167 large health data breaches noted in U.S.
WASHINGTON, D.C. – Some 167 major
health information breaches, at hospitals and medical organizations
across the country, were posted on the U.S. government’s breach list at
the end of 2010.
The Department of Health and Human Services’ Office for Civil Rights
began posting incidents to its breach list on Feb. 22, 2010 for cases
dating back to Sept. 22, 2009. The office tracks cases affecting 500 or
more individuals. Of the breaches reported so far, 47 occurred in 2009
and 167 in 2010.
The tally, mandated under the HITECH Act, has served as an eye-opener,
making many healthcare organizations much more aware of their security
risks. Fear of bad publicity from reporting a security incident is also
proving to be a powerful motivator for breach prevention. “We need to
get more vigilant,” notes Charles Christian, CIO at Good Samaritan
Hospital in Vincennes, Ind. His hospital is updating its risk assessment
and investing in several new technologies aimed at preventing breaches.
The breach list also has called attention to the No. 1 threat: the loss
or theft of unencrypted computer devices, which accounts for 57 percent
of all incidents so far. And roughly 27 percent of the major breaches
involve the theft or loss of a laptop.
The HITECH breach notification rule includes a “safe harbor” that
exempts the reporting of breaches of information that was encrypted
using a specified standard.
“The most immediate issue for most healthcare organizations is
encrypting laptops,” Kate Borten, president of the Marblehead Group,
told Healthcare InfoSecurity. “Getting less attention, but still
important, is the issue of encrypting backup tapes and disks stored
offsite. But once laptops and backups are encrypted, the harder
challenge is securing other portable devices and media, such as smart
phones and USB drives. I see this as the next major challenge, and I
believe it will be the major pain point for years to come.”
Thanks to the federal breach list, hospitals are now paying much closer
attention to the potential high cost of dealing with breaches, says
Richard Jankowski, information security officer at Memorial
Sloan-Kettering Cancer Center in New York. “It gives organizations a lot
of justification for spending money on encryption.”
Sloan-Kettering has encrypted all its laptops. In 2011, it will encrypt
thumb drives, as well as sensitive information in back-end databases as
part of its ongoing breach prevention campaign, Jankowski explains.
Posted January 13, 2011