Privacy experts: Health data security efforts too reactive

Privacy experts spoke about their data breach experiences Thursday at the Healthcare Privacy Summit in Washington, D.C., agreeing that what they've experienced is likely just the beginning of what's possible in security fissures at healthcare organizations.

Omar Khawaja, a global project manager for Verizon, noted that 61 percent of breaches his group finds are for payment card information, and pointed out that the reactive system presently in place for combating such breaches is problematic.

"What does 911 look like in cyberspace? Who do you call when you have a breach?" Khawaja asked. "It takes months just to contain the breach."

Bill Turner, Chief Privacy and Security Officer of Brookfield, Wis.-based Allium Healthcare, a technology consulting and staffing firm, said that most of the privacy errors he sees stem from human error. Turner recalled a story about a hospital having in its records that he had passed away, when it was really a man listed above him in the hospital's logs.

Turner also called the manner in which organizations respond to data breaches "repetitive," saying that oftentimes, not enough is done to alleviate a situation.

"It's a constant game," he said. "We won't settle it in our lifetime."

M. Peter Adler, health and cybersecurity counsel and chief privacy officer for government affairs for Fairfax, Va.-based technology provider SRA International, said his company is moving toward the idea that data governance is an effective way to prevent and combat breaches.

"Data governance is one way to deal with it, creating a model where you have stakeholders that are going to help with protection," Adler said. "They can come in many shapes and sizes, some CISOs, some lawyers, some project team leaders--they're all part of it."

Leo Dittemore, director of technical services for Denver-based kidney care company DaVita HealthCare Partners, said the No. 1 type of breach his company has dealt with is employees looking at one another's files and records. To that end, he said, the company implemented a service to look at what was accessed. Five to six people are fired each year for snooping records, he said.

Even with safeguards in place, though, breaches are hard to avoid, he said.

"We're making a huge investment, and when a huge problem comes, there will be backlash," Dittemore said. "I hope we can prevent that."