Verizon CMO: Protection of data at rest not important? Really?

admin — Wed, 25 Nov 2009 20:30:38 +0000

Seems like it’s been a tough week for Verizon to try and prove their point about how encryption is unimportant to securing protected health information (PHI).

According to ModernHealthcare.com Peter Tippett, Vice President of Technology and Innovation and Chief Medical Officer, recently said “Encryption of data at rest in a database, for example, typically provides “no value” against a large majority of hacking and malicious code threats, and “end-user devices like PCs, laptops and PDAs” are “orders of magnitude less important targets in the real world than is perceived (and databases are several orders of magnitude more important than end-user devices).”

: Image by Spartacus007 via Flickr

In addition, Tippett says current security standards and methods are “too complex, are based on dogma instead of science, are both ineffective and inefficient, and are too static.”

But facts and reality prove otherwise. The following RECENT breaches were revealed while Verizon is literally putting its head in the sand and marginalizing encryption (and all of them could have protected patient information had encryption been installed):

68 Computer hard drives belonging to Blue Cross Blue Shield “walked out” of a datacenter, along with social security numbers and other information belonging to 2 million clients.
HealthNet loses an external hard drive with personal financial and medical information belonging to 1.5 million clients.
US Army loses hard drive with 60,000 with social security numbers and other personal information.
A laptop containing clinical information on 2,000 patients was stolen from the Guam Memorial Hospital.

And all this within 2 weeks! The fact is that data in use, like data at rest, and data in motion needs to be encrypted if it contains protected health information.

Blue Cross Blue Shield Data Breach Investigation Extends Credit Protection for Providers to 2 Years (ducknetweb.blogspot.com)
Health Net Data Breach – 1.5 Million Records At Risk With Missing Portable Hard Drive (ducknetweb.blogspot.com)
Laptop Heist Exposes Doctors’ Personal Data (deurainfosec.com)
Blue Cross Physicians Warning – Potential Data Breach With Stolen Laptop Computer (ducknetweb.blogspot.com)
From the Hospital Room to Bankruptcy Court (nytimes.com)
A member of Blue Cross Blue Shield comes over to the side of the people (iflizwerequeen.com)

Long term costs for a breach of just 499 records could be as high as $100,798

admin — Sat, 29 Aug 2009 06:10:40 +0000

According a study performed by The Ponemon institute, which is also quoted by the Department of Health and Human Services in the Interim Final Ruling on Breach Notification, the total cost of a data breach is an average of $202 per record (of which an $152 pertains to indirect cost including abnormal turnover or churn of existing and future customers). A breach of just 499 records could cost $100,798 over the long term. The same report states that health care and financial services are the two industries experiencing the highest average rate of churn. It should be noted that, according to the same study, lost or stolen laptops/mobile devices account for 35% of all data breaches.

Laptop and mobile device encryption technology is readily available. Implementing encryption in other vulnerable areas such as file shares, removable storage, and even e-mail greatly reduces the potential for invoking your breach notification plan. By reducing the availability of unsecured protected health information (PHI) in your IT systems you can greatly reduce the chances of having to notify individuals in case of a breach.

Avoid Breach Notification - Experior helps PHI Encryption » laptops

Verizon CMO: Protection of data at rest not important? Really?

Related articles by Zemanta

Long term costs for a breach of just 499 records could be as high as $100,798