"What I'm seeing is that organizations are not taking any chances," Hourihan says. "If a breach has the slightest chance of harm, they're going to do the notification."
Based on his research, Hourihan offers these tips:
- Encrypt portable devices. With laptop theft the No. 1 cause of breaches by type and location, Hourihan says organizations should "at the very least" make sure any portable devices are encrypted. And, if you can help it, remove any sensitive information.
- Don't store information locally. A better option here is to get your information on network drives, providing users with an easy-to-use centrally managed and protected option. "Make sure nothing gets stored locally," Hourihan says.
- Ensure BA compliance. BAs accounted for only 1/5 of the breaches on the OCR website, but Hourihan sees that climbing. "Across all segments of the industry, our data shows that third party security management is the least mature in control," says Hourihan, "and the BAs aren't the ones being called out when there's a breach."
Other notable numbers from the HITRUST report include:
- 4,089,670 individuals affected
- 38% of breaches include hospital/provider networks (No. 1)
- 79% of individuals affected involve insurance plans (No. 1)
- 31% of breaches involve laptops (No. 1)
- 70% of records involve a theft (No. 1)
- 18.5% of breaches implicate a BA
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.