
HIEs and Security, and the Impact of Breach

Tuesday, December 15th, 2009

- By Jesse Erdmann

Once again there is news of another data breach (article here) in the health industry. This time around, a Connecticut company by the name of Health Net reported the loss of a disc containing health information, social security numbers and bank account information of 446,000 patients, as well as potentially another two laptops.

This news comes on the back of a November survey and report (article here) by HIMSS, paid for by Symantec, which found that only 67% of healthcare organizations encrypt data transmissions, and less than half encrypt the data stored on disk. Obviously, if Health Net had encrypted its data properly, the loss of the disc and laptops would have been far less significant, since the thieves would find it difficult, if not impossible, to access the data. Another important thing to note about the survey is that Symantec is one of the largest vendors of security software, so the numbers reported may need to be taken with a grain of salt.
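The point about encryption at rest is easy to state and worth seeing concretely: a lost disc that holds only ciphertext and a tag, with the key held elsewhere, gives its finder nothing to read, and a guessed key or an edited byte is rejected rather than producing garbage. The following is an added example, not code from the original post or from Health Net or HIMSS. It uses only the Python standard library, so the cipher is an encrypt-then-MAC construction built from HMAC-SHA256 in counter mode; a production deployment should use AES-GCM or ChaCha20-Poly1305 from a vetted library instead. The record contents and the master key are constructed for the demonstration.

```python
"""Encrypt-at-rest demonstration (added example, standard library only).

Construction: keystream block i = HMAC-SHA256(enc_key, nonce || i),
ciphertext = plaintext XOR keystream, tag = HMAC-SHA256(mac_key, nonce || ciphertext).
This stands in for AES-GCM so the example runs without third-party packages.
"""
import hashlib
import hmac
import secrets

# Domain-separation labels so the cipher and the MAC get independent subkeys.
ENC_LABEL = b"records-at-rest/enc"
MAC_LABEL = b"records-at-rest/mac"
NONCE_LEN = 16
TAG_LEN = 32

# Constructed sample record with obviously fake identifiers (not real data).
SAMPLE_RECORD = b"patient=Jane Doe;ssn=000-00-0000;account=000000000;dx=example"


def derive_subkeys(master_key: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one master key."""
    enc_key = hmac.new(master_key, ENC_LABEL, hashlib.sha256).digest()
    mac_key = hmac.new(master_key, MAC_LABEL, hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: each 32-byte block is HMAC(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_record(master_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; a fresh random nonce keeps every keystream unique."""
    enc_key, mac_key = derive_subkeys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_record(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; wrong key or edited bytes raise ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = derive_subkeys(master_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def recoverable_without_key(blob: bytes, sensitive_fields: list[bytes]) -> bool:
    """What the finder of a lost disc can do: scan the raw bytes for sensitive values in the clear."""
    return any(field in blob for field in sensitive_fields)


def decrypts_with(key: bytes, blob: bytes) -> bool:
    """True only if the blob authenticates and decrypts under this key."""
    try:
        decrypt_record(key, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    master = secrets.token_bytes(32)  # in practice: held in a KMS/HSM, never on the same disc
    blob = encrypt_record(master, SAMPLE_RECORD)
    tampered = blob[:20] + bytes([blob[20] ^ 1]) + blob[21:]
    print("SSN readable from disc without key:", recoverable_without_key(blob, [b"000-00-0000"]))
    print("decrypts with the right key:       ", decrypts_with(master, blob))
    print("decrypts with a guessed key:       ", decrypts_with(bytes(32), blob))
    print("decrypts after one flipped byte:   ", decrypts_with(master, tampered))
```

The design choice that matters for the breach scenario is the separation of key from data: the disc carries `nonce || ciphertext || tag`, and the only way to recover the record is to present the master key, which should live in a key-management service or HSM and never travel with the media. Verifying the tag before decrypting also means a stolen blob cannot be quietly altered and fed back into the system.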

However, there are some things to take away from this breach and the HIMSS report. One such takeaway is that while there is a lot of additional complexity in securing health data (which needs to be handled by those who understand the industry), there are well-established resources that can cover the basics for health organizations. There are also accreditations, like the Certified Information Systems Security Professional (CISSP), which can be used to vet potential employees or to benchmark training for employees in key security positions.

A general rule of thumb for health organizations would be to hire a person to manage organization-wide security issues. Key deliverables from such a person would be to write and deliver a security policy for the organization, to purchase or recommend non-domain-specific security software, and to be responsible for the training of all employees who handle sensitive data. Special emphasis should also be placed on the training of software engineers and system administrators. With proper policies, training, and oversight, health organizations can protect themselves and their data from breach or loss.