167 large health data breaches noted in U.S. in 2010

WASHINGTON, D.C. – Some 167 major health information breaches, at hospitals and medical organizations across the country, were posted on the U.S. government’s breach list at the end of 2010.

The Department of Health and Human Services’ Office for Civil Rights began posting incidents to its breach list on Feb. 22, 2010, for cases dating back to Sept. 22, 2009. The office tracks cases affecting 500 or more individuals. Of the breaches reported so far, 47 occurred in 2009 and 167 in 2010.

The tally, mandated under the HITECH Act, has served as an eye-opener, making many healthcare organizations much more aware of their security risks. Fear of bad publicity from reporting a security incident is also proving to be a powerful motivator for breach prevention. “We need to get more vigilant,” notes Charles Christian, CIO at Good Samaritan Hospital in Vincennes, Ind. His hospital is updating its risk assessment and investing in several new technologies aimed at preventing breaches.

The breach list also has called attention to the No. 1 threat: the loss or theft of unencrypted computer devices, which account for 57 percent of all incidents so far. Roughly 27 percent of the major breaches involve the theft or loss of a laptop.

The HITECH breach notification rule includes a “safe harbor” that exempts the reporting of breaches of information that was encrypted using a specified standard.

“The most immediate issue for most healthcare organizations is encrypting laptops,” Kate Borten, president of the Marblehead Group, told Healthcare InfoSecurity. “Getting less attention, but still important, is the issue of encrypting backup tapes and disks stored offsite. But once laptops and backups are encrypted, the harder challenge is securing other portable devices and media, such as smart phones and USB drives. I see this as the next major challenge, and I believe it will be the major pain point for years to come.”

Thanks to the federal breach list, hospitals are now paying much closer attention to the potential high cost of dealing with breaches, says Richard Jankowski, information security officer at Memorial Sloan-Kettering Cancer Center in New York. “It gives organizations a lot of justification for spending money on encryption.”

Sloan-Kettering has encrypted all its laptops. In 2011, it will encrypt thumb drives, as well as sensitive information in back-end databases as part of its ongoing breach prevention campaign, Jankowski explains.


Posted January 13, 2011