In April the FBI issued an alert to health care organizations warning that they were not as secure as they think they are.
The biggest vulnerability was the belief among health care IT professionals that their current perimeter defenses and compliance strategies were working, when the data clearly states otherwise.
This week California Attorney General Kamala Harris issued her second data breach report and said that, if two huge breaches of retail data were not counted, health care would have been the most breached of all industries. The report stressed that encrypting data is the best deterrent to implement.
If the Target and LivingSocial breaches were removed from the data set, health care breaches would rank first in the number of records affected.
The California report included evidence that hacking is less of a threat to health care than losing devices containing Protected Health Information (PHI).
Unlike other industry sectors, where computer intrusions caused the majority of breaches, in health care 70 percent of breaches reported in the past two years were the result of stolen or lost hardware or digital media containing unencrypted personal information.
Bluntly, the California Attorney General tells medical practices they owe it to their patients to encrypt data.
Nearly half of the health care breaches were desktops and laptops that were stolen not from employees’ homes or cars, but from the workplace. Breaches of this type are preventable. An affordable solution is widely available – full disk strong encryption, to the standard set by the National Institute of Standards and Technology. This is a lesson that must be learned by the health care industry and applied not only to laptops and portable media as we recommended in last year’s report, but also to computers in offices.
The desktop computer in an office can be encrypted when shut down at night and decrypted in the morning. If someone should break in after hours and steal the computer, the data on it would not be accessible. Even small practices that lack full-time information security and IT staff can do this. They owe it to their patients to do it now.
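The report's recommendation is that every office desktop and laptop holding PHI be covered by full disk encryption. The script below is an added example, not part of the Attorney General's report or this post: it audits a Windows machine with the BitLocker PowerShell module (Windows 8 / Server 2012 or later, run from an elevated prompt) and flags any volume that is not fully encrypted with protection switched on, which is the state a stolen machine would need to be in for the data to stay inaccessible.

```powershell
# Added example (not from the original post): audit whether every volume
# BitLocker knows about on this workstation is fully encrypted AND has
# protection turned on. A volume that is "FullyEncrypted" but has protection
# suspended still boots with the key in the clear, so both checks matter.
# Assumes the BitLocker module is present and the shell is elevated.

function Get-FdeAuditResult {
    $findings = foreach ($vol in Get-BitLockerVolume) {
        $compliant = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                     ($vol.ProtectionStatus -eq 'On')
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType          # OperatingSystem or Data
            VolumeStatus     = $vol.VolumeStatus        # FullyEncrypted, FullyDecrypted, ...
            ProtectionStatus = $vol.ProtectionStatus    # On or Off (Off = suspended/unprotected)
            Method           = $vol.EncryptionMethod    # e.g. XtsAes256, Aes256
            Protectors       = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
            Compliant        = $compliant
        }
    }
    return $findings
}

$results = Get-FdeAuditResult
$results | Format-Table -AutoSize

# Any non-compliant volume is exactly the scenario the report describes:
# a machine stolen from the office after hours with readable PHI on it.
$unprotected = @($results | Where-Object { -not $_.Compliant })
if ($unprotected.Count -gt 0) {
    Write-Warning ("{0} volume(s) would expose data if this machine were stolen: {1}" -f
        $unprotected.Count, (($unprotected | ForEach-Object { $_.MountPoint }) -join ', '))
    exit 1
}
Write-Output "All volumes are fully encrypted with protection on."
exit 0
```

Run it from a scheduled task or your endpoint management tool and treat a non-zero exit code as a finding; the same check run on a fleet gives an inventory of exactly which office computers would become reportable breaches if carried out the door.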
On January 1, 2015, California’s new AB 1710 data breach law will require any business that loses Social Security or Drivers’ License numbers to pay for the victims’ credit monitoring for one year. Medical records often contain this information. At roughly $100 per record, if you lose 20,000 patient records you will have to pay $2 million just in credit monitoring fees, not counting notification costs, penalties, legal fees, and any loss of business.
In both the 2012 and 2014 data breach reports the Attorney General called for legislation requiring encryption.
To be effective, full disk encryption of all portable devices and media is preferable to protecting only those known to be used for sensitive information or to allowing users to choose what data to encrypt on the devices. We recommend amending current California law to require the use of encryption to protect personal information on portable devices and media and in email.
Don’t think California’s laws affect you? The report points out that California’s “landmark breach notification law… has served as a model for 47 other states as well as for jurisdictions around the world.”
Need help understanding encryption? Want to know what is really going on with the security of patient data? Ask us about the surprises we have found in medical practices, hospitals, and with their Business Associates.