-beneficial exercise as
hospitals and BAs can then openly discuss process improvements using a common
framework and with the shared goal of protecting PHI.

Going Mobile

In last year’s report, we noted that 39% of all PHI breaches had occurred on a laptop or
other portable device, the easiest type of device for thieves to steal or employees to
lose. That trend continued in 2012 (37.7% of total) and we continue to fear the situation
is going to get worse before it gets better. What was unusual just 18 months ago in
healthcare organizations is now routine. Smartphones, iPads, and other BYOD
computing devices now enter the healthcare workplace daily – and go home at night.
Forrester Research reports that 37% of information workers are using BYOD at work
before policies are even in place.

CMS has included a specific call-to-action in Stage 2 meaningful use that reemphasizes
the “addressable” requirement in the HIPAA Security Rule governing the encryption of
data-at-rest. Why not make this mandatory – at least on portable devices? Stricter
policies and more encryption are clearly called for. We suspect the “wiggle room” in the
HIPAA Security Rule was kept intact by CMS, rather than risk that a stricter encryption
requirement would delay the pace of Stage 2 attestation.




BYOD just makes it worse. With BYOD, the users need to have more say in the matter.
Owning the device creates both legal and psychological differences regarding usage.
Employers and employees must work towards truly mutually acceptable policies, or
there is a risk that employees will just do what they want. No one has found the ideal
solution yet. With Redspin’s mobile device security assessments, we offer a
methodology that enables IT management to have increased engagement with their
healthcare workers and get their buy-in, while deploying simpler encryption methods
and offering more security awareness training. We think this approach has the best
chance of success but ultimately, it will be the future breach statistics that tell the tale.

Table 4: PHI Data Breach by Source / Device

                                          Pre-2012               2012
                                          #        %             #        %

Laptop and other portable device         151    39.2%           55    37.7%
Paper                                     92    23.9%           31    21.2%
Computer                                  56    14.5%           20    13.7%
Server                                    38     9.9%           15    10.3%
Other                                     18     4.7%           18    12.3%
Email                                      7     2.0%            4     2.7%
Electronic Health Record                   6     1.6%            2     1.4%
X-Ray                                      5     1.3%            0     0.0%
Back-up Tapes                              4     1.0%            1     0.6%
Hard Drives                                3     0.8%            0     0.0%
Mail, Postcards                            3     0.8%            0     0.0%
CD                                         2     0.5%            0     0.0%

Total                                    385   100.0%          146   100.0%
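As an added illustration (not code from Redspin’s report), the following Python computes, from a small constructed set of breach records, the kinds of figures presented in By the Numbers, Table 3 and Table 4 above: the share of records in the five largest incidents, the proportion of incidents due to theft or loss or involving portable devices, the business-associate split by incident and by record, and a per-source breakdown. The record layout, field names and all sample values are assumptions made for the example; it applies the >500-individual threshold under which HHS publishes breach details.

```python
from collections import Counter
from dataclasses import dataclass


# Minimal breach record. The field names are our own choice (assumption);
# the layout is not copied from the HHS breach portal.
@dataclass(frozen=True)
class Breach:
    entity: str
    individuals: int      # number of individuals affected
    breach_type: str      # e.g. "Theft", "Loss", "Hacking/IT Incident"
    location: str         # source/device where the PHI was breached
    ba_involved: bool     # whether a business associate was involved


# Constructed sample records for illustration only; not data from the report.
SAMPLE = [
    Breach("Entity A", 500_000, "Hacking/IT Incident", "Network Server", False),
    Breach("Entity B", 200_000, "Unknown", "Backup Disks", False),
    Breach("Entity C", 120_000, "Unauthorized Access/Disclosure", "Email", False),
    Breach("Entity D", 80_000, "Theft", "Laptop", True),
    Breach("Entity E", 60_000, "Theft", "Electronic Medical Record", False),
    Breach("Entity F", 20_000, "Loss", "Laptop", False),
    Breach("Entity G", 10_000, "Theft", "Paper", True),
    Breach("Entity H", 6_000, "Theft", "Laptop", False),
    Breach("Entity I", 3_000, "Loss", "Other Portable Electronic Device", True),
    Breach("Entity J", 1_000, "Unauthorized Access/Disclosure", "Computer", False),
    Breach("Entity K", 300, "Loss", "Paper", False),  # below the 500-individual threshold
]

LARGE_BREACH_THRESHOLD = 500   # HHS publishes details only for breaches affecting >500
PORTABLE_LOCATIONS = {"Laptop", "Other Portable Electronic Device"}
THEFT_OR_LOSS = {"Theft", "Loss"}


def pct(part, whole):
    """Percentage rounded to one decimal, guarding against an empty denominator."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def large_breaches(breaches):
    """Keep only the breaches HHS would list publicly (more than 500 individuals)."""
    return [b for b in breaches if b.individuals > LARGE_BREACH_THRESHOLD]


def total_records(breaches):
    return sum(b.individuals for b in breaches)


def top_n_record_share(breaches, n=5):
    """Share of all records contributed by the n largest incidents."""
    largest = sorted(breaches, key=lambda b: b.individuals, reverse=True)[:n]
    return pct(total_records(largest), total_records(breaches))


def incident_share(breaches, predicate):
    """Percentage of incidents satisfying a predicate (e.g. theft or loss)."""
    return pct(sum(1 for b in breaches if predicate(b)), len(breaches))


def business_associate_summary(breaches):
    """Table 3-style row: BA incidents vs all incidents, BA records vs all records."""
    ba = [b for b in breaches if b.ba_involved]
    return {
        "ba_incidents": len(ba),
        "all_incidents": len(breaches),
        "pct_incidents": pct(len(ba), len(breaches)),
        "ba_records": total_records(ba),
        "all_records": total_records(breaches),
        "pct_records": pct(total_records(ba), total_records(breaches)),
    }


def breaches_by_location(breaches):
    """Table 4-style breakdown: {location: (count, percent of incidents)}, largest first."""
    counts = Counter(b.location for b in breaches)
    return {loc: (c, pct(c, len(breaches))) for loc, c in counts.most_common()}


if __name__ == "__main__":
    large = large_breaches(SAMPLE)
    print(f"{len(large)} large breaches, {total_records(large):,} records")
    print("top-5 share of records:", top_n_record_share(large), "%")
    print("theft or loss:", incident_share(large, lambda b: b.breach_type in THEFT_OR_LOSS), "%")
    print("portable devices:", incident_share(large, lambda b: b.location in PORTABLE_LOCATIONS), "%")
    print("business associates:", business_associate_summary(large))
    for loc, (count, share) in breaches_by_location(large).items():
        print(f"  {loc:35} {count:3} {share:5.1f}%")
```

Running the script on the sample prints the same shape of figures as the report’s tables; swapping `SAMPLE` for records parsed from a real breach listing is the only change needed to reproduce the tallies for a different period.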



Another area to keep a close watch on is unauthorized access. The 3rd largest breach
in 2012 occurred at the South Carolina Department of Health and Human Services
when an employee (now ex-employee) emailed himself 228,000 patient records.
Malicious hackers are not the only group to realize the value of a stolen health record
when used for illegal purpose – it may be your own employees. Incidents of insider
threat are on the rise and can only be prevented by a comprehensive security program
– not a once a year risk assessment but an integrated program of policies, controls,
technical safeguards, organizational accountability, enforcement, training, and
leadership.


Conclusions and Recommendations
Four years ago, the Health Information Technology for Economic and Clinical Health
(HITECH) Act was signed into law to promote the adoption and meaningful use of
health information technology. Subtitle D of the HITECH Act addressed the privacy and
security concerns associated with the electronic transmission of health information
through several provisions that strengthened the civil and criminal enforcement of the
HIPAA rules.

Those provisions have been put into effect through a series of interim rules and
enforcement actions, ultimately culminating with the recent publication in the Federal
Register of the HIPAA Omnibus Rule. While reserving comment on the piecemeal
implementation of privacy and security rules, the 4 year anniversary of HITECH seems
a good time to assess how well those provisions have been working. Most importantly,
with the Omnibus Rule now in place, let’s look at the most significant security
challenges that lie ahead.

While the authors of the HITECH Act foresaw the need to strengthen HIPAA privacy
and security as an essential and concomitant element of achieving meaningful use of
health information technology, they clearly underestimated the complexity of the task.
The breach tally speaks for itself – 538 large-scale PHI breaches impacting over 21
million patients, and an additional estimated 60,000 smaller breaches affecting millions
more, reported to HHS since the Fall of 2009.

So what went wrong? First, IT security is complicated because today’s technology world
is incredibly dynamic, the number of endpoints too great. Such hyper-connectedness
can lead to a single change creating a multiplicity of new vulnerabilities, oversights, or
mistakes. IT security can’t simply be legislated or completely enforced. Policies and
enforcement play an important role, but like good parenting, they don’t guarantee
results.

In HITECH, the Interim Breach Rule, and the Omnibus Rule, much of the focus was put
on breach reporting, and indeed, that reporting is an essential part of patient/consumer
protection. Patients have a right to know if their confidential health information has been
inappropriately disclosed or exposed. But such notifications are, after all, after the fact.
Patients also have the a priori right to trust that their health information is being
appropriately safeguarded. This is why Redspin tells our clients: “Sure we’ll help you
meet or maintain HIPAA compliance or attest to Meaningful Use but our real goal is to
help you safeguard PHI from data breach.”

Since the accelerated deployment of IT in healthcare began, we’ve stressed that
security is a foundational element for its successful implementation and adoption.
Legislation, programs, policies, or controls that are intended to drive improvements in
security must first recognize that effective security is about lowering risk. The aim is not
to find and fix all vulnerabilities or eradicate every threat. The goal is to reduce the
likelihood of occurrence and limit the potential damages of breach.

Looking backward is only useful to the extent it can help better inform our future
direction. Starting back in 2009-2010, the healthcare industry was asked to change.
Hospitals and other eligible providers were offered huge financial incentives to do so.
EHR systems were deployed; providers were encouraged to show “meaningful use” of
those systems quickly. Conducting a HIPAA security risk analysis was required under
the EHR incentive program – and many interpreted this requirement as pertaining just
to the EHR and systems directly connected to the EHR.

The problem is that once electronic health records were born, they were bound to find
their way onto other devices, into other applications, and even transmitted to other
places. The proliferation of portable devices and media within all IT environments that
store PHI increases the likelihood of breach exponentially. How many providers included
their internal applications in their last HIPAA Security Risk Analysis? How many security
assessments of business associates were included in the covered entity’s HIPAA Risk
Analysis? Most BAs were not prepared for the responsibility they assume simply by
being in possession of PHI – and still aren’t.

And what about healthcare workers? Few healthcare employees outside of IT could tell
you what their corporate IT security policies are, much less how those actually pertain to
their email, laptop, or personal iPhone. Would the average healthcare employee know
how to encrypt “data-at-rest”? Was the level of IT security awareness of employees who
had access to PHI considered in a HIPAA Security Risk Analysis?

These are tall tasks, underestimated four years ago and urgently needed now. We want
to help drive the changes necessary in healthcare IT security so that PHI breaches are
a rare exception, rather than a once a week news story. In the beginning of this report,
we promised recommendations and here they are. Remember we advocate that your
mindset be about lowering risk. Focus on reducing the likelihood of PHI breach
occurrence and limit the potential damages of those breaches.

First, conduct a HIPAA Security Risk Analysis. It is just the starting point… but get
started! Redspin preaches that security assessments are not projects but rather part of
a continuous process of durable improvements. As such, we believe HSRAs should be
conducted on an annual or at least bi-annual basis. While a comprehensive security
assessment has a shelf life, you’ll be far more secure if you also assume there is an
expiration date.

Second, implement a regular process for ongoing vulnerability scanning and
remediation, and integrate those reports into your IT security risk assessments. Don’t
wait for the HSRA cycle to come around again before doing the vulnerability scanning –
use a monthly or quarterly schedule so that you can compare results and see what
you’ve fixed, what you haven’t, and what new vulnerabilities may have arisen. If you
don’t have the resources to do this yourself, Redspin has an automated service that can
do it for you.




Third, insist on encryption of data on all portable devices. Just do it! Loss or theft of
unencrypted portable devices has made up over a third of all large breaches to date.
We recognize that there are still significant hurdles – clumsy technology, budgetary
constraints, and user-training needs. As painful as they may be, they don’t compare
with the pain of a major breach incident due to a lost device chock full of PHI. The costs
of forensics, reparations, attorney’s fees, an OCR investigation/civil penalty, potential
class action lawsuits, and negative publicity can easily run into millions and millions of
dollars.

Fourth, business associates have accounted for 57% of all patient records breached
since we started the tally. We recommend hospitals conduct a specific “portfolio” risk
analysis as it relates to the dozens or even hundreds of vendors, contractors, and
consultants they work with. Ultimately, the hospital has every right to insist that their
partners conduct regular, third-party security assessments as a requirement of doing
business together. Covered entities and business associates need to work together to
fix this problem.

Last but not least, conduct regular, frequent and engaging security awareness training
for all employees. This requirement has been included in every breach resolution
agreement negotiated between OCR and an offending covered entity. All employees
should understand not just the policies and procedures per se but also why those
provisions are in place – given what’s at stake. Situational training is a must – test
people in what they would do in specific situations. Implement hotlines, place posters on
walls, screensaver reminders, and monthly tips. Every dollar spent on educating your
employees on privacy and security awareness is an investment in your organization’s
future success.




Appendix: HIPAA Omnibus Rule Highlights: Business
Associates, Civil Penalties, Breach Notification
On January 17, 2013, the U.S. Department of Health and Human Services (HHS) released its
final Omnibus Rule which implemented the increased HIPAA privacy and security provisions of
the HITECH Act (2009) and the Genetic Information Nondiscrimination Act of 2008 (GINA). The
rule was published in the Federal Register on January 25, 2013 with an effective date of March
26, 2013. Compliance for both Covered Entities and Business Associates is required by
September 23, 2013 (180 days from the effective date).

The three provisions of the Omnibus Rule that are most relevant to this paper are the
expansions of the privacy and security rules with regard to Business Associates, the increase in
penalties for non-compliance, and a new standard for determining whether there has been a breach
of protected health information (PHI).

Expansion of Privacy and Security Rules with regard to Business Associates

The Omnibus Rule extended and expanded the definition of business associates. The term
business associate now applies equally to a subcontractor of a business associate, and that
subcontractor must comply with parts of the regulations in their own right. In addition, the
business associate definition was expanded to include health information organizations, e-
prescribing gateways, and other entities that provide data transmission services that require
access to PHI on a routine basis, and entities that offer a personal health record product.
All business associates are now required to implement HIPAA-compliance initiatives and
measures.

Increase in Penalties for Non-Compliance

The Omnibus Rule employs the civil monetary penalty structure in the HITECH Act, wherein
higher or lower penalties are assessed based on levels of culpability. Note that these civil
penalties apply to covered entities and now to business associates equally (as per above).

The penalties are structured into the following tiers:

   -   If the covered entity or business associate did not know and could not have known about
       the violation, the penalty is between $100 - $50,000 per incident
   -   If the covered entity or business associate acted with “reasonable cause” (the CE or BA
       knew or would have known through reasonable due diligence that an act or omission
       would violate the rules, but did not act with “willful neglect,”) the penalty is $1,000 -
       $50,000 per incident
   -   If the CE or BA acted with willful neglect but instituted successful corrective measures
       within 30 days, the penalty is $10,000 - $50,000 per incident
   -   If the CE or BA acted with willful neglect and did not institute successful corrective
       measures within 30 days, then the penalty is $50,000 per incident
   -   All levels include an aggregate annual cap of $1.5 million for violations of identical
       provisions


New Standard for Determining Whether a PHI Breach Requires Notification

Previously, the determination of whether a PHI breach would require notification was based on
the so-called “harm standard” – an assessment of the risk that said breach would cause
financial, reputational, or other harm to an individual. The Omnibus Rule does away with the
harm standard and instead states that a breach be presumed to require notification unless it can
be determined through risk assessment that there is a low probability that PHI has been
compromised by the unauthorized use or disclosure. HHS comments that it expects the risk
assessments to be thorough, conducted in good faith, documented, and that its conclusions
should be reasonable.

The exact language is contained in paragraph (2) of 45 C.F.R. § 164.402:

Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure
of protected health information in a manner not permitted under subpart E is presumed to be a
breach unless the covered entity or business associate, as applicable, demonstrates that there
is a low probability that the protected health information has been compromised based on a risk
assessment of at least the following factors:

    i.      The nature and extent of the protected health information involved, including the types of
          identifiers and the likelihood of re-identification;
    ii.     The unauthorized person who used the protected health information or to whom the
          disclosure was made;
iii.        Whether the protected health information was actually acquired or viewed; and
iv.         The extent to which the risk to the protected health information has been mitigated.


Redspin PHI Breach Report 2012

  • 1. Breach Report 2012 Protected Health Information February 2013 © Redspin, Inc. Page 1
  • 2. Table of Contents 3……………………Executive Summary 4……………………By the Numbers 5……………………Discussion of Results 12………….……….Conclusion and Recommendations Appendix: 16………….…….….HIPAA Omnibus Rule Highlights Figures and Tables: Table 1 Top 5 PHI Breaches, 2012 p.5 Table 2 Total Large PHI Breaches, Records Impacted, 2010-2012 p.7 Table 3 Total Large PHI Breaches/Records Impacted Involving Business p.9 Associates, 2010-12 Table 4 PHI Data Breach By Source/ Device p.11 © Redspin, Inc. Page 2
  • 3. Executive Summary A total of 538 large breaches of protected health information (PHI) affecting over 21.4 million patient records1 have been reported to the Secretary of Health and Human Services (HHS) since the August 2009 interim final breach notification rule was issued as a part of the Health Information Technology for Economic and Clinical Health (HITECH) Act. To prepare for our 3rd annual Breach Report / Protected Health Information, we spent weeks reviewing the complete statistical data set of breaches reported to HHS since 2009. Based on our analysis, we’ve prepared an objective assessment of the overall effectiveness of the policies and controls that have been put in place to safeguard protected health information. By identifying significant trends and drawing attention to specific areas in need of improvement, we hope to help the healthcare industry improve its ability to protect patient information. That is our goal. To that end, we’ve included Redspin’s recommendations for preventive measures and corrective action to address the most critical weaknesses. 1 These numbers include breaches that affected >500 individuals and were reported to HHS from August 2009 to January 17, 2013. Those that impacted less than 500 are also reported to the HHS on an annual basis but the specifics are not made publicly available. © Redspin, Inc. Page 3
  • 4. By the Numbers 538 breaches of protected health information (PHI) 21,408,505 patient health records affected 21.5% increase in # of large breaches in 2012 over 2011 but… a 77% decrease in # of patient records impacted 67% of all breaches have been the result of theft or loss 57% of all patient records breached involved a business associate 5X historically, breaches at business associates have impacted 5 times as many patient records as those at a covered entity 38% of incidents were as a result of an unencrypted laptop or other portable electronic device 63.9% percent of total records breached in 2012 resulted from the 5 largest incidents 780,000 number of records breached in the single largest incident of 2012 © Redspin, Inc. Page 4
  • 5. Discussion of Results In recent years, IT security has risen to the level of enterprise risk in many industries. Data breaches can cause significant financial harm, reputational damage, and loss of consumer confidence. In healthcare, that risk is not limited to an individual hospital or business associate. It is an industry-wide threat to the continued adoption of electronic health records – the foundation for improving cost efficiency, care delivery, and patient outcomes within the U.S. healthcare industry. Quite a Handful. 146 breaches of protected health information affecting 2,413,397 individuals were reported to HHS in 2012. The top 5 incidents were particularly egregious, contributing nearly two-thirds of the total number of patient records exposed during the entire year. In striking contrast from previous years, there was little similarity in the root causes among this year’s “top 5” breaches. From a malicious hack, to lost back-up disks, to an email containing hundreds of thousands of patient records, these incidents highlight the breadth and complexity of the IT security challenge facing healthcare providers today. Table 1: Top 5 PHI Breaches, 2012 INDIVIDUALS TYPE OF BREACH LOCATION OF BREACHED COVERED ENTITY AFFECTED INFORMATION Hacking/IT Utah Department of Health 780,000 Incident Network Server Emory Healthcare 315,000 Unknown Backup Disks South Carolina Department of Unauthorized Health and Human Services 228,435 Access/Disclosure Email Alere Home Monitoring, Inc. 116,506 Theft Laptop Electronic Medical Memorial Healthcare System 102,153 Theft Record © Redspin, Inc. Page 5
  • 6. The hacking incident at the Utah Department of Health is of particular concern. Given the richness of the personal data that PHI contains, hackers are often mentioned as a potential threat to PHI. Yet, from 2009 to date, hacking has contributed to roughly 6% of data breaches, both in number of incidents and number of individuals affected. Many people have been surprised at this low incident rate, perhaps to the point of complacency. Others speculate that a significant number of smaller “hacks” have gone undetected. But the magnitude of the Eastern European-based attack on the State of Utah should end any complacency. The hackers exposed claims data for 780,000 Medicaid and Children’s’ Health Plan recipients. As a result, the State IT Director was fired. Recently, a new Utah Senate bill was put forth requiring that its Department of IT Services assemble a team of experts to ensure that security “best practices” are followed. The proposed law also includes a requirement for an audit of the department every two years. In Redspin’s opinion, hacker attacks are likely to increase in frequency over the next few years. Personal health records are high value targets for cybercriminals as they can be exploited for identify theft, insurance fraud, stolen prescriptions, and dangerous hoaxes. We expect that the low incidence rate of hacking during the past few years was the calm before the storm. It is crucial for healthcare providers to “up their game” when it comes to security defenses. The proposed Utah state law cites best practices but is short on specifics. We’d recommend every health provider conduct an annual IT security risk analysis and implement even more frequent penetration testing and vulnerability assessments. Some Signs of Improvement. In 2012, the incidents of large PHI breaches increased by nearly 21%. However, it’s not all bad news. The corresponding total number of patient records impacted dropped dramatically – a whopping 77% decrease year over year. 
While 146 breaches affecting over 2.4 million people might not sound like success, it is a significant improvement. © Redspin, Inc. Page 6
  • 7. Table 2: Total Large PHI Breaches and Records Impacted, 2010-2012 PHI Breaches Affecting > 500 Individuals 2010 2011 2012 Total # of Incidents Reported 258 121 146 Total # of Patient Records Impacted 8,313,517 10,684,591 2,413,397 We believe the privacy and security safeguards envisioned in the HITECH Act, implemented and enforced by HHS, CMS and OCR, and recently codified in the HIPAA Omnibus Rule are having a positive impact. Consider the number of covered entities that conducted a HIPAA Security Risk Analysis in the latter half of 2011 and throughout 2012. Redspin alone helped nearly 100 hospitals meet the security risk analysis requirement of Meaningful Use Core Measure14. During the same time period, OCR began to wield its enforcement authority, publicly announcing several high profile investigations that resulted in breach resolution agreements. Financial penalties have been assessed per the increased levels under the interim Breach Rule. OCR also launched its HIPAA Audit Program and, although they audited only about 100 covered entities, the possibility that any covered entity could be on their future audit list, brought the program home to all. As one hospital CIO said to us: “We’d rather have OCR come in and do their audit after Redspin has helped us conduct a security risk analysis, so they can see we haven’t been standing still.” Indeed, the requirement to conduct periodic security risk analysis has been a Federal regulation since the effective date of the HIPAA Security Rule in 2005. Standing still is no longer an option. The HITECH Act, Meaningful Use, and now the HIPAA Omnibus Rule, have all brought the issue of IT security into sharper focus. As we move toward realizing the full promise of electronic health record (EHR) technology, the need for IT security in healthcare has never been so great. 
When the authors of the HIPAA security rule recommended periodic security risk analysis, the pace of change in healthcare network infrastructure, applications, devices and workflow might have only warranted periodic check-ups. In addition, the threat landscape was © Redspin, Inc. Page 7
  • 8. much different then. The highest risk to healthcare records was loss from fire or water damage. Even the highest concentrations of paper files stored in archived facilities did not approximate the amount of PHI that could today reside on a single thumb drive. Today’s challenges call for a new ways of thinking about traditional HIPAA risk assessments. IT security is a process not a project. A successful security program is a repetitive cycle of thorough testing, reports of findings, remediation, and retesting. For some aspects of an IT security program, such as policies and procedures, an annual review will be sufficient. But to protect against new or arising threats, monthly or quarterly vulnerability scanning, threat management, and remediation will be needed. A successful security program must also involve employees and business partners. All employees need to be engaged in building a culture of security – a process of internal training, daily reminders, and visual workplace cues. Lastly, the responsibility of PHI security now extends outside the organization. While the Omnibus rule extends compliance with HIPAA security provisions and direct civil liability for breach to business associates and their vendors, covered entities still retain their obligation to ensure that its business associates are safeguarding PHI effectively. Omnibus Arrives – Just in Time? As mentioned above, both covered entities and business associates (BAs) now stand more or less on equal footing (at least from the regulatory standpoint) regarding their responsibility to safeguard PHI from breach. Over the past few years (or perhaps even from the beginning of time), this is an area that has suffered from “woeful neglect,” so to speak. As we have said publicly, "Hospitals clearly need greater visibility and control over how their business partners protect the privacy and security of confidential patient data.” The statistics do indeed bear this out. 
Since late 2009, 57% of all patient records involved in large-scale PHI breaches have involved a business associate. In raw numbers, that’s 12,110,729 individuals! © Redspin, Inc. Page 8
  • 9. Table 3: Total Large PHI Breaches/Records Impacted Involving Business Associates, 2010-12 Incidents Total % Records All Records % Involving Breach Involving Impacted by Impacted by Involving BA Incidents BA BA Incident Breaches BA 2010 51 258 19.8% 4,136,397 8,313,517 49.8% 2011 31 121 25.6% 7,078,890 10,684,591 66.2% 2012 22 146 15,1% 895,442 2,413,397 37.0% 104 525 19.8% 12,110,729 21,411,505 56.6% It was against this backdrop that the long-awaited HIPAA Omnibus Rule was publicly announced and published in the Federal Register on January 25, 2013 with an effective date of March 26, 2013 and a compliance date of September 23, 2013. Although promoted as “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” much of the Omnibus Rule is similar to interim regulations published in 2010-2011 as authorized under the 2009 HITECH Act. However, the extension of the responsibility for safeguarding PHI to business associates and their subcontractors is indeed a sea change. Not only must BAs now comply with the HIPAA Security Rules just like their covered entity partners but they can also be held directly and civilly liable for PHI breach. This is a good (albeit late) start but the next steps are even more vitally important. Compliance regulations lose steam over time unless they are aggressively enforced. OCR, though well-intentioned, has a long way to go before they can be in a position to audit any business associates. At best, we’ll continue to see some high profile business associate breach penalties announced in the press. Such negative PR is attention- grabbing but fleeting – it too wanes over time unless there is a consistent driver for maintaining compliance and improving security. © Redspin, Inc. Page 9
  • 10. So where will improvements in this critical area come from, if at all? Redspin believes that true collaboration between covered entities, business associates, vendors, law firms, and expert security firms will be essential to building a truly secure “chain of PHI custody” with consistent safeguards at every point. Like most challenges to improve the common good, covered entities and BAs should accept joint responsibility and accountability as they are both vested in the same positive outcome. Easy for us to say! But we are not just talk. Redspin has put together a Business Associate Risk Assessment service, including a methodology that helps hospitals evaluate the internal controls of their business associates while building a risk model to determine overall exposure. It serves to initiate a mutually-beneficial exercise as hospitals and BAs can then openly discuss process improvements using a common framework and with the shared goal of protecting PHI. Going Mobile In last year’s report, we noted that 39% of all PHI breaches had occurred on a laptop or other portable device, the easiest type of device for thieves to steal or employees to lose. That trend continued in 2012 (37.7% of total) and we continue to fear the situation is going to get worse before it gets better. What was unusual just 18 months ago in healthcare organizations is now routine. Smartphones, iPads, and other BYOD computing devices now enter the healthcare workplace daily – and go home at night. Forrester Research reports that 37% of information workers are using BYOD at work before policies are even in place. CMS has included a specific call-to-action in Stage 2 meaningful use that reemphasizes the “addressable” requirement in the HIPAA Security Rule governing the encryption of data-at-rest. Why not make this mandatory – at least on portable devices? Stricter policies and more encryption are clearly called for. 
We suspect the “wiggle room” in the HIPAA Security Rule was kept it tact by CMS, rather than risk that a stricter encryption requirement would delay the pace of Stage 2 attestation. © Redspin, Inc. Page 10
11. BYOD just makes it worse. With BYOD, users need to have more say in the matter. Owning the device creates both legal and psychological differences regarding usage. Employers and employees must work towards truly mutually acceptable policies, or there is a risk that employees will simply do what they want. No one has found the ideal solution yet. With Redspin's mobile device security assessments, we offer a methodology that enables IT management to engage more closely with their healthcare workers and get their buy-in, while deploying simpler encryption methods and offering more security awareness training. We think this approach has the best chance of success, but ultimately it will be the future breach statistics that tell the tale.

Table 4: PHI Data Breach by Source / Device

Source / Device                     Pre-2012          2012
Laptop and other portable device    151   39.2%       55   37.7%
Paper                                92   23.9%       31   21.2%
Computer                             56   14.5%       20   13.7%
Server                               38    9.9%       15   10.3%
Other                                18    4.7%       18   12.3%
Email                                 7    2.0%        4    2.7%
Electronic Health Record              6    1.6%        2    1.4%
X-Ray                                 5    1.3%        0    0.0%
Back-up Tapes                         4    1.0%        1    0.6%
Hard Drives                           3    0.8%        0    0.0%
Mail, Postcards                       3    0.8%        0    0.0%
CD                                    2    0.5%        0    0.0%
Total                               385  100.0%      146  100.0%

Another area to keep a close watch on is unauthorized access. The 3rd largest breach in 2012 occurred at the South Carolina Department of Health and Human Services when an employee (now ex-employee) emailed himself 228,000 patient records. Malicious hackers are not the only group to realize the value of a stolen health record when used for illegal purposes – it may be your own employees. Incidents of insider threat are on the rise and can only be prevented by a comprehensive security program – not a once-a-year risk assessment but an integrated program of policies, controls, technical safeguards, organizational accountability, enforcement, training, and leadership.

Conclusions and Recommendations

Four years ago, the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addressed the privacy and security concerns associated with the electronic transmission of health information through several provisions that strengthened the civil and criminal enforcement of the HIPAA rules. Those provisions have been put into effect through a series of interim rules and enforcement actions, ultimately culminating with the recent publication in the Federal Register of the HIPAA Omnibus Rule. While reserving comment on the piecemeal implementation of privacy and security rules, the 4-year anniversary of HITECH seems a good time to assess how well those provisions have been working. Most importantly, with the Omnibus Rule now in place, let's look at the most significant security challenges that lie ahead.

While the authors of the HITECH Act foresaw the need to strengthen HIPAA privacy and security as an essential and concomitant element of achieving meaningful use of health information technology, they clearly underestimated the complexity of the task. The breach tally speaks for itself – 538 large-scale PHI breaches impacting over 21 million patients, and an additional estimated 60,000 smaller breaches affecting millions more, reported to HHS since the fall of 2009.

So what went wrong? First, IT security is complicated because today's technology world is incredibly dynamic and the number of endpoints too great. Such hyper-connectedness means that a single change can create a multiplicity of new vulnerabilities, oversights, or mistakes. IT security can't simply be legislated or completely enforced. Policies and
enforcement play an important role, but like good parenting, they don't guarantee results.

In HITECH, the Interim Breach Rule, and the Omnibus Rule, much of the focus was put on breach reporting, and indeed, that reporting is an essential part of patient/consumer protection. Patients have a right to know if their confidential health information has been inappropriately disclosed or exposed. But such notifications are, after all, after the fact. Patients also have the a priori right to trust that their health information is being appropriately safeguarded. This is why Redspin tells our clients: "Sure, we'll help you meet or maintain HIPAA compliance or attest to Meaningful Use, but our real goal is to help you safeguard PHI from data breach."

Since the accelerated deployment of IT in healthcare began, we've stressed that security is a foundational element for its successful implementation and adoption. Legislation, programs, policies, or controls that are intended to drive improvements in security must first recognize that effective security is about lowering risk. The aim is not to find and fix all vulnerabilities or eradicate every threat. The goal is to reduce the likelihood of occurrence and limit the potential damages of a breach.

Looking backward is only useful to the extent it can help better inform our future direction. Starting back in 2009-2010, the healthcare industry was asked to change. Hospitals and other eligible providers were offered huge financial incentives to do so. EHR systems were deployed; providers were encouraged to show "meaningful use" of those systems quickly. Conducting a HIPAA security risk analysis was required under the EHR incentive program – and many interpreted this requirement as pertaining just to the EHR and systems directly connected to the EHR. The problem is that once electronic health records were born, they were bound to find their way onto other devices, into other applications, and even to be transmitted to other places. The proliferation of portable devices and media within all IT environments that store PHI increases the likelihood of breach exponentially. How many providers included their internal applications in their last HIPAA Security Risk Analysis? How many security assessments of business associates were included in the covered entity's HIPAA Risk Analysis? Most BAs were not prepared for the responsibility they assume simply by being in possession of PHI – and still aren't.

And what about healthcare workers? Few healthcare employees outside of IT could tell you what their corporate IT security policies are, much less how those actually pertain to their email, laptop, or personal iPhone. Would the average healthcare employee know how to encrypt "data-at-rest"? Was the level of IT security awareness of employees who had access to PHI considered in a HIPAA Security Risk Analysis? These are tall tasks, underestimated four years ago and urgently needed now. We want to help drive the changes necessary in healthcare IT security so that PHI breaches are a rare exception, rather than a once-a-week news story.

In the beginning of this report, we promised recommendations, and here they are. Remember, we advocate that your mindset be about lowering risk. Focus on reducing the likelihood of PHI breach occurrence and limiting the potential damages of those breaches.

First, conduct a HIPAA Security Risk Analysis. It is just the starting point… but get started! Redspin preaches that security assessments are not projects but rather part of a continuous process of durable improvements. As such, we believe HSRAs should be conducted on an annual or at least bi-annual basis. While a comprehensive security assessment has a shelf life, you'll be far more secure if you also assume there is an expiration date.

Second, implement a regular process for ongoing vulnerability scanning and remediation, and integrate those reports into your IT security risk assessments. Don't wait for the HSRA cycle to come around again before doing the vulnerability scanning – use a monthly or quarterly schedule so that you can compare results and see what you've fixed, what you haven't, and what new vulnerabilities may have arisen. If you don't have the resources to do this yourself, Redspin has an automated service that can do it for you.

Third, insist on encryption of data on all portable devices. Just do it! Loss or theft of unencrypted portable devices has made up over a third of all large breaches to date. We recognize that there are still significant hurdles – clumsy technology, budgetary constraints, and user-training needs. As painful as they may be, they don't compare with the pain of a major breach incident due to a lost device chock full of PHI. The costs of forensics, reparations, attorney's fees, an OCR investigation/civil penalty, potential class action lawsuits, and negative publicity can easily run into millions and millions of dollars.

Fourth, business associates have accounted for 57% of all patient records breached since we started the tally. We recommend hospitals conduct a specific "portfolio" risk analysis as it relates to the dozens or even hundreds of vendors, contractors, and consultants they work with. Ultimately, the hospital has every right to insist that their partners conduct regular, third-party security assessments as a requirement of doing business together. Covered entities and business associates need to work together to fix this problem.

Last but not least, conduct regular, frequent and engaging security awareness training for all employees. This requirement has been included in every breach resolution agreement negotiated between OCR and an offending covered entity. All employees should understand not just the policies and procedures per se but also why those provisions are in place – given what's at stake. Situational training is a must – test people on what they would do in specific situations. Implement hotlines, place posters on walls, screensaver reminders, and monthly tips. Every dollar spent on educating your employees on privacy and security awareness is an investment in your organization's future success.
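The cycle-to-cycle comparison that the second recommendation calls for (what was fixed, what persists, what is new) can be automated once scan output is exported. The following is an added example and not part of the Redspin report or its scanning service; the host names, check ids and severities are constructed sample data standing in for two scanner exports.

```python
from collections import Counter

# Constructed sample output of two scan cycles (e.g. last quarter and this one).
# Each record: (host, check id, severity). Hosts and check ids are made up.
LAST_CYCLE = [
    ("ehr-app-01", "CHK-1001", "High"),
    ("ehr-app-01", "CHK-1002", "Medium"),
    ("ehr-db-01", "CHK-2001", "Critical"),
    ("nurse-ws-07", "CHK-3001", "Low"),
]
THIS_CYCLE = [
    ("ehr-app-01", "CHK-1002", "Medium"),    # still open since last cycle
    ("ehr-db-01", "CHK-2001", "Critical"),   # still open since last cycle
    ("ehr-app-01", "CHK-1005", "High"),      # newly found on a known host
    ("billing-srv-02", "CHK-4001", "High"),  # new host that was not scanned before
]


def scan_delta(previous, current):
    """Classify (host, check id) pairs as fixed, persisting or new between cycles."""
    prev_keys = {(host, check) for host, check, _ in previous}
    curr_keys = {(host, check) for host, check, _ in current}
    return {
        "fixed": prev_keys - curr_keys,        # present last time, gone now
        "persisting": prev_keys & curr_keys,   # not remediated since last cycle
        "new": curr_keys - prev_keys,          # arisen (or first seen) this cycle
    }


def severity_summary(current, delta):
    """Count open findings per severity, split into new vs persisting, for prioritisation."""
    severity_of = {(host, check): sev for host, check, sev in current}
    summary = {"new": Counter(), "persisting": Counter()}
    for bucket in summary:
        for key in delta[bucket]:
            summary[bucket][severity_of[key]] += 1
    return summary


def report(previous, current):
    """Print the delta in a form that can be pasted into the risk assessment record."""
    delta = scan_delta(previous, current)
    for bucket in ("fixed", "persisting", "new"):
        print(f"{bucket}: {len(delta[bucket])}")
        for host, check in sorted(delta[bucket]):
            print(f"  {host} {check}")
    return delta, severity_summary(current, delta)


if __name__ == "__main__":
    report(LAST_CYCLE, THIS_CYCLE)
```

Persisting findings are the ones to question at the next HSRA: each has survived at least one remediation window.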
Appendix: HIPAA Omnibus Rule Highlights: Business Associates, Civil Penalties, Breach Notification

On January 17, 2013, the U.S. Department of Health and Human Services (HHS) released its final Omnibus Rule, which implemented the increased HIPAA privacy and security provisions of the HITECH Act (2009) and the Genetic Information Nondiscrimination Act of 2008 (GINA). The rule was published in the Federal Register on January 25, 2013 with an effective date of March 26, 2013. Compliance for both Covered Entities and Business Associates is required by September 23, 2013 (180 days from the effective date). The three provisions of the Omnibus Rule that are most relevant to this paper are the expansion of the privacy and security rules with regard to Business Associates, the increase in penalties for non-compliance, and a new standard for determining whether there has been a breach of protected health information (PHI).

Expansion of Privacy and Security Rules with regard to Business Associates

The Omnibus Rule extended and expanded the definition of business associates. The term business associate now applies equally to a subcontractor of a business associate, and that subcontractor must comply with parts of the regulations in its own right. In addition, the business associate definition was expanded to include health information organizations, e-prescribing gateways, and other entities that provide data transmission services that require access to PHI on a routine basis, and entities that offer a personal health record product. All business associates are now required to implement HIPAA-compliance initiatives and measures.

Increase in Penalties for Non-Compliance

The Omnibus Rule employs the civil monetary penalty structure in the HITECH Act, wherein higher or lower penalties are assessed based on levels of culpability. Note that these civil penalties apply to covered entities and now to business associates equally (as per above). The penalties are structured into the following tiers:

- If the covered entity or business associate did not know and could not have known about the violation, the penalty is between $100 - $50,000 per incident
- If the covered entity or business associate acted with "reasonable cause" (the CE or BA knew or would have known through reasonable due diligence that an act or omission would violate the rules, but did not act with "willful neglect"), the penalty is $1,000 - $50,000 per incident
- If the CE or BA acted with willful neglect but instituted successful corrective measures within 30 days, the penalty is $10,000 - $50,000 per incident
- If the CE or BA acted with willful neglect and did not institute successful corrective measures within 30 days, then the penalty is $50,000 per incident
- All levels include an aggregate annual cap of $1.5 million for violations of identical provisions
New Standard for Determining Whether a PHI Breach Requires Notification

Previously, the determination of whether a PHI breach would require notification was based on the so-called "harm standard" – an assessment of the risk that said breach would cause financial, reputational, or other harm to an individual. The Omnibus Rule does away with the harm standard and instead states that a breach is presumed to require notification unless it can be determined through risk assessment that there is a low probability that PHI has been compromised by the unauthorized use or disclosure. HHS comments that it expects the risk assessments to be thorough, conducted in good faith, and documented, and that their conclusions should be reasonable. The exact language is contained in paragraph (2) of 45 C.F.R. § 164.402:

Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

i. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
ii. The unauthorized person who used the protected health information or to whom the disclosure was made;
iii. Whether the protected health information was actually acquired or viewed; and
iv. The extent to which the risk to the protected health information has been mitigated.