Healthcare Organizations Say Incidents of Data Breaches Growing. Secure Information With Computer and Laptop Encryption.
Healthcare organizations are beginning to feel the heat. First, there are the surprise HIPAA security audits the Feds are planning to conduct. I already blogged about this before, and how the initial round was just a preliminary one. The exercises to be conducted this year are meant to figure out how to approach such audits, and will affect a list of pre-approved medical centers (pre-approved because they know the audits are coming; it’s not a total surprise).
However, once the preliminary studies are conducted, the results will be used to expand the audits nationwide. Unlike the past decade since the law took effect, auditing will be performed to ensure HIPAA compliance.
What’s worrisome, though, is the growing feeling that healthcare organizations are being targeted for information and data theft. It’s not big, not yet. However, there are signs that the problem is growing. A networkworld.com article quotes SecureWorks as seeing an 85% increase in attempted attacks against its healthcare clientele.
Medical data is not just your past medical history. It also includes insurance numbers, credit card numbers, SSNs, names, addresses, etc. People engaged in medical fraud are as interested in obtaining such information as your average credential peddler (read: purveyors of fake IDs. Nothing like what I had in college, though).
And the attacks come from the inside as well. Plenty of people over the past year have been caught collating and selling patient information for personal gain. In fact, it makes me wonder whether the growing numbers of stolen and lost laptops are in some part mirroring insider thefts.
What can hospitals, HMOs, and other covered entities do? Well, there is no one-shot answer to the problem of ensuring patient privacy and confidentiality. However, there are certain steps one can take to ensure the basics are covered.
One that I would be remiss in not mentioning would be full disk encryption. Laptop encryption, desktop encryption—it doesn’t matter what type of information processing device you have. As long as there is sensitive data saved on it, temporarily or otherwise, you want to encrypt the computer if it’s not chained down to the floor. And even then, you might want to employ data encryption because some crooks will steal the chain and the floor tiles along with the computer.
Encrypting devices will not prevent theft; however, it will ensure that there are no data breaches—which is what HIPAA and the medical industry are trying to prevent (well, the latter is interested in preventing both). There are many encryption services out there, but you want to ensure that they are using proven encryption like AES or RSA. Unbreakable ciphers are notoriously hard to create, which is why the field is dominated by a handful of companies: the others found their products were not as unbreakable as they thought. Plus, if you’re actually in the medical field, you may want something that lets you keep track of the encryption status of each machine. AlertBoot, for example, not only uses AES and RSA for encryption but also comes with a suite of reporting options—including one for HIPAA and Sarbox auditing.