Roughly 57 percent of the more than 21 million patient records involved in large-scale healthcare data breaches between 2010 and 2012 were linked to business associates, according to a new analysis by Carpinteria, Calif.-based IT security audit firm Redspin.
In 2012 alone, 146 total breaches impacting 500 or more individuals were reported, up from 121 in 2011. However, the number of patient records impacted by those 146 breaches was roughly 2.4 million, down drastically from 10.6 million patient records impacted a year earlier.
"We believe the privacy and security safeguards envisioned in the HITECH Act implemented and enforced by [the U.S. Department of Health & Human Services Office for Civil Rights], and recently codified in the HIPAA Omnibus Rule, are having a positive impact," the report's authors said. "Standing still is no longer an option."
The report's authors said that while business associate liability under HIPAA previously was an area that suffered from "woeful neglect," the new rule that holds BAs accountable is a "good [albeit late] start." However, they added, aggressive enforcement of the law will be key to ensuring that even more progress is made.
With regard to breaches on laptops or other devices, the authors said they think the trend will likely continue, especially considering that it remained flat from the previous year--in 2011, 39 percent of all protected health information breaches occurred on a laptop or other portable device; last year, that figure dipped only slightly, to 38 percent.
"What was unusual just 18 months ago in healthcare organizations is now routine," the report's authors said. "Smartphones, iPads, and other BYOD computing devices now enter the healthcare workplace daily--and go home at night."
Network security is a top priority for healthcare CIOs this year, according to a recently released study by Broomfield, Colo.-based Level 3 Communications. That's not surprising, considering that, according to a report released in December by the Traverse City, Mich.-based Ponemon Institute, data breaches cost healthcare organizations nearly $7 billion annually.