Unencrypted Data – Aegify
https://www.aegify.com
Comprehensive Security, Risk and Compliance Assurance Solution

Unencrypted Data- An Ongoing Problem
https://www.aegify.com/unencrypted-data-an-ongoing-problem/
Fri, 26 Jul 2013 07:51:21 +0000

Stolen or lost unencrypted devices have long posed a significant threat to healthcare entities throughout the United States, and a new breach report by the California Attorney General’s office confirms an ongoing problem. Unencrypted data has been identified as the major culprit in 131 breaches that affected 2.5 million individuals in the state of California last year alone.

The report revealed that physical breaches involving stolen/lost unencrypted devices were larger and affected more people on average. The law, requiring state agencies to report breaches involving more than 500 individuals, was enacted in California for the first time in 2012, and the state’s Attorney General Kamala D. Harris recently issued the first public report detailing the breaches. Announcing the report, Harris said that data breaches are a serious threat to privacy, finances and personal security.

Encrypting digital personal information is the key to privacy and security, according to Harris, who said that encryption could have prevented defaulting organizations from putting over 1.4 million Californians at risk. However, it is noteworthy that California is not the only place where breaches involving unencrypted devices are reported. Over the past few years, the infamous ‘Wall of Shame’ in the US Department of Health and Human Services has seen a number of breaches involving unencrypted data, and most commonly mobile devices.

The breach report reveals that failure to protect physical information assets was the major cause of these breaches, affecting 40,223 people on average. This is further proven by the fact that two of the five largest breaches, namely the breach at California Department of Social Services involving loss of a computer storage device, and the breach at Emory Healthcare involving missing storage disks, were in the ‘physical’ unencrypted category.

Although healthcare providers were involved in a few larger breaches in the state of California, the retail industry topped the list with 34 breaches, which is 26% of the total number of breaches. This was followed by the finance and insurance sector with 30 breaches, or 23% of the total. Healthcare came third with 19 breaches representing 15% of the total.

This report, however, offers certain key takeaways. Firstly, healthcare entities should know that encryption is a must, and that one good reason to get the encryption program started soon is the HIPAA Omnibus Rule, which necessitates encryption. Covered entities should remember that non-compliance under the HIPAA Omnibus Rule can attract penalties up to $1.5 million per violation, and that the compliance deadline is September 23rd, which is just two months away.

The Attorney General’s report makes it obvious that enforcement related to encryption would be one of the top priorities of the office, and acts as a warning to healthcare entities about how to keep their names out of the breach totals for the coming year. Aegify Security Posture Management or Aegify SecureGRC can prove valuable at this point, by helping organizations prioritize their compliance initiatives and offering a framework of best practices to achieve compliance with the HIPAA Omnibus Rule.

The post Unencrypted Data- An Ongoing Problem appeared first on Aegify.

Unencrypted Stolen Devices- A Persistent Threat
https://www.aegify.com/unencrypted-stolen-devices-a-persistent-threat/
Mon, 01 Oct 2012 08:42:19 +0000

The health industry is continuously plagued by one major threat which has been the cause for most security breaches in the recent past: The loss or theft of unencrypted devices. Updates to the federal tally of health information breaches clearly indicate that lost or stolen unencrypted computing devices are an ongoing problem with at least eight of 10 incidents added to the tally during the past month stemming from lost/stolen unencrypted devices.

It should be noted that since September 2009, when federal regulators began tracking major health information breaches, nearly 54 percent of breach incidents have involved the loss or theft of unencrypted devices or storage media. Despite strict regulations enforcing the need to encrypt data, several organizations are yet to take encryption seriously. Many devices containing patient health information continue to be unencrypted due to misperceptions about the cost of encryption and potential impact on system performance. Also, in most cases the theft or loss of devices is related to negligence or carelessness of employees and the lack of awareness about security risks. While federal authorities continue to enforce HIPAA regulations with huge penalties and strict action, healthcare entities have to take necessary steps towards the protection of patient data.

The encryption provisions in Stage 2 of the HITECH Act EHR incentive program are expected to cut down the possibility of breaches since these regulations necessitate automated encryption of data stored on end-users’ devices.

However, at present the crux of the problem seems to lie in the misconceptions associated with encryption. Charles Christian, the CIO of Good Samaritan Hospital in Evansville, Ind., is of the opinion that breaches involving unencrypted devices are common partly because healthcare providers who do not have sufficient resources are hesitant to invest in encryption as they think that encryption is highly expensive.

Also, many healthcare entities tend to believe that encryption can end up impacting the performance of their systems. Dixie Baker, a member of the HIT Policy Committee’s Privacy and Security Tiger Team, which advises regulators, stresses that the latest encryption technology no longer affects the performance of computer devices, and in fact, after the initial encryption, no difference will be felt in the performance of a system.

A simpler alternative for organizations, however, is to adopt a comprehensive solution like SecureGRC, which can not only take care of encryption requirements, but also provide all-round security to an organization’s data by conducting periodic risk assessments, managing access to sensitive data, providing end-to-end security, and by averting all possible security threats.

The post Unencrypted Stolen Devices- A Persistent Threat appeared first on Aegify.
