LogBlog


Are IT Security Professionals the Last Line of Defense for Patient Privacy?

By Dominique Levin

EVP Marketing and Strategy


As the national debate about overhauling the $2.5 trillion United States healthcare system rages, the federal government is already investing tens of billions of dollars as part of the stimulus program to push our medical care industry to shift from paper to computer records.

In our rush to computerize patient records to reap the benefits of higher quality of care and safety, and to better control fraud, who is making sure that our private medical records are being protected?

To better understand the issues, we at LogLogic spoke with some of our largest healthcare customers about their steps to bolster patient privacy protection. We also partnered with the independent research firm the Ponemon Institute to survey 542 senior IT practitioners from healthcare organizations with an average of more than 1,000 employees about how secure they believe electronic patient medical records are.

According to the October 2009 Ponemon report, “Electronic Health Information at Risk: A Study of IT Practitioners,” 80 percent of healthcare organizations had experienced at least one incident of lost or stolen electronic health information in the past year – four percent had more than five patient data breaches. More than two-thirds of these healthcare organizations had already digitized at least a quarter of their patient records and a third had digitized more than half.

The most surprising finding was that almost three-quarters of respondents said their organization failed to make patient record protection a priority.

At LogLogic, we think this presents a unique opportunity for IT security professionals to take a leadership role in this critical national issue. New rules mandated by the Health Insurance Portability and Accountability Act (HIPAA), which became effective in September, are important steps towards bridging the traditional gap between “Cover Your Ass” compliance and real IT security.

To find out more highlights and read a complete copy of the Ponemon Institute study and the LogLogic healthcare customer survey, please take a moment to register at our site at www.loglogic.com/resources/analyst-reports/ponemon-electronic-health-info-at-risk/

In LogLogic’s interviews with senior security professionals responsible for overseeing the protection of hospital patient records, a consensus emerged that best practices in securing patient privacy go beyond HIPAA compliance. New technologies allow hospitals to more closely monitor and protect patient privacy than ever before. The recent changes in HIPAA also put more stringent requirements on medical organizations to secure patient privacy. Hospital security professionals today have a unique opportunity to be patient privacy heroes.

If you’re in the healthcare industry, do you feel you have a role to play as a privacy hero? Let us know. We want to hear from you.

Posted October 20, 2009 in Healthcare


People Have Grown Immune to Breach Notifications

by Lex van den Berghe
LogLogic Customer Evangelist

Back in simpler times, the “high tech” approach to breach notification was a gang of domestic geese or peacocks posted as sentries ’round the farm to squawk bloody murder whenever strangers approached the property line. Times have changed, as has the definition of “high tech”…but the basic principles and necessity of effective breach notification remain the same.

I spoke with Sudha Iyer, Director of Product Management at LogLogic, and she shared her two cents on breach notification and why it pays to be prepared…

It seems that not a day goes by without a report of a data breach, or a discussion of the latest attack of the Conficker (or other malware) variant. Lest organizations become desensitized to such attacks, I’ve noticed that breach notifications can have a negative impact on the organization’s net worth.

Take the case of Heartland Payment Systems (NYSE - HPY) for example. When markets opened after Heartland’s public announcement of their credit card breach in January 2009, their stock price shrank to $8.54 and plummeted to $3.95 by March 2009. Today, Heartland is fortunate that their stock is almost back to its pre-breach notification price of $14.53.

Despite the continuous flood of public breach notifications like Heartland Payment Systems, I find it troubling that so many organizations continue to act as if they are immune to such attacks. Has the barrage of public breach notifications bred enough apathy so as to undermine the primary reasons for public notifications in the first place? I thought breach notifications were meant to…

Consider the healthcare industry. The Health Information Technology for Economic and Clinical Health Act (HITECH) includes a health care breach notification law. This interim final rule on the HITECH Act just became effective on September 23rd, and the law requires any organization covered under the Health Insurance Portability and Accountability Act (HIPAA) to notify patients of a data breach involving their personal health information. Will this law, especially with its recent amendments that critics say completely gut the original intent of the bill, achieve the aforementioned aims of data breach notification? This leads to a larger question: does data breach notification adequately protect the consumer or patient whose information is compromised?

If there’s a lesson to be learned here, it would have to be: “Don’t put off until tomorrow what you can do today.” Rather than be vulnerable and exposed to attack, enterprises should enact the proper defenses and alerts to fend off the perpetrators. If your high tech “farm” could use a good flock of geese or peacocks, check us out…we can help!

Posted October 05, 2009
