Dom Nicastro, for HealthLeaders Media, September 27, 2011
Ali Pabrai said it best at last week's fifth national HIPAA Summit West at the Grand Hyatt in San Francisco. Pabrai, a data security expert, noted that 97% of chief information officers are concerned about data security.
"My question is, 'Who are these other three percent?'" Pabrai asked the hundreds of laughing attendees.
Pabrai, MSEE, CISSP (ISSMP, ISSAP), of ecfirst's HIPAA Academy in Newport Beach, CA, delivered a message that resonates with HIPAA privacy and security officers: Everyone, especially those charged with protecting the privacy of patient information, needs to be concerned about data security.
The numbers at the HIPAA Summit told the story:
- 1 in 4: Organizations reporting a data breach (source: Pabrai)
- 250,000 to 500,000: Medical identity thefts (source: Pabrai)
- 330: Organizations reporting a breach of unsecured protected health information affecting 500 or more individuals since September 2009 (source: Office for Civil Rights, or OCR)
- 34,000: Number of reports of breaches submitted to OCR affecting fewer than 500 individuals (source: OCR)
From how and from where the 500-or-more breaches are coming:
- Theft: 50%
- Unauthorized access disclosure: 20%
- Loss: 16%
- Hacking/IT: 7%
- Paper records: 24%
- Laptop: 23%
- Desktop computer: 17%
- Portable electronic device: 16%
- Network server: 10%
"How do we know that someone isn't hiding in our systems, and how long have they been there?" Pabrai asked the audience. "Do we have appropriate controls? What is the state of our information security?" Do you have intrusion protection and intrusion prevention in place?
"This is not just a compliance issue," Pabrai said. "This will have significant risk to the organization and will impact your facility in the seven figures."
The entire story can be read here.