The healthcare industry experiences more data breaches than any other industry, according to Privacy Rights Clearinghouse (PRC) data.
PRC maintains a database of privacy breaches from 2005 to the present. When available, the database includes what type of information was breached, how many records were affected, the organization that was storing the data, the types of records accessed, and a narrative of the circumstances surrounding the breach.
In 2011, 170 of 481 publicly disclosed breaches happened in the medical industry. Most of the breaches (50 breaches containing at least four million records) happened after portable data devices went missing. In several cases, the information was on laptops and flash drives that had been stolen or lost.
“The healthcare industry has a long ways to go when it comes to a maturity model that can support a defensive strategy around protecting its assets,” cybersecurity blogger and penetration tester David Kennedy said in a post on Monday. “As HIPAA continues to get a majority of sell as a way of protection against attacks, we will continue to see large exposures in the healthcare industry.”
Kennedy says that instead of purchasing “shiny new” prevention tools, organizations should develop programs that address the threats facing the organization rather than focusing mainly on compliance.
A study released by the Ponemon Institute last September says the biggest healthcare data security threat is theft of equipment containing sensitive information. The healthcare and pharmaceutical industry had the highest rate of laptop thefts, according to a joint study by Ponemon and Intel Corporation. The study found that most organizations (two-thirds) don’t take advantage of security practices like encryption, which would keep data secure if the device holding it were stolen. Forty-six percent of laptops contained confidential data; only 30 percent used encryption, the report said.