
'Wall of Shame' Exposes 21M Medical Record Breaches

Lucas123 writes "Over the past three years, about 21 million patients have had their unencrypted medical records exposed in data security breaches that were big enough to require they be reported to the federal government. Each of the 477 breaches that were reported to the Office for Civil Rights (OCR) involved 500 or more patients, which the government posts on what the industry calls 'The Wall of Shame.' About 55,000 other breach reports involving fewer than 500 records were also reported to the OCR. Among the largest breaches reported was TRICARE Management Activity, the Department of Defense's health care program, which reported 4.9 million records lost when backup tapes went missing. Another five breaches involved 1 million or more records each. Yet, only two of the organizations involved in the breaches have been fined by the federal government."
  • by c0lo ( 1497653 ) on Tuesday August 07, 2012 @10:43PM (#40913807)
    TFA (second page):

    On March 9, Blue Cross Blue Shield of Tennessee (BCBS) was fined the maximum $1.5 million for 57 unencrypted computer hard drives that were stolen from a leased storage facility in 2009. BCBS has since encrypted all of its hard drives, representing 885TB of data.
    BCBS said it spent more than 5,000 man-hours on the encryption effort, which cost the company $6 million.

    Say they used new HDD-s at $100 for a 1TB HDD -> HDD cost=$88,500. F*** it... let's be generous and say all the equipment amounts to $1M.
    The rest should be labour-cost, isn't it? Which means $1000/h... Seems to be a good trade to be in.

  • by linatux ( 63153 ) on Tuesday August 07, 2012 @11:14PM (#40914069)

    I'd like to think that they use higher-grade drives than you buy at Fry's or wherever. Would also assume RAID5 or better. Add in the fact they were probably plugged into a DMX or similar & $6M starts sounding reasonable.

    Why they weren't encrypted from the start is the real question.

  • by besalope ( 1186101 ) on Tuesday August 07, 2012 @11:24PM (#40914141)
    Umm... where's the news? This website has been around for YEARS. The breaches aren't anything new and anyone that is affected should've been alerted per HIPAA.
  • Re:Punish them. (Score:5, Interesting)

    by Eskarel ( 565631 ) on Wednesday August 08, 2012 @03:19AM (#40915483)

    Hospitals are complex places. Lots of staff, lots of data being transferred between systems some of which are insecure and there's nothing you can do about that, because they're required, and no competitors exist.

    The main reason that the number of breaches in hospitals is as low as it is is because for the most part people don't target hospitals so relatively basic security functions. Now of course we have people doing it "for the lulz" or to prove some sort of point which makes health care even harder to do.

    In a hospital environment you have to cater for doctors which no one other than the person running their accreditation even knows exist, nurses who view IT as a barrier between them and what they actually do, patients who want miracles, and health funds who seem to desire complexity for the sake of complexity. Connect all that up to IT products which haven't been updated since the mid 90's, never will be updated and can't be replaced because the group that would certify a competitor makes the product in question, add in vastly disparate WAN locations, a need for instant performance and 5 nines up time all on a shoestring budget and you'll start to get a picture of hospital IT.

    In the end you really have to ask yourself, is it better or worse to risk having a portion of your medical record stolen, or to die because the doctors couldn't get the information they needed quick enough. Sadly that's about how the choices line up, hospitals aren't generally negligent, it's just the nature of the game.
