A thousand incidents and counting: the federal health breach tally has hit an all-time high, now listing 1,010 major breaches reported since federal regulators began tracking them in September 2009, when the HITECH Act came into effect. Together these breaches have affected 31.5 million individuals. Notably, more than half of those individuals, about 18.4 million, were affected by just the 10 largest breaches.
All 10 of these breaches are listed on the ‘Wall of Shame’ website, and they share a single common cause: theft or loss of unencrypted computing devices or storage media. Lack of encryption has accounted for nearly half of all major breaches in the federal tally. Although experts have stressed the importance of encryption time and again, a considerable number of healthcare entities and their business associates still have not encrypted their data.
Security experts regard encryption as one of the fundamental steps every healthcare organization must take, but lack of encryption is not the only deficiency that worries them. Unencrypted data is usually a symptom of deeper problems, such as not knowing where sensitive data resides or what risks surround it. Seen that way, failing to encrypt is a management failure, not merely a technical mistake. It is also worth being precise about what encryption buys: full-disk encryption of laptops and removable media addresses the lost-or-stolen-device scenario that dominates the tally, but it does nothing for data exposed through a compromised account or a misconfigured system, which is why it has to sit inside a broader security program rather than stand in for one.
Many healthcare entities also fail to manage user access effectively. Taken together, these gaps show that such entities are not practicing security fundamentals: their efforts are fragmented, with security essentials neither formally integrated nor aligned with the organization’s risk functions. The absence of an effective risk assessment process, and the resulting failure to identify internal and external threats and vulnerabilities, stems from the same missing fundamentals.
What have these security breaches taught us?
There are a few valuable lessons to learn from every information security breach that has been reported so far:
- Almost without exception, the breaches in the tally would have been avoidable had basic security practices been in place
- Most breaches are not sophisticated attacks; they result from lapses in judgment and in the sound application of security measures
- Small deviations from good security practice can have major consequences for the business
- Encryption of data, particularly on laptops and removable media, is of primary importance and goes a long way toward mitigating risks to information, provided the keys are managed so that a lost device cannot be unlocked
- Business associates have been responsible for some of the largest breach incidents and, under the HIPAA Omnibus Rule, are directly liable for HIPAA compliance just like covered entities. Ensuring that data processed by business associates and their subcontractors is well protected is therefore critical.
What should healthcare entities do?
- Define security policies and standards clearly, and verify that they are executed as intended rather than assuming they are
- Establish well-defined ownership and accountability for every security practice, and drive improvements wherever gaps are identified
- Train employees adequately and help them understand why patients’ health information must be protected
- Adopt a comprehensive security solution such as Aegify Security Posture Management or Aegify SecureGRC, which can considerably simplify security processes and compliance while mitigating risks and adequately protecting health data.