Healthcare organizations need to "serve as their own watchdog" to increase security and decrease data breaches, a new report from IT security audit firm Redspin concludes. The increase in "bring your own device" policies at various hospitals, in addition to the continued implementation of electronic health record systems, are too much for government alone to regulate, the report's authors say.
The report digs into the latest major data breach figures--those breaches impacting 500 or more individuals--released by the U.S. Department of Health & Human Services' Office for Civil Rights. With the addition last week of the 2011 Sutter Health breach, which impacted 4.2 million patients, the number of major healthcare information breaches now sits at 385 since 2009.
"The Federal government is unlikely to mandate that all portable devices that store [electronic personal health information] be encrypted, but it's an obvious and sensible policy for a healthcare organization to adopt," the authors say. "Taking it further, why not require that all mobile devices in the healthcare workplace be encrypted, even if ePHI is not allowed on them?"
According to the report, nearly 40 percent of all major PHI breaches occurred on a laptop or other portable media device, a problem the authors say isn't likely to go away anytime soon. "Portability is here to stay," they write. "The BYOD revolution is well underway, yet 50 percent of respondents in a recent healthcare IT poll say nothing is being done to protect data on those devices."
In the last year alone, data breaches stemming from employees losing unencrypted devices spiked a whopping 525 percent, according to the report. Total records breached in that same span nearly doubled (97 percent), increasing the average number of patient records per breach from nearly 27,000 to more than 49,000.
"[I]t is strikingly clear that woefully inadequate security risk analysis [if any] took place prior to the occurrence of these incidents," the report's authors write. They add that a "proper risk-based assessment" could have triggered an evaluation of security controls in place at the time, given the large amount of PHI involved.
To learn more:
- here's Redspin's announcement
- download the report (registration required)