Breach Numbers All Over the Map
For example, a survey of 220 hospitals released April 20 found that 84 percent of U.S. hospitals have at least one breach incident a year, and 42 percent have at least 10 incidents. Identity Force and the American Hospital Association collaborated on that poll.
Earlier this month, a survey of 250 hospitals by HIMSS Analytics found that 19 percent had experienced at least one security breach in the past 12 months, up from 13 percent in a similar survey conducted in early 2008. Nearly two-thirds of those reporting a breach said the source was unauthorized access to information by an individual employed by the organization at the time of the incident, according to the survey, commissioned by Kroll Fraud Solutions.
Training and re-training staff about the importance of breach prevention, as well as the practical steps they can take to keep data secure, is the key.
By comparison, the 2009 HIMSS Security Survey, sponsored by Semantic, found that of 196 participating hospitals, 32 percent reported they had at least one known case of medical identity theft at some point.
So which survey has it right? That's impossible to tell.
And it's too soon to determine whether the HITECH Act's toughening of penalties for federal security and privacy violations and its requirement for reporting major breaches to federal authorities is having an impact on the frequency of breaches. The tally of breaches affecting more than 500 individuals, as complied by the Office for Civil Rights at the Department of Health and Human Services, stood at 65 as of April 23. That list only includes major breaches since last September, when the notification rule kicked in.
Let's hope that fewer big breaches make it to this federal list in the months ahead as more organizations take preventive action.
The single most important way to prevent breaches is to create a "breach-free culture," says Steven Bearak, CEO of Identity Force. That sounds about right to me.
Good policies and procedures and technologies are important. But they're not enough. Training and re-training staff about the importance of breach prevention, as well as the practical steps they can take to keep data secure, is the key.
So encrypt those laptops. Lock those filing cabinets. And, most important, make sure risk management is a top priority for your organization, from top to bottom.