BreachExchange mailing list archives

Another day, another breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 8 May 2014 18:46:38 -0600

http://www.healthcareitnews.com/blog/another-day-another-breach

Today, patient data resides everywhere – desktops, laptops, smartphones,
tablets and USB drives. Understandably so – given the rise of mobile
computing and bring-your-own-device (BYOD) policies in healthcare, the once
straightforward process of protecting patients’ private health information
has since evolved into a complex and overwhelming undertaking. Gone are the
days when personal health information lived solely in a giant filing cabinet.

When we refer to personal health information at risk, we’re not just
talking about historical health records – the potential for a data breach
casts a much wider net, including patient billing information, clinical
trial data and even employee information like payroll numbers. With so much
sensitive, unprotected data up for grabs, we’re inclined to ask ourselves:
why? Why does this keep happening, and what can we do to fix it?

Think of it this way: according to a recent study, 81 percent of
healthcare organizations are now allowing employees and medical staff to
use their personal laptops and mobile devices to connect to provider
networks or access company email. Interestingly enough, the same study
found that of that 81 percent of healthcare institutions enabling a BYOD
strategy, 54 percent did not believe that those devices were secure enough
in the workplace. 65 percent of data breaches reported to the Ponemon
Institute over the last 5 years occurred on laptops and mobile devices.
With these kinds of statistics, it’s really no wonder that more than half
of those surveyed aren’t confident in the security of their devices, right?

Below are the top 3 gaping security holes in remote healthcare data
practices that answer our question of why this rise in breaches is
happening:

Ignorance of Government Regulations

According to a recent report, HIPAA data breaches have increased by 138
percent since 2009. It’s easy to get caught up in the hype around
compliance and regulation, but ultimately you can end up missing the bigger
picture of what compliance is meant to accomplish. Regulations aside, healthcare
CIOs and CSOs need to ensure that they are still performing a
comprehensive, thorough analysis of their security infrastructure.
Furthermore, compliance is technically a one-time snapshot or status of
where things stand – or should stand. Given the fluidity of IT and the
continually emerging threats and vulnerabilities, focusing on
compliance alone is short-sighted and can create a false sense of
security that your mobile systems and information are truly secure.

Inadequate Resources & Budgeting Allocations

According to a recent study from Cisco, 63 percent of healthcare
institutions do not feel that they have sufficient resources to defend
against a security breach. The same study found that 66 percent of
healthcare institutions did not feel that their security budgets
were sufficient for the capabilities needed.

CIOs and CSOs don’t have the luxury of waiting until the time is just right
to invest in data security technology. Data is sensitive, especially that
within the healthcare industry. Leaders in this space must start
incorporating better practices when it comes to protecting patient data.

Internal Employee Negligence

Mistakes happen; we’re all human. Unfortunately, human error such as
negligence continues to top the list of causes of data breaches. Examples
of employee negligence range from misplacing a USB drive storing private
patient health information to accidentally leaving a laptop in a public
place. Encryption is the only failsafe way to ensure that private health
information is not compromised if a device has been lost or stolen.

Fighting Back

As we mentioned earlier, patient data is everywhere – mobile devices,
laptops, desktops and even medical devices like wireless heart pumps and
mammogram imaging tools. Health data has evolved into a matrix of
interrelated data, flowing from patients/customers to physicians,
diagnostic clinicians, pharmacists and medical insurance billing
specialists, among others. The industry as a whole must look beyond simple
data security/compliance and towards a holistic security program that
fosters a long-term data security strategy. The most effective and
comprehensive strategies are centered on protecting actual data and not
just the device – however, it’s equally important to allow for ease-of-use
and accessibility.

As we look ahead, managing information risk is more than just addressing
the checkbox items. Healthcare CIOs and CSOs need to first understand what
kind of mobile and remote solutions they have at hand, how these devices are
putting private health information at risk and what can be done to remain
secure.

We recommend that data is encrypted both at rest and on mobile devices.
Encryption needs to be transparent enough for IT admins working
behind the scenes to integrate the capability across platforms
seamlessly, with no disruption to the end-user experience. It’s
important to remember that, as important as data security is in the
healthcare industry, accessibility and providing the best patient care
are top of mind for providers.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss