Massive UK Breach: A Call to Action?
It's Time to Consider Mobile Device Security Strategies
Why would anyone store that much patient information on a portable device that could be lost or stolen? And why wasn't the information encrypted? Good questions. Maybe we'll find out more when the investigation is completed.
Will the incident serve as a wake-up call for U.S. healthcare organizations about the need to take adequate precautions for preventing breaches involving mobile devices? We'll have to wait and see. In the meantime, the list of security incidents on the federal "wall of shame," which displays many dozens of major breaches stemming from lost or stolen unencrypted mobile devices and media, keeps on growing.
Sanctions Needed
Security expert Kate Borten, president of The Marblehead Group, offers this observation: "Unless the U.K. government takes significant action against the NHS for this serious breach, which is not likely, the message to the U.S. healthcare industry is lost."
Too many healthcare organizations still have a sense that a breach "won't happen to us," Borten says. "Maybe the only thing that will cause all organizations to implement obvious security measures, such as encryption on portables, will be a breach that has a horrible impact on patients who then bring legal action and major publicity that doesn't fade away after a week."
Security consultant Mac McMillan, CEO at CynergisTek, says a significant ramping up of enforcement of HIPAA and HITECH Act regulations is needed. The U.K. incident, and the nearly 290 incidents on the U.S. "wall of shame," are indications that "security is not a priority," he argues.
"If it was a priority, we would never, ever put more than 8 million records on a laptop. You would think someone would have asked the question: 'Do the health records on more than 8 million individuals belong on a device that can be lost or stolen?'"
Healthcare organizations should carefully consider whether any patient information should be stored on mobile devices, he stresses. And if such data absolutely must be stored on a laptop, it's essential to encrypt it, he adds.
So has your organization considered whether to prohibit, or at least limit, the storage of patient information on mobile devices? And are all your mobile devices that store patient data equipped with encryption? Maybe it's time to check.
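One concrete way to answer the "are all your mobile devices equipped with encryption?" question on a Windows laptop fleet is to audit the BitLocker state of every volume and flag anything that is not both fully encrypted and actively protected. The script below is an added example for this article, not code from the article or from anyone quoted in it. It assumes the BitLocker PowerShell module that ships with Windows 8 / Server 2012 and later, an elevated session (Get-BitLockerVolume needs administrator rights), and a report path that is a constructed placeholder to be replaced with wherever your compliance team collects results.

```powershell
# Added example (not from the article): audit BitLocker state on one Windows
# device and report every volume that is not fully encrypted with protection on.
# Assumes: BitLocker module present, elevated session. Report path is constructed.

function Get-EncryptionAudit {
    [CmdletBinding()]
    param(
        # Constructed placeholder; point this at your collection share.
        [string]$ReportPath = "$env:TEMP\encryption-audit-$env:COMPUTERNAME.csv"
    )

    $volumes = Get-BitLockerVolume -ErrorAction Stop

    $findings = foreach ($v in $volumes) {
        # Removable media is audited on purpose: the breach list includes lost
        # unencrypted media, not only laptops. A volume that is encrypted but has
        # protection suspended (ProtectionStatus = Off) is still non-compliant,
        # as is one whose encryption never finished (EncryptionInProgress).
        $compliant = ($v.VolumeStatus -eq 'FullyEncrypted') -and
                     ($v.ProtectionStatus -eq 'On')

        [pscustomobject]@{
            Computer          = $env:COMPUTERNAME
            MountPoint        = $v.MountPoint
            VolumeType        = $v.VolumeType
            VolumeStatus      = $v.VolumeStatus
            ProtectionStatus  = $v.ProtectionStatus
            EncryptionPercent = $v.EncryptionPercentage
            KeyProtectors     = ($v.KeyProtector.KeyProtectorType -join ';')
            Compliant         = $compliant
        }
    }

    # Persist per-device evidence so a central team can roll it up across the fleet.
    $findings | Export-Csv -Path $ReportPath -NoTypeInformation
    return $findings
}

$audit = Get-EncryptionAudit
$audit | Format-Table -AutoSize

$gaps = @($audit | Where-Object { -not $_.Compliant })
if ($gaps.Count -gt 0) {
    Write-Warning ("{0} volume(s) on {1} are not fully protected: {2}" -f `
        $gaps.Count, $env:COMPUTERNAME, ($gaps.MountPoint -join ', '))
    exit 1
}
```

Run it through your endpoint management tool or a scheduled task so the CSV lands centrally; a non-zero exit code lets the management tool treat an unencrypted data volume as a failed compliance check rather than a line in a report nobody reads. The KeyProtectors column matters as much as the encryption flag: a volume protected only by a TPM with no recovery key escrowed is encrypted today but may be unrecoverable, or silently left unlocked, after a hardware change.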
"I fear that the public and the industry are already numb to these breaches since they are common," Borten says. That's a scary thought, indeed.