Security officers have new motivation to protect healthcare data


Want to throw a scare into CIOs, security officers and HIPAA compliance specialists, not to mention legal departments? Just direct them to DataLossDB.org, a project of the Open Security Foundation that chronicles electronic security breaches and other incidents of data loss from around the world.

The site isn't specific to any industry, but as of Monday night, four of the 10 most recent reported breaches involved healthcare organizations. And they are significant incidents. We learned last week that a contractor to the University of Texas Medical Branch in Galveston waited more than a month to inform the health system that an employee now in jail on charges of identity theft had access to records of more than 1,200 patients. And the California Department of Health Care Services sent out 50,000 letters with the recipients' Social Security numbers printed on the mailing labels.

There's no evidence that any of the affected people were harmed, so the organizations may not actually have to notify the patients under the new HIPAA standards, but they did anyway. Whether you agree with the "harm threshold" or not, security experts are on alert now that state attorneys general have the power to enforce HIPAA standards. And--surprise--some actually welcome the increased scrutiny.

"For me and my organization, it's motivation," Aaron Carpenter, chief information security officer for the Arizona Department of Health Services, said last week at the Institute for Health Technology Transformation's Winter Health IT Summit in Chandler, Ariz. "You need the organization to be motivated to support you."

Organizational support is important, but that can't stop a politically motivated attorney general from trying to make an example of a hospital or two, particularly now, when states are in dire need of new sources of revenue without having to raise taxes.

An easy measure to protect against prying eyes, yet one that often gets skipped, is data encryption. "You can't go wrong with encryption," offered another panelist, John Abraham, CEO of security auditing firm Redspin.

But remember, technology is not the real issue. "Focus on the data, not just the infrastructure," said Forrester Research Principal Analyst Khalid Kark.

This was the last meeting I'll be covering until the Big One, namely HIMSS10, in a couple of weeks. If you're going to Atlanta, make sure you get to Mix It!, FierceHealthIT's free networking party on Tuesday night, March 2, at the World of Coca-Cola. Click here to RSVP. I'll see you there. - Neil


Comments

Until we get some serious enforcement of the HIPAA Security Rule, we will be unable to get the attention of CFOs. Without enforcement, dollars for desktop and network security and accompanying personnel training will continue to be unfunded.

HIPAA Security rarely makes the cut when all budget programs are considered. Healthcare personal information, whether in EMR, practice management systems or electronic claims submissions, is highly valued by identity thieves working for Eastern European Organized Crime groups, according to conversations with the US Secret Service, and more highly valued than financial records given the wealth of personal information in the medical records. We have to educate the practitioners to the need, as the small practice or small group practice is most at risk.

Mike Regan
HIPAA Security Consultant
O’Regan’s, Inc
Phone: 706-632-3413
