Transforming IT

Are you on the Healthcare Security Wall of Shame?



Did you know that you are seven times more likely to experience a healthcare-related data breach in Alaska than in Maine? Well, neither did I. However, when I started looking a little closer at the HHS Wall of Shame portal, I saw what almost everybody else sees: that California, Texas, Florida, New York and Illinois have the greatest number of reported data breaches. The most populous states have the most data breaches. Big surprise, right?


Right about now you are saying, "tell me something we do not know." Well, ok, I will. I will don my medical scrubs, assume the role of Dr. Facts, and triage the data. Well, guess what: the initial diagnosis that the biggest states have the most data breaches is a little misleading. It is true that they have the raw numbers; however, when you normalize the data by the number of hospitals in each state and then further normalize it by the number of beds, you can see that the picture of data breaches on a per capita basis, of sorts, changes dramatically.


After normalization, our previous top five poster-child states for data breaches (California, Texas, Florida, New York and Illinois) drop dramatically lower on the list and are replaced by Alaska, Puerto Rico, Washington DC, Rhode Island and Washington. Now a little truth in data mining: not all data breaches occurred at hospitals, so why use that as a per capita baseline? The working assumption for this analysis is that hospitals would represent a reasonable baseline inasmuch as there is a proportionate number of clinics, pharmacies and doctor's offices associated with each hospital.


Next, let us examine the types of breaches that have occurred. As the breakdown by breach type shows, old-school physical theft and loss accounted for over 60 percent of the breaches, rather than the more glamorous hacking-oriented breaches.
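To make the normalization and the breach-type breakdown concrete, here is a small added example (my own code, not part of the original post and not the HHS portal's data). Every number in it is constructed: the per-state breach, hospital and bed figures and the breach records are invented to show the method, not to reproduce the real rankings. It ranks states by raw count, by breaches per hospital and by breaches per 1,000 beds, computes the ratio between two states on the normalized metric, and tallies breach types and locations the way the portal's "type of breach" and "location of breached information" columns allow.

```python
from collections import Counter

# Constructed sample figures, NOT the HHS portal data: breach counts, hospital
# counts and licensed beds per state are invented to illustrate the method.
STATE_STATS = {
    "CA": {"breaches": 120, "hospitals": 400, "beds": 75000},
    "TX": {"breaches": 90, "hospitals": 380, "beds": 60000},
    "NY": {"breaches": 80, "hospitals": 190, "beds": 55000},
    "AK": {"breaches": 6, "hospitals": 18, "beds": 1500},
    "ME": {"breaches": 2, "hospitals": 36, "beds": 3500},
}

# Constructed breach records shaped like HHS portal rows:
# (state, type of breach, location of breached information). Values are invented.
BREACH_RECORDS = [
    ("CA", "Theft", "Laptop"),
    ("CA", "Theft", "Desktop Computer"),
    ("TX", "Theft", "Laptop"),
    ("NY", "Theft", "Paper/Films"),
    ("TX", "Loss", "Other Portable Electronic Device"),
    ("AK", "Loss", "Paper/Films"),
    ("CA", "Hacking/IT Incident", "Network Server"),
    ("NY", "Hacking/IT Incident", "Email"),
    ("ME", "Unauthorized Access/Disclosure", "Electronic Medical Record"),
    ("NY", "Improper Disposal", "Other"),
]

# The "old-school" categories the post contrasts with hacking.
THEFT_OR_LOSS = {"Theft", "Loss"}


def normalized_rates(stats):
    """Return {state: {"raw", "per_hospital", "per_1000_beds"}}.

    Raw counts reward big states; dividing by hospitals (a proxy for the
    number of covered entities) and then by beds (a proxy for patient
    volume) gives a per-capita-style rate that is comparable across states.
    """
    rates = {}
    for state, s in stats.items():
        rates[state] = {
            "raw": s["breaches"],
            "per_hospital": s["breaches"] / s["hospitals"],
            "per_1000_beds": 1000 * s["breaches"] / s["beds"],
        }
    return rates


def rank_states(stats, metric):
    """States ordered from highest to lowest on the chosen metric."""
    rates = normalized_rates(stats)
    return sorted(rates, key=lambda st: rates[st][metric], reverse=True)


def rate_ratio(stats, state_a, state_b, metric="per_1000_beds"):
    """How many times higher state_a's normalized rate is than state_b's."""
    rates = normalized_rates(stats)
    return rates[state_a][metric] / rates[state_b][metric]


def breach_type_share(records):
    """Fraction of records per breach type, e.g. {"Theft": 0.4, ...}."""
    counts = Counter(rec[1] for rec in records)
    total = len(records)
    return {kind: n / total for kind, n in counts.items()}


def theft_or_loss_share(records):
    """Fraction of breaches that are physical theft or loss rather than hacking."""
    return sum(1 for rec in records if rec[1] in THEFT_OR_LOSS) / len(records)


def location_counts(records):
    """Where in the attack surface the data lived: counts by location field."""
    return dict(Counter(rec[2] for rec in records))


if __name__ == "__main__":
    print("By raw count:      ", rank_states(STATE_STATS, "raw"))
    print("Per hospital:      ", rank_states(STATE_STATS, "per_hospital"))
    print("Per 1,000 beds:    ", rank_states(STATE_STATS, "per_1000_beds"))
    print("AK vs ME (per bed):", round(rate_ratio(STATE_STATS, "AK", "ME"), 2))
    print("Theft/loss share:  ", theft_or_loss_share(BREACH_RECORDS))
    print("By location:       ", location_counts(BREACH_RECORDS))
```

With these made-up inputs the raw ranking puts CA, TX and NY on top, while the per-bed ranking moves AK to the top and ME to the bottom, which is the kind of reordering the post describes. The caveat from the post applies here too: hospitals and beds are only a proxy baseline, and a state with few hospitals will show large swings from a handful of incidents, so small denominators deserve a second look before drawing conclusions.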




Just where are these breaches occurring within the attack surface of the organizations? The following will give you some insight.




Based on this analysis, what can we prescribe to vaccinate ourselves from similar events? The list below would be a great start:


  • Physically protect laptops and servers from theft.

  • Encrypt all laptops and servers with PII.

  • Train personnel on data custody and handling.

  • Dispose of electronic equipment properly.

I cannot emphasize the disposal aspect enough. In one case, a large Health Plan paid a fine of over $1 million when it was learned that a photocopier leased by the company was returned upon its lease expiration containing over 300,000 patient records on its hard drive. Ouch! 


If you want a second opinion on your data and media disposal practices, check out HP's Asset Recovery services. I would also like to hear from you on your treatment plan for protecting your organization's private health information, so drop me a line.


About the Author


Tari is a Distinguished Technologist with 30 years of IT and cyber security experience. He is dual board certified in information security/business continuity and is responsible for a wide range of management and technology consulting services encompassing information security, disaster recovery, privacy, and risk management. His problem-solving skills, knowledge of various technology platforms, compliance statutes and industries, as well as his experience in deploying defense-in-depth and InfoSec Program solution architectures, are commonly applied when advising CIOs/CISOs and leveraged in numerous HP client engagements throughout the world. Tari has designed, built, and managed some of the world's largest InfoSec programs, allowing them to defend against even the most aggressive attackers.
