CSO - Protected health information (PHI) is apparently not so well protected.
According to "Breach Report 2011: Protected Health Information" by the IT security firm Redspin, 19 million patient health records were breached last year, a 97-percent increase from 2010.
One obvious reason for the spike, according to the report, is simply that PHI is increasingly digitized. As Redspin President and CEO Daniel W. Berger put it, instead of a person sneaking out of a medical office with 30 patient files, it is now possible to steal millions of records at a time.
Indeed, while the most breaches occurred in the most populous states, like California, Texas, New York, Florida and Illinois, the number of records compromised had more to do with the information being held on unsecured storage devices<./a>.
Nearly all of almost 5 million individual records compromised in Virginia were from a single breach, which happened when data on backup tapes were stolen from the car of a Tricare employee.
There are other reasons as well -- among them the rapid increase in portable devices and media being used in health care, coupled with a lack of security protocols and a lack of sophisticated fraud detection systems. Berger says federal regulations so far don't even require PHI to be encrypted when it is on transportable devices. In short, once files are stolen, they are exposed.
But perhaps most significant is that health records can be a financial mother load for thieves.
PHI data, "is much more valuable than credit card information," Berger says. "It often includes deeper data: name, address, Social Security Number, diagnosis codes, insurance information, personal medical history etc."
That depth of data, "makes general impersonation more believable," he says. "Most importantly, once such a record is breached, it is potentially 'in the wild' forever, unlike credit card numbers, which can simply be changed."
And it can provide access to, "multiple types of fraud, including insurance fraud, prescription drug theft, etc."
The porous security of PHI does not seem to be for lack of spending. The Princeton, N.J-based consulting firm The Boyd Company has estimated that spending on health data security will hit $40 billion this year and climb to $70 billion by 2015 -- much of that to meet government compliance standards.
Berger believes that is because security in health care is viewed more as a project than a process, and so far is not making those records more secure.
"The adoption of electronic health records has been spurred by billions of dollars of government incentives. Yet, while HIPAA/HITECH require security policies, controls and other protections, enforcement of these measures has been lacking in many respects," he says.
But, of course, risks to healthcare organizations for PHI breaches go far beyond penalties imposed by federal regulators. They could include costs of restitution, legal fees, media relations, brand damage, and exposure to class-action lawsuits.
"Electronic health records provide the largest efficiency gain per dollar spent, but ensuring their security is the only way to realize that gain. Otherwise data breach costs will undermine the economics and erode patient confidence," Berger says.
Read more about pci and compliance in CSOonline's PCI and Compliance section.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Top tips for securing big data environments - Why big data doesn't have to mean big security challenges Organizations don't have to feel overwhelmed when it comes to securing big data environments. The same security fundamentals for securing databases, data warehouses...
- Top 3 Myths about Big Data Security : Debunking common misconceptions about big data security Big data represents massive business possibilities and competitive advantage for organizations that are able to harness and use that information. But how are...
- Three guiding principles for data security and compliance Data security is a moving target-as data grows, more sophisticated threats emerge; the number of regulations increase; and changing economic times make it...
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva.
- How SIEM Addresses the Challenges of Big Security Data This webcast will help you understand today's big data security challenges and how intelligent and scalable SIEM solutions give IT the tools and... All Data Security White Papers | Webcasts