Transforming IT
Are you on the Healthcare Security Wall of Shame?

TSchreider on ‎08-01-2014 07:34 AM


Did you know that you are seven times more likely to experience a healthcare-related data breach in Alaska than in Maine? Well, neither did I. However, when I started looking a little closer at the HHS Wall of Shame portal, I saw what most everybody else sees: California, Texas, Florida, New York and Illinois have the greatest number of reported data breaches. The most populous states have the most data breaches, big surprise, right?

Right about now you are saying, "tell me something we do not know." Well, ok, I will. So let me don my medical scrubs, assume the role of Dr. Facts, and triage the data. Well, guess what: the initial diagnosis that the biggest states have the most data breaches is a little misleading. It is true that they have the raw numbers; however, when you normalize the data by the number of hospitals in each state, and then normalize further by the number of beds, you can see that the picture of data breaches on a per capita basis, of sorts, changes dramatically.

After normalization, our previous top five poster-child states for data breaches (California, Texas, Florida, New York and Illinois) drop dramatically down the list and are replaced by Alaska, Puerto Rico, Washington DC, Rhode Island and Washington. Now, a little truth in data mining: not all data breaches occurred at hospitals, so why use hospitals as a per capita baseline? The working assumption for this analysis is that hospitals are a reasonable baseline inasmuch as each hospital has a roughly proportionate number of clinics, pharmacies and doctor's offices associated with it.

Next, let us examine the types of breaches that have occurred. As you can see, old-school physical theft and loss accounted for over 60 percent of the breaches, rather than the more glamorous hacking-oriented breaches.
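The normalization and the breach-type tally described above, as an added example that is not code from the original post. Every figure in it is constructed for illustration: the per-state breach counts, hospital counts and bed counts are not the HHS portal data or the hospital statistics the post used, and the breach records are shaped like the portal's "type of breach" and "location of breached information" fields but are made up. The constructed numbers are chosen so the Alaska-versus-Maine ratio lands on 7x, which shows how a small state with few beds can top a normalized list while sitting near the bottom of the raw one.

```python
"""Normalize per-state breach counts and tally breach types and locations.

Added example, not code from the original post. All figures below are
CONSTRUCTED for illustration; they are not HHS breach-portal data and not
the hospital or bed statistics the post used.
"""
from collections import Counter

# Constructed per-state table: reported breaches, hospitals, licensed beds.
STATE_STATS = {
    "California":   {"breaches": 120, "hospitals": 400, "beds": 75000},
    "Texas":        {"breaches": 100, "hospitals": 450, "beds": 60000},
    "Alaska":       {"breaches": 6,   "hospitals": 12,  "beds": 1500},
    "Rhode Island": {"breaches": 5,   "hospitals": 11,  "beds": 2500},
    "Maine":        {"breaches": 2,   "hospitals": 36,  "beds": 3500},
}

# Constructed breach records with portal-style type and location fields.
BREACH_RECORDS = [
    {"state": "California",   "type": "Theft", "location": "Laptop"},
    {"state": "Texas",        "type": "Theft", "location": "Laptop"},
    {"state": "Alaska",       "type": "Theft", "location": "Desktop Computer"},
    {"state": "Rhode Island", "type": "Theft", "location": "Paper"},
    {"state": "California",   "type": "Theft", "location": "Other Portable Electronic Device"},
    {"state": "Maine",        "type": "Loss",  "location": "Paper"},
    {"state": "Texas",        "type": "Loss",  "location": "Laptop"},
    {"state": "California",   "type": "Hacking/IT Incident", "location": "Network Server"},
    {"state": "Texas",        "type": "Hacking/IT Incident", "location": "Network Server"},
    {"state": "Alaska",       "type": "Unauthorized Access/Disclosure", "location": "EMR"},
]

# Raw count plus the two normalizations used in the post.
METRICS = {
    "raw": lambda s: s["breaches"],
    "per_hospital": lambda s: s["breaches"] / s["hospitals"],
    "per_1000_beds": lambda s: 1000 * s["breaches"] / s["beds"],
}


def rate(stats, state, metric):
    """Breach rate of one state under the chosen metric."""
    return METRICS[metric](stats[state])


def ranking(stats, metric):
    """States ordered from highest to lowest on the chosen metric."""
    return sorted(stats, key=lambda st: rate(stats, st, metric), reverse=True)


def rank_shift(stats, metric):
    """Places each state moves from the raw ranking to the normalized one
    (positive means the state moves up the list after normalization)."""
    raw, norm = ranking(stats, "raw"), ranking(stats, metric)
    return {st: raw.index(st) - norm.index(st) for st in stats}


def relative_risk(stats, a, b, metric="per_1000_beds"):
    """How many times higher state a's normalized breach rate is than state b's."""
    return rate(stats, a, metric) / rate(stats, b, metric)


def shares_by(records, field):
    """Percentage of records in each value of `field`, rounded to 0.1."""
    counts = Counter(r[field] for r in records)
    total = sum(counts.values())
    return {k: round(100.0 * c / total, 1) for k, c in counts.items()}


def physical_share(records):
    """Combined share of the old-school physical causes: Theft plus Loss."""
    shares = shares_by(records, "type")
    return round(shares.get("Theft", 0.0) + shares.get("Loss", 0.0), 1)


if __name__ == "__main__":
    for metric in METRICS:
        print(f"{metric:>14}: " + " > ".join(ranking(STATE_STATS, metric)))
    print("rank shift (per 1000 beds):", rank_shift(STATE_STATS, "per_1000_beds"))
    print(f"Alaska vs Maine per bed: {relative_risk(STATE_STATS, 'Alaska', 'Maine'):.1f}x")
    print("by type:    ", shares_by(BREACH_RECORDS, "type"))
    print("by location:", shares_by(BREACH_RECORDS, "location"))
    print(f"theft + loss: {physical_share(BREACH_RECORDS)}%")
```

With these constructed inputs, California and Texas lead the raw ranking while Alaska and Rhode Island lead both normalized rankings, and theft plus loss account for 70 percent of the records; the same functions run unchanged over a real export of the portal once you have a per-state hospital and bed table to join against.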

[Figure 1: breakdown of reported breaches by type]

Just where are these breaches occurring within the attack surface of the organizations? The following will give you some insight.

[Figure 2: breakdown of reported breaches by location within the attack surface]

Based on this analysis, what can we prescribe to vaccinate ourselves from similar events? The list below would be a great start:

  • Physically protect laptops and servers from theft.
  • Encrypt all laptops and servers that hold PII.
  • Train personnel on data custody and handling.
  • Dispose of electronic equipment properly.

I cannot emphasize the disposal aspect enough. In one case, a large health plan paid a fine of over $1 million when it was learned that a photocopier the company had leased was returned at the end of its lease with over 300,000 patient records still on its hard drive. Ouch!

If you want a second opinion on your data and media disposal practices, check out HP's Asset Recovery services. I would also like to hear from you about your treatment plan for protecting your organization's private health information, so drop me a line.

About the Author

TSchreider

Tari is a Distinguished Technologist with 30 years of IT and cyber security experience. He is dual board certified in information security/business continuity and is responsible for a wide range of management and technology consulting services encompassing information security, disaster recovery, privacy, and risk management. His problem-solving skills, knowledge of various technology platforms, compliance statutes and industries, as well as his experience in deploying defense-in-depth and InfoSec Program solution architectures, are commonly applied when advising CIOs/CISOs and leveraged in numerous HP client engagements throughout the world. Tari has designed, built, and managed some of the world's largest InfoSec programs, allowing them to defend against even the most aggressive attackers.
