Time to defib health care security

Security regulations for medical information came into effect six years ago. So why is sensitive medical data still stored unencrypted?

While some industries have struggled during the hard economic times of the past few years, health care has thrived and continues to grow.

The industry has been building hospitals and administrative facilities at a record pace. The relative number of health-care-related jobs has jumped 80 percent since 2005, and half of the top 20 fastest growing occupations are linked to health care.

Yet, while health care has improved its care of patients, its care of data has been lackluster. Major leaks of health-related data surface on a regular basis. Two weeks ago Tricare, the health care provider for the U.S. military, reported that backup tapes holding data on 4.9 million patients had gone missing (PDF). The tapes, which were not encrypted, were reportedly stolen along with other belongings from a car belonging to an employee of SAIC, a government contractor tasked with managing offsite backups for the health care provider. The tapes had information -- including Social Security numbers and medical treatment information -- on service members who had been treated between 1992 and 2011.

"The risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure," Tricare said in its statement.

The company could have made the risk virtually zero, if it had followed the best practice of encrypting backup takes as required by the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The rules requiring encryption were drafted in 2003 and came into effect in April 2005.

Instead, Tricare's breach has topped the list of health-care-related information leaks of the past three years. Four of the five breaches on the list occurred from theft, and the fifth resulted because servers containing data on 1.9 million Health Net members were lost or stolen -- no one is sure which. In fact, theft continues to be the No. 1 reason for data breaches in the health care industry, accounting for 56 percent of all incidents in the past three years. Loss accounts for another 14 percent.

Given that the risk in 7 out of 10 health care breaches -- including all the largest incidents -- could have been mitigated by encrypting data stored on tapes, hard drives, and other media, it seems the health care industry needs to practice a little more preventative medicine.

This article, "Time to defib health care security," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow InfoWorld.com on Twitter.

Copyright © 2011 IDG Communications, Inc.

How to choose a low-code development platform