Transforming IT

Are you on the Healthcare Security Wall of Shame?

TSchreider on 08-01-2014 07:34 AM


Did you know that you are seven times more likely to experience a healthcare-related data breach in Alaska versus Maine? Well neither did I. However, when I started looking a little closer at the HHS Wall of Shame portal, I saw what most everybody else sees, that California, Texas, Florida, New York and Illinois have the greatest number of reported data breaches. The most populous states have the most data breaches, big surprise right?


Right about now you are saying, "tell me something we do not know." Well, OK, I will. I will don my medical scrubs, assume the role of Dr. Facts, and triage the data. It turns out the initial diagnosis, that the biggest states have the most data breaches, is a little misleading. It is true that they have the raw numbers; however, when you normalize the data by the number of hospitals in each state and then further by the number of beds, the picture of data breaches on a per capita basis, of sorts, changes dramatically.


After normalization, our previous top five poster-child states for data breaches (California, Texas, Florida, New York and Illinois) drop dramatically lower on the list and are replaced by Alaska, Puerto Rico, Washington DC, Rhode Island and Washington. Now a little truth in data mining: not all data breaches occurred at hospitals, so why use that as a per capita baseline? The working assumption for this analysis is that hospitals would represent a reasonable baseline inasmuch as there is a proportionate number of clinics, pharmacies and doctor's offices associated with each hospital.
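The two-step normalization described above, worked through as an added example that is not part of the original post. The state figures in SAMPLE are constructed for illustration and are not taken from the HHS portal; the point is only to show how a ranking built on raw counts reorders once counts are divided by hospitals and then by beds.

```python
# Added example, not from the original post: re-ranking states once raw
# breach counts are normalized by hospitals and by beds. All numbers in
# SAMPLE are constructed for illustration and are not HHS Wall of Shame data.
from typing import Dict, List, Tuple

# state -> (reported breaches, hospitals, staffed beds); constructed values
SAMPLE: Dict[str, Tuple[int, int, int]] = {
    "CA": (120, 400, 75000),
    "TX": (95, 380, 60000),
    "AK": (7, 20, 1500),
    "RI": (5, 12, 2500),
    "ME": (2, 35, 3200),
}


def raw_counts(data: Dict[str, Tuple[int, int, int]]) -> Dict[str, float]:
    """Unnormalized view: the one the portal shows by default."""
    return {state: float(breaches) for state, (breaches, _, _) in data.items()}


def per_hospital(data: Dict[str, Tuple[int, int, int]]) -> Dict[str, float]:
    """Breaches per hospital: the first normalization step from the post."""
    return {state: breaches / hospitals
            for state, (breaches, hospitals, _) in data.items()}


def per_1000_beds(data: Dict[str, Tuple[int, int, int]]) -> Dict[str, float]:
    """Breaches per 1,000 staffed beds: the second normalization step."""
    return {state: breaches / (beds / 1000)
            for state, (breaches, _, beds) in data.items()}


def ranking(rates: Dict[str, float]) -> List[str]:
    """States ordered from highest to lowest rate."""
    return sorted(rates, key=lambda s: rates[s], reverse=True)


def rate_ratio(rates: Dict[str, float], high: str, low: str) -> float:
    """How many times higher one state's rate is than another's."""
    return rates[high] / rates[low]


if __name__ == "__main__":
    for label, rates in (("raw count", raw_counts(SAMPLE)),
                         ("per hospital", per_hospital(SAMPLE)),
                         ("per 1,000 beds", per_1000_beds(SAMPLE))):
        print(f"{label:15s}: {ranking(rates)}")
    beds = per_1000_beds(SAMPLE)
    print(f"AK vs ME per 1,000 beds: {rate_ratio(beds, 'AK', 'ME'):.1f}x")
```

With these constructed inputs the raw ranking leads with the two large states, the per-hospital ranking already moves the small ones ahead of them, and the per-bed ranking puts the smallest state on top; whichever denominator you choose is the baseline assumption the analysis rests on, so state it alongside the result.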


Next, let us examine the types of breaches that have occurred. Old-school physical theft and loss accounted for over 60 percent of the breaches, rather than the more glamorous hacking-oriented breaches.




Just where are these breaches occurring within the attack surface of the organizations? The following will give you some insight.




Based on this analysis, what can we prescribe to vaccinate ourselves from similar events? The list below would be a great start:


  • Physically protect laptops and servers from theft.

  • Encrypt all laptops and servers that hold PII.

  • Train personnel on data custody and handling.

  • Dispose of electronic equipment properly.

I cannot emphasize the disposal aspect enough. In one case, a large Health Plan paid a fine of over $1 million when it was learned that a photocopier leased by the company was returned upon its lease expiration containing over 300,000 patient records on its hard drive. Ouch! 
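One way to make the disposal step verifiable rather than a matter of trust, as an added example that is not from the original post: scan a drive image block by block before leased or retired equipment leaves the building, and refuse to sign it off if any block still holds recognizable data. The images scanned here are constructed in memory; the printable-run and SSN-shaped markers are constructed heuristics, not an official sanitization standard.

```python
# Added example, not from the original post: a last-look sanitization check
# for a drive image before leased equipment (the photocopier case above) is
# returned. The images below are constructed in memory; a real run would
# read the device or its image file in the same block-sized chunks.
import math
import random
import re
from collections import Counter
from typing import Dict

BLOCK = 4096
# Signs of residual data: a long run of printable ASCII (documents, scans
# with OCR text, logs) or a constructed SSN-shaped pattern as a PII marker.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{32,}")
PII_PATTERN = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
RANDOM_ENTROPY_FLOOR = 7.0  # bits/byte; a random overwrite scores ~7.9


def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte: 0 for uniform data, close to 8 for random."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def classify_block(block: bytes) -> str:
    """zero: zero-filled; residual: recognizable data; random: overwritten
    with random data; unknown: structured but unrecognized content."""
    if not any(block):
        return "zero"
    if PII_PATTERN.search(block) or PRINTABLE_RUN.search(block):
        return "residual"
    if shannon_entropy(block) >= RANDOM_ENTROPY_FLOOR:
        return "random"
    return "unknown"


def scan_image(image: bytes) -> Dict[str, int]:
    """Count block classifications across the whole image."""
    counts: Counter = Counter()
    for offset in range(0, len(image), BLOCK):
        counts[classify_block(image[offset:offset + BLOCK])] += 1
    return dict(counts)


def looks_sanitized(image: bytes) -> bool:
    """Pass only if every block is zero-filled or random; anything
    recognizable or unexplained means the media should not leave."""
    counts = scan_image(image)
    return counts.get("residual", 0) == 0 and counts.get("unknown", 0) == 0


# Constructed test images: one with a leftover record, one zero-wiped,
# one overwritten with seeded random bytes so the run is reproducible.
_record = b"Patient: Jane Doe  SSN 123-45-6789  DOB 1970-01-01  Dx: hypertension"
UNWIPED_IMAGE = b"\x00" * BLOCK + _record.ljust(BLOCK, b"\x00") + b"\x00" * BLOCK
ZERO_IMAGE = b"\x00" * (3 * BLOCK)
_rng = random.Random(2014)
RANDOM_IMAGE = bytes(_rng.getrandbits(8) for _ in range(3 * BLOCK))

if __name__ == "__main__":
    for name, img in (("unwiped", UNWIPED_IMAGE), ("zeroed", ZERO_IMAGE),
                      ("random", RANDOM_IMAGE)):
        print(f"{name:8s} {scan_image(img)} sanitized={looks_sanitized(img)}")
```

The check is deliberately conservative: a block it cannot explain as either zero-filled or random fails the image, because the cost of a false "clean" verdict is the fine and notification described above, while the cost of a false alarm is one more wipe pass. It complements, rather than replaces, full-disk encryption on the device, which makes any residual data unreadable even when a wipe is skipped.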


If you want a second opinion on your data and media disposal practices, check out HP's Asset Recovery services. I would also like to hear from you on your treatment plan for protecting your organization's private health information, so drop me a line.


About the Author


Tari is a Distinguished Technologist with 30 years of IT and cyber security experience. He is dual board certified in information security/business continuity and is responsible for a wide range of management and technology consulting services encompassing information security, disaster recovery, privacy, and risk management. His problem-solving skills, his knowledge of various technology platforms, compliance statutes and industries, and his experience in deploying defense-in-depth and InfoSec Program solution architectures are commonly applied when advising CIOs/CISOs and are leveraged in numerous HP client engagements throughout the world. Tari has designed, built, and managed some of the world’s largest InfoSec programs, allowing them to defend against even the most aggressive attackers.
