Analysis of Causes of Patient Data Breaches

By ThinkReliability Staff

When dealing with a seemingly overwhelming problem, care should be taken to ensure that resources are used most effectively by addressing the causes that have the biggest impact on the issue.  Take the case of HIPAA breaches of medical records.  Since February of 2010, 26.8 million individuals in the United States have been impacted by a data breach.  There are multiple potential causes that could result in these data breaches. So, where should efforts be directed to be most effective?

Looking at actual events and determining the probability of different types of failure can better direct your solutions, even if your organization hasn’t personally experienced a data breach.  We do this in a proactive Cause Map, which looks at potential causes and – when data is available – determines the relative probability of each contributing cause.  Luckily for us, this analysis has already been performed for data breaches reported to the HHS since February 2010.  Here we use the breach analysis and graphs created by Software Advice, a medical software research resource, in a recent report on the subject.

The biggest cause of patient data record breaches is theft.  Theft accounts for at least 48% of breaches.  (There were also incidents described as combination, other or unknown, which may also involve theft.)   As an example, a health insurance provider lost nine server drives that included information for 1.9 million people, two years after a portable disk drive was stolen that included personal data for 1.5 million members.  (View our analysis of patient data breaches caused by theft in our previous blog.)

The next largest cause of patient data breaches is unauthorized access.  Unauthorized access is the cause of 18% of data breaches.  These types of breaches have the potential to result in employee action in addition to the other goals that are impacted.  These events may involve outside contractors, or “Business Associates” (BAs).  BAs are involved in 22% of incidents, but account for 48% of impacted individuals due to data loss.  An example of a patient data breach caused by an outside contractor is the case involving records of 20,000 patients, which were posted online by a contractor.  (View our analysis of this data breach in our previous blog.)

Loss accounts for 11% of patient data breaches.  This includes the largest patient data breach from the time period covered, when a TRICARE BA (contractor) lost backup tapes, impacting the records of nearly 5 million patients.  Improper disposal, such as when a shredding company abandoned the records of 277,000 patients in a public park, accounts for 5%.  Hacking also occurred in 6% of breaches, such as when the servers at the Utah Department of Health were broken into and records for almost 800,000 people were stolen.  (Remaining events are classified as a combination of the above, other, or unknown.)

The HIPAA Omnibus Rule clarified liability for Business Associates and subcontractors, which should serve to reduce their involvement in data breaches.  But for the events that don’t involve outside parties, how can these events be reduced?

Focusing on two of the most likely causes of breach – theft and loss – encryption can reduce the risk that data can be accessed if physical devices are stolen.  Laptops account for 22% of breaches, and other portable devices account for 12%.  However, encryption won’t help with paper records, which account for 23% of data breaches.  In these cases, limiting access to records and preventing records from being removed from the storage site can help, as can moving from paper records to electronic health records, which accounted for only 2% of data breaches.  However, the storage devices used for electronic health records, including laptops (as discussed above), network servers (10%) and computers (13%), are more likely to be involved.  Because physical storage devices account for so many data breaches, whether or not electronic records are being used, cloud storage is worth consideration.  Although hacking is still a concern, remember that it accounts for just 6% of breaches – as opposed to theft and loss, which make up nearly 60% of breaches.

To view the proactive analysis/Cause Map of these data breaches, please click “Download PDF” above.

Glitches with Federal Health Care Exchange Website Cause Concern

By ThinkReliability Staff

The website to allow individuals to sign up for the federal Health Care Exchange created as part of the Affordable Care Act opened at midnight on October 1, 2013.  Delays and glitches with the site itself caused difficulties for many trying to enroll.  Three million visitors are said to have visited the site between midnight and 4 p.m. on opening day, though the numbers of how many were actually able to enroll will not be released until November.

This creates a problem not only from a customer service perspective (though that is certainly an important impact to the federal government’s goals of trying to create a consumer-friendly website), but also with regard to the mission of providing affordable healthcare to the population and the labor and time required by federal workers for its success.  Because the cost for healthcare is more for older, sicker parts of the population, more younger, healthier people will need to sign up for the exchanges to keep the insurance affordable.  Some people who go to the website are now being directed to apply by phone or mail.  Because the site incorporates automatic verification of personal information, which must be done manually by employees when people apply in other ways, this increases the cost of the program.

Though specific details on some of the issues facing the exchange have not yet been released, there are some known issues that have been discussed in the media.  One of these is the available capacity for the site.  The site was planned for a maximum of 50,000 simultaneous users.  During the first day of the exchange, the site saw up to five times that many simultaneous users.  The numbers are presented as being based on the maximum of 30,000 simultaneous users of the Medicaid site, but how the actual number was determined is unknown.  An increased burden on the site due to the 36 states that decided not to create their own state-run exchange contributed to the high number of users.  It was thought that the promise of federal money to support the state-run exchanges would encourage more states to participate.

The requirements for the website have been described as “unprecedented” – not only was the website designed to handle a high number of simultaneous users, it also has to share information from multiple data sources, including the Internal Revenue Service, Social Security Administration, and Homeland Security to verify information and determine access to plans and tax credits.  Based on the number of glitches and delays seen in the first weeks of the exchange website, the testing of the launch appears to have been inadequate.  Factors that may have played a part are lack of funding due to lack of support for the Affordable Care Act by Congress, and a delay in creating the infrastructure of the system over a concern that the Act would be overruled by the Supreme Court or Congress.

Information technology experts say that lessons learned from other sites – such as state-run exchanges that have already been successfully operated, or even the Medicaid site – were not applied effectively to the exchange.  The organization tasked with oversight of the exchange – Centers for Medicare and Medicaid Services (CMS) – has little experience with managing a website of this magnitude.  It has also been suggested that the contractors hired to support the site may be less able to react because government contracting can be preferential towards older, more entrenched companies.

As more information is released, the analysis of an issue becomes more detailed and allows for more effective, deliberate solutions.  The information that is currently publicly available was used to create an initial, high-level Outline and Cause Map.  (To view the Outline and Cause Map, please click “Download PDF” above.)

As an immediate, but temporary solution, an online waiting room was created in hopes that it would allow an increased number of users to be on the site at the same time.  Additionally, the ability to browse anonymously – without creating a profile – was incorporated, in hopes that this would decrease traffic to parts of the site that require personal information verification for those who are just looking at the site.

A team of experts has been tapped to fix the glitches with the site.  It’s not clear who will ultimately be responsible for the fixes, though many have recommended the creation of a new position to oversee the entire exchange.  If issues with the site continue to cause delays, the sign-up period may be extended as a back-up solution.  The administration will be watching the fixes to the site carefully and determining what more is needed.  However, they’ve got to hurry – the enrollment period ends December 15 for coverage by January 1, 2014.


United Nations Sued for Role In Haitian Cholera Epidemic

By Kim Smiley

A class action lawsuit has been filed against the United Nations (U.N.) on behalf of Haitian families afflicted by the cholera epidemic that has been raging since 2010.  Many believe that cholera was inadvertently brought to Haiti by U.N. peacekeeping forces.

Some of the basic facts are still debated, but one that is known is that Haiti is experiencing the worst cholera epidemic in modern history with thousands of new cases each month. Nearly 7 percent of the Haitian population has had cholera since 2010.  It’s estimated that around 8,400 people have died of cholera and more than 685,000 have been sickened by the disease.

So why is the U.N. being blamed for this epidemic? A Cause Map, or visual root cause analysis, can be used to explain what many believe occurred.  All causes that contributed to an issue are captured on the Cause Map, which illustrates the cause-and-effect relationships between them.  In this case, people became infected with cholera after drinking contaminated river water.  Many believe that the river was contaminated when sewage leaked from a U.N. camp near the river with inadequate sanitation facilities.  U.N. peacekeepers from Nepal were stationed at the camp and cholera, specifically a nearly identical strain of cholera, was present in Nepal at the time.  It’s assumed that at least one person in the camp had cholera and dangerous wastes managed to contaminate the river. The cholera epidemic seems to be a deadly case of unintended consequences that occurred when the U.N. attempted to aid Haiti following a devastating earthquake.

Once cholera got a foothold in Haiti, the epidemic exploded.  The population had little immunity to the disease because a case hadn’t been seen in Haiti in over a century prior to 2010.  Haiti lacked the sanitation and medical facilities to quickly contain a cholera epidemic.  People continued to drink water from the river because there weren’t many other options. The country had also suffered major damage from the 7.0 magnitude earthquake that hit on January 12, 2010.  Medical facilities, transport facilities, communication systems and all the things a country needs to battle an epidemic had been significantly impacted by the earthquake.  Basically, it was a perfect recipe for a disaster.   A sick U.N. soldier may have brought cholera to Haiti, but the conditions in the country amplified the situation.

The world is still struggling to understand the cholera epidemic and determine what lessons learned should be applied going forward.  Clearly there is something to learn about the need for sufficient sanitation so that illness doesn’t spread unnecessarily.  The U.N. may potentially want to screen troops more closely before stationing them on foreign soil or implement other changes to help prevent anything like this from occurring in the future.  It’s also a powerful reminder to be aware and on the lookout for unintended consequences whenever a solution is implemented.  For example, the U.N. has always had legal immunity, but some believe that may change as a result of the cholera lawsuit.  It’s impossible to predict if a verdict against the U.N. would impact future U.N. aid efforts, but it’s easy to imagine that it could have a damping effect on their efforts, causing a whole other wave of unintended consequences to occur.

To view a high level Cause Map of the cholera epidemic in Haiti, click on “Download PDF” above.

National Effort Improves Cardiac Arrest Survival Rates

By ThinkReliability Staff

October is Sudden Cardiac Arrest (SCA) Awareness Month.  In Northern America, more than 300,000 people are affected every year by out-of-hospital SCA, which occurs when the heart no longer beats properly.  According to the American Heart Association, about 92% of SCA victims die before reaching the hospital.

Survivability of SCA is dependent on the length of time between SCA and chest compressions that allow blood flow to the heart and brain.  This can be accomplished by non-medical personnel using Cardiopulmonary Resuscitation (CPR), known as “bystander CPR”, which can provide lifesaving treatment for a victim of SCA until medical personnel arrive.

In Denmark, the rate of patients who received bystander CPR in 2001 was 21.1%.  The country embarked on a national initiative to improve SCA survivability.  This initiative included increased training of residents as early as elementary school.  Instructional kits were provided, and learning CPR was required in order to receive a driver’s license.  The percent of patients who received bystander CPR increased from 2001 to 2010 to 44.9%.

In addition to the increased education of the general population about CPR, changes were made to improve care provided after SCA by hospitals and emergency medical services.  According to a study in the Journal of the American Medical Association, these changes together have improved the survivability of all stages after SCA.  From 2001 to 2010 in Denmark, cardiac arrest patients arriving at a hospital alive increased from 7.9% to 21.8%.  In addition, 30-day and 1-year survival also increased, from 3.5% to 10.8% and 2.9% to 10.2%, respectively.

Denmark’s initiative hopes to lessen the reluctance bystanders may have to perform CPR due to lack of training.  In addition, the American Heart Association recommended in 2008 that laypersons perform compression-only CPR (no breaths) if they are unable or unwilling to provide rescue breaths.  This may have also decreased the reluctance of bystanders to perform CPR due to concerns about spread of disease, or feeling uncomfortable giving rescue breaths.

Providing additional training to emergency medicine providers can also improve survivability.  Another recent study by the University of Arizona has found that improving the quality and effectiveness of CPR performed by emergency medicine providers improved survival rates.  In the study, rescuers were provided real-time feedback as to the quality of the CPR being provided, as well as training that emphasized a team approach.  Before these interventions, 26% of SCA victims survived to hospital discharge.  After the interventions, 56% of victims survived to discharge.

Although CPR dates back to 1740, improvements in availability and quality are still being found that can increase survivability of SCA victims.  Because quick and effective action is so important, the contribution of non-medically-trained bystanders to the survival rate after SCA provides strong support for layperson CPR training.

To view the Outline and Cause Map including the cause-and-effect of the improvements to survival rate in Denmark as a result of interventions and improvements, please click “Download PDF” above.

New Prostate Cancer Tests Look Promising

By Kim Smiley

One in six American men will be affected by prostate cancer during their lives, making prostate cancer the most common non-skin cancer.  Despite the number of people impacted by this disease, screening and treating prostate cancer remains problematic and even controversial at times.

This issue can be analyzed by building a Cause Map, an intuitive format for performing a root cause analysis.  The first step in the Cause Mapping process is to fill in an Outline with the basic background information.  How the issue impacts the overall goals is also documented in the Outline.  In this example, there are several significant impacts that need to be considered.  The first is that it’s estimated that about 30,000 men will die from prostate cancer in the US in 2013.  The second major issue is that many men are treated unnecessarily for prostate cancer.  Unnecessary treatments are a waste of resources and the side effects cause significant suffering.  The next step of the Cause Mapping process is to build the actual Cause Map by asking “why” questions and laying out the causes visually to show the cause-and-effect relationships.  (To see a high level Cause Map for this issue, click on “Download PDF” above.)

One of the factors that leads to so many deaths from prostate cancer is that it is generally found at later stages.  Most patients have few symptoms with early-stage prostate cancer, and current screening methods for prostate cancer are far from perfect.  Conditions other than prostate cancer, such as enlarged prostates, can result in positives during blood tests for prostate cancer.  The positive indications of cancer then trigger needle biopsies in areas of the body no one wants biopsied.  Less than half of these follow-up biopsies find cancer cells.  Physical exams for prostate cancer are uncomfortable and usually only find larger cancers.  Additionally, many prostate cancers grow so slowly that they will not impact a patient’s life span and do not require treatment, but there is currently no test that can accurately determine whether a prostate cancer is dangerous.

This inability to distinguish between types of prostate cancer is what leads to so many being treated unnecessarily for prostate cancer.  Many patients opt for treatment once prostate cancer is found because they have no way of really knowing whether it’s safe to leave the cancer untreated.  But treatment is not without significant costs, both financially and in suffering.  Many of the prostate cancer treatments, such as radiation or surgery, can cause major side effects such as incontinence or sexual dysfunction.  Most patients will willingly undergo treatment for life-threatening cancers, but it’s terrible that some patients endure cancer treatments without need.

The final step in the Cause Mapping process is to find solutions.  In this example, the good news is that many researchers are working to develop better prostate cancer tests, which would rapidly lead to better patient care.   Better tests could save lives by finding prostate cancers earlier and could help reduce unnecessary treatment by identifying the more dangerous cancers.  A urine test for prostate cancer is now available that has been found to be more accurate than current screening methods.  Other research groups are working to develop other urine prostate tests with a focus on developing accurate, low cost tests that can be performed at home.  None of these tests are perfect yet, but they are a significant step in the right direction.