Disk Encryption Could Make Dent On Cost Of Medical Data Breaches: $800 Million And Rising

George Hulme over at informationweek.com points towards a report by HITRUST where it's noted that the total cost of HIPAA/HITECH publicized breaches could be a little over $800 million.  What's most surprising to me is how much of a positive effect drive encryption software like AlertBoot could have on the numbers.

Numbers Underreported?

As many following this blog know, in September 2009 the HHS started publicizing breaches involving 500 or more individuals, as required under the HITECH amendments to HIPAA.  Nearly a year afterward, there are over 108 entries involving 4 million people (or rather, medical records).

Of course, the cost of a breach is not reported to the HHS; it's not required and it's none of their business, really.  But, people in the industry have enquiring minds, and enquiring minds want to know.  So HITRUST applied the general cost of a data breach ($204/record per the latest Ponemon Report) and came up with an estimate of $834 million.

It's a good guesstimate.  On the one hand, there is criticism that the Ponemon Institute's figures are aggressive.  I don't quite share this belief, but I understand the critics: the institute appears to have ties with the information security industry (collaborating with software vendors, carrying out studies for a vendor, etc).  Isn't that natural, though?  Who's going to pay for these reports?  Not the guys busy trying to cover up their breaches.

On the other hand, the above guesstimate is based only on breaches involving 500 or more people.  I'm pretty sure there are plenty of breaches involving fewer records, which should balance out any "aggressiveness" in the per-record cost.

Nearly Two-Thirds Are Theft-Related

As impressive as hundreds of millions might be, perhaps we should turn our attention to what's not a guesstimate: what was involved in a breach.

Looking at the cross-section of these categories and focusing first on simply the number of breaches experienced, the theft of laptops was the number one cause resulting in a total of 32 breaches reported. The next closest leading causes are theft of desktop computers and theft of removable media resulting in 10 and 12 breaches respectively. The total number of thefts reported is an astonishing 68 or 63% of all breaches. [informationweek.com, my emphasis]

While I'm loath to say the current sample at the HHS's site is representative of the "breach population" out there, it does show that a big part of data breaches stem from the loss of digital devices holding sensitive information such as protected health information (PHI).

Such breaches can be curtailed substantially with the one tool the Department of Health and Human Services has deemed worthy of safe harbor from breach notification, provided it is actually in use: encryption software.

Whether it's a laptop computer, a desktop computer, an external hard drive, or even a USB memory stick, each one of these product categories can be protected with disk encryption.


Related Articles and Sites:
http://www.informationweek.com/blog/main/archives/2010/08/analysis_health.html
https://www.hitrustcentral.net/blogs/ht/archive/2010/08/02/update-an-analysis-of-hhs-breach-data.aspx

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.