The report was based on a biannual survey of 250 healthcare professionals nationwide and was commissioned by Kroll Fraud Solutions. The overall flavor of the report seems to suggest a bit of an “overconfidence” by healthcare IT professionals regarding the actual security of their data–they perceive it to be much more secure than it is. And, as we see in breach after breach, that often turns out to be true.

Kroll’s summary of key findings states:

• New regulatory activity, including the implementation of the Red Flags Rule and HITECH Act, has created a false sense of security among healthcare organizations that their facilities are secure and prepared should a breach occur.
• Healthcare organizations continue to underestimate the high costs of a data breach, despite new industry data which puts the average cost per industry data breach at $6.75 million.
• Healthcare organizations continue to think of data security in specific silos (IT, employees, etc.) and not as an organization-wide responsibility, which creates unwanted gaps in policies and procedures.

A more extensive list of highlights is found in the Healthcare IT News article:

• Despite new regulatory activity, including the implementation of Red Flags Rule and HITECH Act, and increased compliance among healthcare providers, the reporting of healthcare breaches is on the rise.
• The majority of survey participants indicated that they were compliant with existing laws and regulations.
• Average responses were above a 6.0 (on a scale of 1-7, with 7 being the highest level of compliance) for almost all laws and regulations, including CMS Regulations, HIPAA, State Security Laws and Red Flags Rule. Only HITECH scored lower (5.75), most likely due to the fact that HITECH was still not fully implemented at the time of the survey.
• The number of healthcare organizations that reported a breach increased by six percent in 2010 to 19 percent of total respondents – up from 13 percent in 2008.
• When asked to rate their level of “preparedness” for a future security breach, respondents from organizations having experienced a breach cited a preparedness level of 6.06 (on a scale of 1-7, with 7 being most prepared).
• Healthcare organizations continue to underestimate the high costs of a data breach, despite the fact that penalties for HITECH violations can reach as high as $1.5 million dollars.
• Patient satisfaction was most frequently cited as the primary impact of a data breach on their organization (38 percent), while only 15 percent cited the financial costs —  down from 18 percent in 2008.
• Healthcare organizations continue to think of data security in specific silos (IT, employees, etc.) and not as an organization-wide responsibility, which creates unwanted gaps in policies and procedures.
• Eighty-seven percent of respondents indicated that they have policies in place to monitor access and sharing of electronic health information, yet research shows that 84 percent of healthcare breaches since 2003 were due to “low tech” incidents such as lost or stolen laptops, improper disposal of documents, stolen backup tapes, etc.
• Sixty percent of respondents said they required third party vendors to provide proof of employee training and only half indicated that they required third party vendors to provide proof of employee background checks. As organizations prepare for the broader sharing of electronic health records across massive networks of providers, payers, state and federal repository systems, third party involvement is only expected to increase in the coming years.

There is indeed a lot to crunch and, as noted in the articles, it’s a “bittersweet” set of results. On the positive side, data security is getting much more attention and many healthcare organizations are taking action. But on the negative side, there’s still a very serious gap between “theory and practice,” so to speak. In theory, organizations think they’re secure and are shooting entirely for “compliance.” In practice, not so.

This elicits thoughts of the old cliche: In theory, there’s no difference between theory and practice. In practice, there is.

Download the full report here. Thanks to security curmudgeon on DataLossDB for the heads up.

WCCO reports, and thanks to Jon P for the tip.

It’s reported that the data doesn’t appear to have been compromised. A major, major bullet dodged!

On that unencrypted device? 3,300,000 names, addresses, Social Security numbers, and other personal data on borrowers. Over three million college students breached, one single device, no real security.

Officials say it was “a simple, old-fashioned theft” and “not a hacker incident.” Of course that’s of almost no consolation.

The list continues to grow. And of course, had the device been encrypted with patent-pending and NIST FIPS Level 2 certified MyLaptopGPS strong encryption, or any other decent encryption, there would be no issue here.

Most folks aren’t surprised to hear that malicious and criminal attacks are more expensive (more damaging) than insider negligence or systems glitches, by a score of $215 to $154/$166 (page 5 of the report). In fact, the most intense focus tends to be on the “attack of the bad guys.”

According to the report, 24 percent of all breaches studied involved a malicious or criminal attack. So, from a damage standpoint, it’s very important to safeguard against such malicious, purposeful attacks.

But there’s an interesting second side to that coin. If 24 percent of cases involved a malicious or criminal attack, then presumably 76 percent did not. That is, 76 percent of cases involved insider negligence, system glitches, and so forth. So, from an odds standpoint, it’s “three times more important” to be wary of insider negligence, system glitches, and other non-malicious events.

And, the core technology used to safeguard against both malicious and non-malicious data breach is the same. Encrypted data is encrypted data, and trackable laptops are trackable, malicious intent or otherwise.

But what is curious is that the laptop “had safeguards to protect sensitive information, including strong password protection and encryption.” Even still, the company is offering free credit monitoring.

No report of the number of victims has been given.

The response to the “breach” makes one wonder if there’s more to the story. Was the encryption not properly applied (very common)? Did the employee tape a handwritten plain-text passphrase note onto the palm rest (it happens–that’s why MyLaptopGPS offers Remote Decryption Kill)? Tough to say, and it’s all speculation. Something just seems odd about the reports and the response.

We will have to see if it shows up on the HHS Hall of Shame or not.

The days of “a lump of coal in the stocking” are certainly over.

The HITECH Act of 2009, one intent of which was to add more teeth to data security requirements for healthcare information, included a provision in section 13402(e)(4) requiring the Secretary of the U.S. Department of Health and Human Services to post a list of data breaches of unsecured protected health information affecting 500 or more individuals.

We might call these the “mega-breaches” or, that is, at least the serious breaches that affect many people.

A couple of important details are worth noting, about the HITECH Act of 2009. First, if a breach affects fewer than 500 people in one state, a breaching organization does not have to contact the media (though one of the victims certainly might). The organization does have to contact each breached individual, however, to notify of the breach. Second, the rules apply to unencrypted PHI. Encrypting the data, as always, is mitigation of the risk and turns a “breach” into a “non-event.”

Encrypting data, such as with MyLaptopGPS’ FIPS-certified strong encryption for data-at-rest, is the key difference between a major PR disaster (and regulatory nightmare), and a sigh of relief.

And now for The Bad List (click to view at HHS’ website).

First, the San Francisco Business Times reports that UC San Francisco reported a laptop theft that occurred on our about November 30, breaching 4,400 patients of the UCSF School of Medicine. The data included names, medical record numbers, age and clinical information, but not Social Security Numbers.

And, all to commonly, the data records were not encrypted.

The article also refers to tougher federal regulations and penalties that could be involved, including up to $1.5 million in fines for privacy violations–all the more reason to take proper precautions before it’s too late. Thanks to kirniki for the tip.

In the second case, our headliner for the week, ABC 13 reports that Methodist Hospital in Houston had a breach when a thief stole a laptop attached to a medical device that tests pulmonary function. The laptop contained private health information and Social Security Numbers for for 689 people and, again, was not encrypted or, apparently, otherwise protected. Thanks again to kirniki for the tip.

Says the hospital: “We are truly sorry if we have caused any stress or problems for the patients affected by this. We have offered them one year free subscription for credit monitoring and identity theft protection.”

Such a breach does indeed put the victims–those of us with data that was compromised due to no fault of our own–in a tough spot. It places burden and stress. Just read the comments of readers on the article itself, for some stark examples. Credit monitoring and ID Theft Protection can help to at least detect problems early, but it’s much better to mitigate problems before they occur, which is why we continue to trumpet that call: buckle that safety belt before driving down the road.

And, to the chagrin of at least 15,000 people, it was not encrypted. This also teaches us a familiar lesson about policies and procedures:

1. They are good. The employee knew what was expected of him or her, which was not to store information on the drive.
2. They are completely insufficient on their own. The employee violated, was fired (surely the stated policies and procedures made that tidy)…yet the 15,000 people are still breached.

It’s better to encrypt.

An interesting article based on a survey from Information Week highlights some of the issues, not the least of which is that only 14% of survey respondents say encryption is “pervasive” in their organizations, and only 38% encrypt data on mobile devices. Furthermore, 31% characterize the extent of their use as “just enough to meet regulatory requirements.”

Rather than bantering statistics around all day, it’s important to focus on the key issues (no pun intended), and a generally distasteful attitude toward security is clearly pervasive. The “security department” is generally the last one invited to the company cocktail party, and IT security personnel are often seen as the spoilers of usability and productivity.

It’s a tough dichotomy, and never seems to end.

But it’s important for your business’ security approach to be as strong as reasonable, not merely “as weak as we can tolerate.” One application of this philosophy is in the realm of encryption, where a comprehensive approach should encrypt all data, or as much as is reasonably possible, rather than relying on employees to only place sensitive data in one or two “secure” folders, or hit-and-miss across the hard drive. Relying on employees in that way is akin to having no encryption at all, and expecting employees “not to store data” on the mobile device.

Interestingly, even that last method is most common.

Encryption can be both effective and user-friendly, and it can operate with little to no impact on system performance. So use it comprehensively!

But I’d be remiss not to issue a tip that puts my money where my mouth is. Or, that is, why not follow my own advice?

Laptop tracking, remote data destruction, covert data recovery, and a 99.6% security success rate are all excellent security layers. We’ve always said so, and have always used them. But now, it’s time to up the ante in a big way by bundling on-disk strong encryption–another extremely important layer we’ve always highly recommended.

A thief who has your laptop should have no access to your data, ever. Good on-disk encryption such as MyLaptopGPS Encryption guarantees that, and then, as always, the other layers back it up. Remember, there’s no silver bullet in the security world.

Another nice thing about a bundle of highly effective layers such as these is that additional features can surface as a result. For example, with MyLaptopGPS Remote Decryption Kill, even a thief who has your encryption key (you didn’t write it on a post-it note in your laptop bag, did you?) cannot decrypt your data.

A solid laptop data security strategy always relies on many layers. Encryption must be a primary one.