Transforming IT

Are you on the Healthcare Security Wall of Shame?



Did you know that you are seven times more likely to experience a healthcare-related data breach in Alaska versus Maine? Well, neither did I. However, when I started looking a little closer at the HHS Wall of Shame portal, I saw what most everybody else sees: that California, Texas, Florida, New York and Illinois have the greatest number of reported data breaches. The most populous states have the most data breaches, big surprise, right?


Right about now you are saying, "tell me something we do not know." Well ok, I will. I will don my medical scrubs, assume the role of Dr. Facts, and triage the data. Well guess what, the initial diagnosis that the biggest states have the most data breaches is a little misleading. It is true that they have the numbers; however, when you normalize the data using the number of hospitals in each state and then further normalize the data by the number of beds, you can see that the picture of data breaches on a per capita basis, of sorts, changes dramatically.


After normalization, our previous top five poster-child states for data breaches (California, Texas, Florida, New York and Illinois) drop dramatically lower on the list and are replaced by Alaska, Puerto Rico, Washington DC, Rhode Island and Washington. Now a little truth in data mining: not all data breaches occurred at hospitals, so why use that as a per capita baseline? The working assumption for this analysis is that hospitals would represent a reasonable baseline inasmuch as there is a proportionate number of clinics, pharmacies and doctor's offices associated with each hospital.


Next, let us examine the types of breaches that have occurred. As you can see, old-school physical theft and loss accounted for over 60 percent of the breaches, rather than the more glamorous hacking-oriented breaches.




Just where are these breaches occurring within the attack surface of the organizations? The following will give you some insight.




Based on this analysis, what can we prescribe to vaccinate ourselves from similar events? The list below would be a great start:


  • Physically protect laptops and servers from theft.

  • Encrypt all laptops and servers with PII.

  • Train personnel on data custody and handling.

  • Dispose of electronic equipment properly.

I cannot emphasize the disposal aspect enough. In one case, a large Health Plan paid a fine of over $1 million when it was learned that a photocopier leased by the company was returned upon its lease expiration containing over 300,000 patient records on its hard drive. Ouch! 


If you want a second opinion on your data and media disposal practices, check out HP's Asset Recovery services. I would also like to hear from you on your treatment plan for protecting your organization's private health information, so drop me a line.


About the Author


Tari is a Distinguished Technologist with 30 years of IT and cyber security experience. He is dual board certified in information security/business continuity and is responsible for a wide range of management and technology consulting services encompassing information security, disaster recovery, privacy, and risk management. His problem-solving skills, knowledge of various technology platforms, compliance statutes, and industries, as well as his experience in deploying defense-in-depth and InfoSec Program solution architectures, are commonly applied when advising CIOs/CISOs as well as leveraged in numerous HP client engagements throughout the world. Tari has designed, built, and managed some of the world’s largest InfoSec programs, allowing them to defend against even the most aggressive attackers.
