Small data breach draws big fine, signals need for encryption
Just two weeks ago, a non-profit healthcare provider was slapped with a $50,000 fine from the Department of Health & Human Services (HHS) for violating the HIPAA Security Rule, after losing an unencrypted laptop containing the sensitive personal information of 441 patients. This is the first HHS penalty for a data breach involving fewer than 500 victims.
For small healthcare providers, this signals an escalation in the consequences of a data breach: organizations will be held accountable regardless of size. A fine of $50,000 is a lot of money for a small practice, especially a non-profit provider.
As we’ve discussed in the past, the average cost per record of a healthcare data breach is $240, which is 24 percent higher than average. As fines become more common, healthcare organizations of all sizes need to make sure patient data is managed appropriately.
A complete prescription to avoid data loss will include technology solutions as well as a culture of security, built through training, policies and actions that ensure the right people have access to the right data for the right use.
But the fact remains that many organizations still believe a data breach won’t happen to them. And yet, in 2012 alone, 39 percent of healthcare data breaches resulted from lost or stolen portable devices (laptops, data tapes, hard drives and other removable media) or stationary devices (desktops or servers), according to the Privacy Rights Clearinghouse Chronology of Data Breaches.
One of the most fundamental security measures is the use of full disk encryption (FDE). When a lost or stolen device is protected by FDE, the information on it remains unreadable to whoever finds it, and the only loss is the device itself. It’s important for healthcare organizations to deploy encryption on any device that contains confidential patient information: desktops, laptops, data tapes, servers and removable media. You can learn more and get tips for deploying FDE in this post.
Symantec recommends healthcare organizations of all sizes consider the following best practices to help reduce their risk of a data breach:
- Assess risks by identifying and classifying confidential information
- Educate employees on information protection policies and procedures, then hold them accountable
- Implement an integrated security solution that includes reputation-based security, proactive threat protection, firewall and intrusion prevention in order to keep malware off endpoints
- Consider data loss prevention technologies which enable policy compliance and enforcement
- Proactively encrypt laptops, desktops and other removable media to minimize consequences of a lost device
- Use appropriate security and backup solutions to archive important files, and test frequently
- Implement two-factor authentication, such as a strong user name and password plus a token or one-time password
- Integrate information protection practices into business processes
Data loss is a largely preventable problem. Even for smaller provider organizations, technologies are readily available to help protect patient information. As we see HHS levy more fines for violations, it should be clear that it’s cheaper to implement the proper safeguards than to bear the expense of a HIPAA-related breach.