BreachExchange mailing list archives

Hospitals seeing more patient data breaches


From: blitz <blitz () ken-ton net>
Date: Mon, 23 Apr 2012 16:51:08 -0400


Yeah, put that sensitive data in one of the Mickey-Mouse clouds....
It's always been about making that very data easy to steal, part of the
police-state spying.

When my doctor wrote down information on a piece of paper in my file, it got locked up at night.
NO such assurances are there today. You buy HIPAA compliant software, and some nurse-aid who doesn't know anything about
computers and has a password of "nurse" is supposed to protect it. Right.
Expect this trend to mushroom.

 

 
<http://www.networkworld.com/news/2012/041312-hospital-data-breaches-258270.html>

 

Hospitals seeing more patient data breaches

Survey says breach problems originate from mobile devices more often

By Ellen Messmer <http://www.networkworld.com/Home/emessmer.html>, Network World
April 13, 2012 02:17 PM ET


A bi-annual survey of 250 healthcare organizations shows that the percentage
experiencing a patient data breach is up. And with the growth in electronic
records-keeping, more of those problems are originating from laptops and
mobile devices rather than a human slip-up in handling paper documents. 

 


"Use of new technologies, in particular mobile devices in the workplace,
have skyrocketed, creating new operational efficiencies and security
vulnerabilities," noted the survey report, entitled the "2012 HIMSS
Analytics Report: Security of Patient Data." The organization Healthcare
Information and Management Systems Society
<http://www.himssanalytics.org/home/index.aspx> also pointed out, "As
mobile devices proliferate in exam rooms and administrative areas, so do the
associated vectors of potential attack. Adding to this are the risks from
employee negligence and organizational policies that have not kept pace with
ever-changing technology."


The survey, commissioned by Kroll Advisory Solutions, asked chief
information officers, health information managers, chief privacy officers
and chief security officers working at 250 hospitals and medical centers
about the number of data breaches
<http://www.networkworld.com/slideshows/2011/062211-data-breach.html> they
knew about over the past 12 months.

The survey found 27% of the respondents had at least one security breach
over the past year, up from 19% in 2010 and 13% in 2008. The survey found
79% were attributed to employees, while most others were chalked up to
actions from outsourced or contract employees. Over half of the problems
were identified as "unauthorized access to information," typically the
patient's name and birth date, by an individual.

While misuse of paper records, including their "improper destruction," was
blamed over 40% of the time, the survey did show that computer-based
security issues are multiplying fast, with the source of data attributed to
actions or loss related to a laptop or handheld device about 22% of the
time, up from 11% in 2010. Problems with data breaches related to
third-party vendors storing healthcare data are also growing, reported this
year at 10%, up from 6% in 2010. In contrast, network breaches attributed to
outside attacks were about 3%.

The report says 31% of respondents indicated that information available on a
portable device was among the factors most likely to contribute to the risk
of a breach, up from 20% that said that in 2010 and 4% in 2008. Twenty-two
percent of the respondents reporting a breach said the data was compromised
when a laptop, handheld device or computer hard drive was lost or stolen,
which is double the number who said this in 2010.

The report says the vast majority of healthcare institutions conduct formal
risk analysis, relying mainly on federal guidelines such as CMS Meaningful
Use requirements
<http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/index.html?redirect=/ehrincentiveprograms>
and the National Institute of
Standards and Technology. The goal is to comply with the mandates of the
American Recovery and Reinvestment Act of 2009
<http://www.recovery.gov/Pages/default.aspx>, which includes funding for
healthcare records, and the HITECH Act, which contains penalties for
security lapses related to misuse of patient healthcare information
<http://www.networkworld.com/news/2009/102909-hitech-act.html>.

The report says almost all the survey's respondents had taken steps to
prepare their hospitals and medical centers for a possible federally-run
Office of Civil Rights HIPAA audit <http://www.hhs.gov/ocr/privacy/>. Four
percent had been audited and 90% in this case indicated they'd try to
prepare better in the future. Two percent of all respondents said their
organization had been fined as a result of a HIPAA violation.

Ellen Messmer is senior editor at Network World, an IDG publication and
website, where she covers news and technology trends related to information
security.

 







_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
