“Data,” according to PriceWaterhouseCoopers, “is quickly becoming one of the health industry’s most treasured commodities. In just the last year and a half, a breach of personal health information occurred, on average, every other day. Breaches erode productivity and patient trust, are costly, unpredictable, and unfortunately quite common.” The consultancy’s Old data learns new tricks: Managing patient security and privacy on a new data-sharing playground describes those “new tricks” for healthcare’s “new playground.”
Debra Beaulieu, in a FiercePracticeManagement brief on an American Medical News report, writes: “The biggest security threat to your patients' health information isn't malicious hackers, as some practices might think, but rather simple carelessness among your staff.”
“A recent $1 million fine against Massachusetts General Hospital after an employee inadvertently left a stack of papers on a subway car teaches us that they can have serious consequences.”
“Humans truly are the biggest vulnerability within an organization with regard to security and privacy,” said Rebecca Herold, a privacy and data security consultant based in Iowa.
“A February report from accounting firm Kaufman, Rossin & Co. found, for example, that practices and hospitals are most likely to experience a breach because of an employee losing a thumb drive, mobile device or paperwork, American Medical News reports.”
“To avoid these risks, practices need to be aware of the multiple places where their information is stored and how it flows throughout the organization, regardless of whether it is on paper or electronic,” Jorge Rey, an information and IT audit manager for Kaufman, Rossin & Co., told Amednews.
Separately, in an American Medical News Technically Speaking article “How to ensure a lost mobile device won’t cause a data breach,” Pamela Lewis Dolan observed “With an estimated 80% of physicians using a mobile device on the job, a lot of patient data is vulnerable to breaches unless steps are taken to protect it. Data encryption is the one thing that protects physicians from having to report a breach if data go missing.”
Ms. Dolan identifies several steps providers can take to secure data on mobile devices, including:
- picking the right device by explaining to the mobile device vendor exactly what you will use the phone for and what you need to have encrypted, and encrypting that data using an encryption app; and
- not assuming that data on a cloud-based app are safe.
“In most cases, breaches happen not because people have malicious intents. ‘The real lesson,’ Kevin Haley, director of product management at Symantec Security Response, said, ‘is that people are not evil, but curious. So we really need to protect this data.’”
CSO Security and Risk reported in Healthcare security needs a booster shot, “theft of records accounted for 66 percent of reported health data breaches during the previous two years. Also, just over one-third of hospitals and physician groups reported cases of medical identity theft. And 54 percent of health organizations reported at least one issue with information privacy and security over the past two years.”
“Pete Lindstrom, research director at Spire Security, warned: ‘The industry is exposing the data to the world and making more complex apps, and they're getting hacked as a result.’”
“As one would suspect, commonly it's insider improper use of protected health information, with 40 percent of providers saying that has happened in their organization during the 24 months prior to the survey.”
Apparently, establishing and maintaining healthcare data security are not mere “the sky is falling!” or “cry wolf!” problems. On March 28, 2012, SiloBreaker linked to a WSJ.com video news report, FBI Cyber Chief: U.S. Losing War Against Hackers. “We're not winning,” FBI executive assistant director Shawn Henry said. “An organization must monitor its data system with the assumption that you have already been breached.”
“The capabilities of hackers with the software tools at their disposal too often make them more successful at getting data than the people who are paid to prevent unauthorized access to data.”