As we have noted here in the past, the new HITECH legislation expands on HIPAA encryption requirements for health records and mandatory penalties for data breaches. CSO Magazine outlines five steps that organizations should take to prepare for HITECH.
The article also touches on costs that go beyond regulatory penalties:
No doubt, the HITECH Act raises the stakes for a data breach. But regulations aside, data breaches can hurt your organization’s credibility and can carry huge medical and financial risks to the people whose data is lost.
Data Security, Healthcare
SC Magazine Data Breach Blog picked up this story in the Richmond Times-Dispatch.
Virginia Commonwealth University is notifying 17,214 current and former students of a security breach that may have exposed their Social Security numbers.
It used to be common practice for universities to use Social Security numbers as student IDs. Much of that data is still floating around on hard drives and storage devices throughout campus. In this case it’s going to cost VCU a year’s worth of identity-theft insurance for every one of those exposed records.
Data Security
Last week the NHS reported four more data breach incidents, two involving USB flash drives containing sensitive personal info. In one case, someone took the trouble to encrypt the data but then attached the password to the drive on a post-it note. In the other case, the flash drive was unprotected and left at a car wash.
Following an investigation, it became clear that the information contained on the memory stick was only looked at by the car wash attendant before returning it to the hospital.
It’s good to see health care organizations using encryption to protect patient data. Unfortunately, good policy can be defeated with a simple post-it note. Organizations can go a step further by remotely managing their portable devices. With prompt incident reporting, a lost drive can be wiped or disabled before any data can be accessed. And you have the audit logs to prove it.
Data Security, Government, Healthcare
From the SC data breach blog: “A portable data-storage device containing the sensitive personal information for all current employees of North Carolina-based FairPoint Communications has gone missing.”
The device contained everything needed for identity theft, including birth dates and Social Security numbers.
A comprehensive remote management solution would have allowed the company to remotely delete all contents of the device before it could be accessed. Regulatory authorities could be presented with an audit log showing when and where the drive was deleted. The alternative is to pay for credit monitoring, risk lawsuits and receive an entry in the infamous Data Breach Blog.
Data Backup, Data Security
On Friday, the Dept of Health and Human Services released new details on breach notification and the protection of personal health information.
There are two acceptable methods for rendering PHI “secured”: encryption and destruction.
Encryption is the obvious method for securing ePHI, and, as expected, the acceptable encryption methods reference NIST standards.
Using encryption may help organizations prevent public embarrassment and costly settlements.
Breach notifications only need to be made for what falls under “unsecured” PHI. So, if someone gets hold of PHI that is encrypted using the referenced NIST encryption standards, then notification is not required.
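To make the safe-harbor logic concrete, here is an added triage helper (not part of the original post or any vendor product) that decides whether a lost portable device still holds “unsecured” PHI, modelled on the incidents above: the encrypted stick whose password travelled with it on a post-it note, the unencrypted stick from the car wash, and a device that was remotely wiped before access. The approved-cipher list, the treatment of a logged remote wipe as “destruction”, and the incident records themselves are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Assumption: NIST-referenced ciphers this organisation has approved for ePHI at rest.
APPROVED_CIPHERS = {"AES-128-CBC", "AES-256-CBC", "AES-128-GCM", "AES-256-GCM"}


@dataclass
class LostDevice:
    name: str
    encrypted: bool = False
    cipher: str = ""
    key_exposed: bool = False          # e.g. the password was on a post-it note
    wiped_before_access: bool = False  # remote delete/disable completed in time
    wipe_audit_log: list = field(default_factory=list)  # evidence for the regulator


def is_secured(dev: LostDevice) -> tuple[bool, str]:
    """Return (secured, reason). Secured PHI does not trigger notification."""
    # Destruction path (assumption: a remote wipe counts only with an audit trail).
    if dev.wiped_before_access and dev.wipe_audit_log:
        return True, "contents destroyed before access; audit log available"
    if dev.wiped_before_access:
        return False, "wipe claimed but no audit log to prove it"
    # Encryption path: approved cipher AND the key must not have gone with the device.
    if not dev.encrypted:
        return False, "data stored in the clear"
    if dev.cipher not in APPROVED_CIPHERS:
        return False, f"cipher {dev.cipher!r} is not on the approved NIST list"
    if dev.key_exposed:
        return False, "encrypted, but the decryption key was disclosed with the device"
    return True, f"encrypted with {dev.cipher}; key not compromised"


def notification_required(dev: LostDevice) -> bool:
    return not is_secured(dev)[0]


# Constructed incident records modelled on the cases discussed above.
INCIDENTS = [
    LostDevice("NHS stick, password on post-it", encrypted=True,
               cipher="AES-256-CBC", key_exposed=True),
    LostDevice("NHS stick left at car wash", encrypted=False),
    LostDevice("remotely wiped device (hypothetical)", wiped_before_access=True,
               wipe_audit_log=["<timestamp placeholder> wipe confirmed by device"]),
]

if __name__ == "__main__":
    for dev in INCIDENTS:
        secured, why = is_secured(dev)
        print(f"{dev.name}: notification required = {not secured} ({why})")
```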
Data Security, Government, Healthcare
Government entities are leading the way in data breaches so far this year.
According to ITRC, a nonprofit organization whose work is supported by a Justice Department grant, the government and military sector were the chief offenders, accounting for 78 percent of all exposed records with just 22 breaches.
To be fair, the bulk of those records were lost in a single incident at the Arkansas Dept of Information Services. Among other sectors, banking and financial companies did the least amount of damage, with 12 breaches and 288 records exposed.
Data Security, Financial, Government, Healthcare