Report: Data breaches from unencrypted devices up 525% in 2011

[InfoSec News <alerts () infosecnews org>]

http://www.fiercehealthit.com/story/report-data-breaches-unencrypted-devices-525-2011/2012-02-01

By Dan Bowman
FierceHealthIT
February 1, 2012

Healthcare organizations need to "serve as their own watchdog" to 
increase security and decrease data breaches, a new report from IT 
security audit firm Redspin concludes. The increase in "bring your own 
device" policies at various hospitals, in addition to the continued 
implementation of electronic health record systems, are too much for 
government alone to regulate, the report's authors say.

The report digs into the latest major data breach figures--those 
breaches impacting 500 or more individuals--released by the U.S. 
Department of Health & Human Services' Office for Civil Rights. With the 
addition last week of the 2011 Sutter Health breach, which impacted 4.2 
million patients, the number of major healthcare information breaches 
now sits at 385 since 2009.

"The Federal government is unlikely to mandate that all portable devices 
that store [electronic personal health information] be encrypted, but 
it's an obvious and sensible policy for a healthcare organization to 
adopt," the authors say. "Taking it further, why not require that all 
mobile devices in the healthcare workplace be encrypted, even if ePHI is 
not allowed on them?"

According to the report, nearly 40 percent of all major PHI breaches 
occurred on a laptop or other portable media device, a problem the 
authors say isn't likely to go away anytime soon. "Portability is here 
to stay," the write. "The BYOD revolution is well underway, yet 50 
percent of respondents in a recent healthcare IT poll say nothing is 
being done to protect data on those devices."

[...]


_____________________________________________________
Did a friend send you this article? Make it your
New Year's Resolution to subscribe to InfoSec News!
http://www.infosecnews.org/mailman/listinfo/isn