From The Sip Trunking Experts

TMCNet:  HITRUST's Analysis of U.S. Breach Data Finds Little Progress and Concern for Un-reported Breaches

[December 05, 2012]

HITRUST's Analysis of U.S. Breach Data Finds Little Progress and Concern for Un-reported Breaches

FRISCO, Texas --(Business Wire)--

According to the Health Information Trust Alliance's (HITRUST) analysis of U.S. healthcare data breaches from 2009 to the present, the healthcare industry has made little progress in reducing the number of breaches with troubling statistics seen from the same types of organizations, breaches and locations. The retrospective analysis of breaches affecting 500 or more individuals indicates a slight decline in the total number of breaches during the past three years, but overall the industry's susceptibility to certain types of breaches has been largely unchanged since breach data became available from the U.S. Department of Health and Human Services (HHS) and the new HIPAA and HITECH Act regulations went into effect.

HITRUST periodically analyzes the breach data from HHS and other sources and makes it freely available to the industry to inform organizations of trends and continuing security and privacy risks, and to direct modifications to HITRUST programs and requirements.

"By conducting and publicizing this analysis, we believe that over time we can facilitate a fundamental shift in the healthcare industry toward achieving a state of security and privacy that is on par with other leading industries," said Daniel Nutkis, chief executive officer, HITRUST. "While the data itself is not terribly surprising, it does serve as a critical reminder of the education and improvement that still needs to occur across the industry, regardless of organization type and size. I believe this is why HITRUST continues to see increasing adoption numbers for the HITRUST Common Security Framework (CSF) and participation in the CSF Assurance Program, especially from organizations that have made the commitment to train their security and privacy professionals so that they have the necessary knowledge and skills."

A close look at the HHS data reveals that since 2009 the industry has experienced 495 breaches involving 21 million records at an estimated cost of $4 billion. With the annual number of total breaches remaining fairly consistent, hospitals and health systems is one of the few groups that can claim some improvements in protecting health information with the largest decline in reported breaches. This group experienced a decline of 71 percent from 2010 to 2011 in the number of breaches, and for the first two quarters of 2012 has only experienced 14 breaches (compared with a total of 48 for 2011). Health plans have also seen a steady decline in breaches since 2009 and have not had to post since the first quarter of 2012.

"We are seeing healthcare providers adopting the HITRUST CSF at a greater rate than other segments, which could be attributed to escalating pressures faced by this industry segment relating to the protection of health information," said Nutkis. "This group is also leveraging guidance from the CSF Assurance Program that focuses on the high risks for healthcare such as unencrypted devices in support of their meaningful use attestations."

In addition, HITRUST believes that Stage 1 meaningful use may have incentivized and/or raised awareness for the need for security, particularly in the most likely areas of laptops, desktops and mobile media. However, the data indicates that physician practices, which should be similarly motivated by meaningful use incentives, have continued to demonstrate a lack of progress. This is especially true of saller physician practices where those with one-to-100 employees account for over 60 percent of the breaches reported in the segment. The analysis indicates that organizations such as these likely lack the awareness and resources in order to adequately recognize the issues and take actions to preempt future breaches. As the interconnectivity of organizations increases through community health records and health information exchanges, small practices may pose a new and significant risk to larger entities that have begun to get a handle on security and privacy.

HITRUST believes that in order for there to be a significant decline in the total number of breaches, the industry must find a way to reach physician practices and provide them with simple cost-effective solutions to their biggest challenges. A step in the right direction would be to provide these smaller organizations - and the industry as a whole - with education tailored to security in healthcare in conjunction with more automated and sophisticated methods to identify and correct risks. This enables small organizations to more easily acquire the necessary skills supplemented by technology so they too can be successful. The HITRUST report provides recommendations for physician practices needing to proactively address their security initiatives.

Surprisingly, reported hacking and malware infections remain low, accounting for a total of eight percent of the breaches. "Data we receive from other sources strongly indicates that U.S. healthcare organizations of all types are experiencing data loss due to viruses, attacks by cyber criminals, password sharing by clinicians, and the prevalence of vulnerabilities in electronic health record (EHR) technologies that are not communicated," said Nutkis.

HITRUST recently launched the Cyber Threat Analysis Service (CTAS) in partnership with iSIGHT Partners to identify and analyze cyber threats to the U.S. healthcare industry. The CTAS has published more than a half-dozen reports of healthcare data being exploited in underground message boards by cybercriminals from the U.S., Russia and China that cannot be linked back to the reported breaches from HHS. In addition, the service has found that malware is present on approximately 30 percent of endpoint devices in smaller healthcare organizations.

A November 2012 report from the CTAS highlights this new dynamic in the cause for breaches with the observation that a database containing personally identifiable information (PII) and protected health information (PHI) was advertised for purchase on a prominent cybercrime forum.

HITRUST's own assessment data suggests many breaches may go unreported or undiscovered. Nutkis continued, "because of the gap between the breach data and other sources, we believe the breaches being reported are not all inclusive. While we do not have a sense of the exact magnitude, given the cyber threats that healthcare and other industries face, we believe it must continue to be taken seriously."

The HITRUST analysis also identified other areas of concern for the industry:

  • Even in this electronic age, breaches of paper records remain significant among the leading segments (providers, payers, government) with errors in mailing and disposal of records playing a substantial role in some of the highest profile paper-based breaches. Since 2009, paper records comprise 24 percent of healthcare breaches, second only to laptops.
  • Business associates continue to account for a significant number of breaches (21 percent) and are implicated in a majority of the records breached to-date (58 percent). This continues to be a problem across all organization types, with physician practices struggling the most.
  • The average time to notify individuals and HHS following a breach is 68 days, with over 50 percent of organizations failing to notify within the 60 day deadline set by HITECH.

The results of HITRUST's analysis of breach data are influencing updates to the 2013 version of the HITRUST CSF - available in January 2013 - and modifications to the CSF Assurance Program. The program is being updated to align with Stage 1 and 2 meaningful use requirements, and provide adequate coverage for high risks, including endpoint security, third party assurance, and continued requirements for secure disposal. HITRUST is developing and will be releasing detailed illustrative procedures alongside the 2013 updates to provide standardized, industry-approved audit and assessment guidance to HITRUST CSF Assessors, covered entities and business associates.

The HITRUST report - "A Look Back: U.S. Healthcare Data Breach Trends" - is publically available for download at along with an infographic of the analysis. The report includes in-depth analysis of the breach data and provides recommendations for addressing issues relating to security for endpoint devices, mobile media, paper records, business associates and physician practices.


The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the CSF, HITRUST is also driving the adoption of and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities. For more information, visit

All product and company names herein may be trademarks of their respective owners.

[ Back To SIP Trunking Home's Homepage ]

Subscribe here for your FREE
SIP TRUNKING enewslettter.

Featured Partner

Featured Whitepapers

SIP Security for the Enterprise
Voice over IP (VoIP) is incorporated into a variety of computer networks, both public and private, and used for everyday transactions and communications among carriers, businesses, government agencies...

Making A Broadband Purchase Decision
Businesses today have many options for broadband connectivity. Clarifying your particular business needs prior to selecting a broadband provider will ensure an optimal match of broadband service to your requirements.

Voice-Optimized Network Delivers Premier Call Experience
Customers equate call quality with business quality. Real-time communication, interpersonal interaction, and the cordial tone of a call center representative can create a positive impression of your business that no email can match.

Featured Case Studies

Business Telecom Expenses Reduced 50%
A small to medium sized company in the midwest was interested in migrating to IP Communications, but in today's economy, they were hesitant to upgrade their communication system due to their perception that the cost would outweigh the benefits.

Multi-State Company Cuts Telecom Costs 50%
A multi-site, multi-state company with extensive monthly long distance fees and toll-free charges did not have adequate broadband for Broadvox SIP Trunking requirements, nor did they have a SIP enabled telephone system.

Discover Leisure Connects Remote Users to its IP-PBX
Discover Leisure is one of the largest resellers of caravans and motor homes in the UK. With 15 branch of?ces all over the country, the company spent a great deal of money every month just on internal phone calls.

Featured eBOOKS

Internet+: The Way Toward Global Unified Communication
Connecting the telephony of the enterprise PBX or Unified Communications (UC) system using SIP trunks instead of conventional telephone lines has been very successful in recent years.

What is SIP Trunking? Edition 2
SIP trunking is becoming more of a focus for service providers. One key issue many service providers face when deploying SIP trunks is NAT, or Network Address Translation, traversal.

What is SIP Trunking? Edition 1
A vast resource for information about all things SIP - including SIP, security, VoIP, SIP trunking and Unified Communications.

Featured Videos

Broadvox VAR Testimonial VAR 1:
Part 1 of the VAR (Value Added Reseller) Partner Program Testimonials for Broadvox...

E-SBCs AS The Demarcation Point:
Ingate's Steve Johnson talks to Erik Linask about the role session border controller plays as the demarcation point at...

Demystifying DPI
How can deep packet inspection protect your SIP traffic as well as your entire network?

Featured Resources

Partner Program Overview:
Over 4,000 VARs, Master Agents, Solution Providers, and Independent IT Professionals trust Broadvox. We offer customized services and solutions to fit seamlessly into any company's business model. And when you partner with Broadvox, every member of our team stands behind you and your customers 100%...

SIP Trunk UC Summit

What's New

Presenting the New Ingate/Intertex Website:
Internet+ is an extended Internet access allowing high quality SIP (Session Initiation Protocol) based real-time person-to-person communication, everywhere and for any application. It applies to both fixed and mobile networks ...

Featured Blogs

Featured Webinars

Secure SIP Trunking:
What You Need to Know

Successfully Deploying Enterprise SIP Trunking:
Tools and Techniques for Overcoming Common Roadblocks

Featured Podcasts

Getting the Most Out of Your SIP Trunks:
Ingate's Steve Johnson and TMC's Erik Linask discuss how best practices forgetting the most out of SIP Trunking services and common pitfalls to avoid.

Featured Datasheets

Ingate SIParator E-SBCs
Adopting SIP is a simple process with the Ingate SIParator, the secure enterprise session border controller (E-SBC). The SIParator makes secure SIP communications - including VoIP,SIP trunking and more - possible while working seamlessly with your existing network firewall.

Ingate Firewalls
Everyone is talking about enterprise usage of VoIP, instant messaging and other types of realtime communications including presence and conferencing.

SIP Trunk Solutions for Service Providers
The award-winning Ingate Firewall and Ingate SIParator deliver a high quality, reliable SIP trunk connection between the customer's IP-PBX and the service provider network, and solve interoperability issues to simplify deployments and support for remote diagnosis of reported issues.