Welcome to the Nexus of Ethics, Psychology, Morality, Philosophy and Health Care

Monday, October 10, 2011

HIPAA Summit West: 1 in 4 Organizations Report Data Breaches

Dom Nicastro, for HealthLeaders Media, September 27, 2011

Ali Pabrai said it best at last week's fifth national HIPAA Summit West at the Grand Hyatt in San Francisco. Pabrai, a data security expert, noted that 97% of chief information officers are concerned about data security.

"My question is, 'Who are these other three percent?'" Pabrai asked the hundreds of laughing attendees.

Pabrai, MSEE, CISSP (ISSMP, ISSAP), of ecfirst's HIPAA Academy in Newport Beach, CA, delivered a message that resonates with HIPAA privacy and security officers: Everyone, especially those charged with protecting the privacy of patient information, needs to be concerned about data security.

Numbers game

The numbers at the HIPAA Summit told the story:
  • 1 in 4: Organizations reporting a data breach (source: Pabrai)
  • 250,000 to 500,000: Medical identity thefts (source: Pabrai)
  • 330: Organizations reporting a breach of unsecured protected health information affecting 500 or more individuals since September 2009 (source: Office for Civil Rights, or OCR)
  • 34,000: Number of reports of breaches submitted to OCR affecting fewer than 500 individuals (source: OCR)

How and where the 500-or-more breaches are occurring:

How:
  • Theft: 50%
  • Unauthorized access/disclosure: 20%
  • Loss: 16%
  • Hacking/IT: 7%

Where:
  • Paper records: 24%
  • Laptop: 23%
  • Desktop computer: 17%
  • Portable electronic device: 16%
  • Network server: 10%

In August, McAfee reported that hackers broke into the United Nations data system and hid there for two years unnoticed, Pabrai said.

"How do we know that someone isn't hiding in our systems, and how long have they been there?" Pabrai asked the audience. "Do we have appropriate controls? What is the state of our information security?" Do you have intrusion protection and intrusion prevention in place?

"This is not just a compliance issue," Pabrai said. "This will have significant risk to the organization and will impact your facility in the seven figures."
