Breach Stats: Signs of Improvement?
2012 Breach Tally, So Far, Much Lower Than 2011
Only 13 major health data breaches, affecting a combined total of 192,000 individuals, have been added to the official federal "wall of shame" tally since Sept. 21. Both the number of major incidents and the number of individuals affected in 2012 appear, for now at least, to be on pace to come in lower than in 2011.
But the tally for this year's breaches could change dramatically in the months to come because the Department of Health and Human Services' Office for Civil Rights continually adds incidents as it confirms the details. For example, it recently added a 2011 breach to the list. The tally only includes breaches affecting 500 or more individuals.
"I think there's some randomness in the breaches and numbers of individuals affected, so I wouldn't read too much into the statistics," says Kate Borten, principal of IT security firm The Marblehead Group. "The bad news is that breaches continue to happen, and in significant numbers. Also, remember that we don't know about breaches affecting fewer than 500 people, since they aren't posted on [the HHS] website."
Security consultant Tom Walsh offers a similar assessment. "Only time will tell if the decline in the rates of reported breaches is a sign that we are making progress," he says. "No organization wants to be fodder for 'lessons learned the hard way.' The very mention of certain healthcare organizations' names triggers the memories of huge breaches, fines and other bad press."
The Latest Numbers
The federal list shows that in 2011, nearly 150 major breaches affected 10.8 million individuals, including seven huge incidents that affected a combined total of about 9.9 million. By comparison, the partial tally for 2012 shows nearly 100 incidents affecting 2.2 million, with the five largest incidents affecting a combined total of 1.5 million.
The running breach tally, which dates back to September 2009, now includes 511 incidents affecting 21.4 million individuals.
Only nine breaches affecting 177,000 have been added to the list since Oct. 22 (see: Health Breach Tally Tops 500 Milestone). The largest incident added in recent weeks was a breach at Alere Home Monitoring involving the loss of an unencrypted laptop, which affected about 116,000 individuals.
Survey Findings
In light of highly publicized breaches, many healthcare organizations plan to take breach-prevention action next year. The 2012 Healthcare Information Security Today Survey, the complete results of which will soon be published on HealthcareInfoSecurity, shows that the top three breach prevention steps organizations will take in the coming year are:
- Stepped-up training on privacy and security issues;
- Implementing encryption of all mobile devices and removable media;
- Implementing audit tools to enhance detection of unauthorized access.
"I think those are great steps to take," Borten says. "For example, loss and theft of unencrypted devices and media with PHI [protected health information] continues to be a big issue. But more and more organizations that permit personally-owned devices and media to be used for work are finally requiring encryption and, further, are providing the encryption."
The survey also shows that the top information security priorities for the coming year are improving regulatory compliance; improving security awareness and education for physicians, staff, executives and board; and preventing and detecting breaches.
Educating employees and clinicians about data security is a vital step in preventing breaches, Walsh says. "Technical controls can only go so far to protect data," he notes. "We depend upon the users of technology to follow the rules and policies and not to circumvent the technical security controls."
To gain staff buy-in, hospitals, clinics and other organizations need to educate staff on regulatory requirements and breach risks, and then explain why security controls are in place, Walsh says. "It is important to remind individuals that they could be held personally liable - by federal or state authorities - for blatant violations that compromise personally identifiable information."
Biggest 2012 Breaches So Far
Follow Marianne Kolbasuk McGee on Twitter: @HealthInfoSec