The Security Scrutinizer with Howard Anderson

Massive UK Breach: A Call to Action?

It's Time to Consider Mobile Device Security Strategies

When British news media reported that an unencrypted laptop containing information on 8.63 million patients was missing from a National Health Service facility, jaws dropped here in the U.S.

Why would anyone store that much patient information on a portable device that could be lost or stolen? And why wasn't the information encrypted? Good questions. Maybe we'll find out more when the investigation is completed.

Will the incident serve as a wake-up call for U.S. healthcare organizations about the need to take adequate precautions for preventing breaches involving mobile devices? We'll have to wait and see. In the meantime, the list of security incidents on the federal "wall of shame," which displays many dozens of major breaches stemming from lost or stolen unencrypted mobile devices and media, keeps on growing.

Sanctions Needed

Security expert Kate Borten, president of The Marblehead Group, offers this observation: "Unless the U.K. government takes significant action against the NHS for this serious breach, which is not likely, the message to the U.S. healthcare industry is lost."

Too many healthcare organizations still have a sense that a breach "won't happen to us," Borten says. "Maybe the only thing that will cause all organizations to implement obvious security measures, such as encryption on portables, will be a breach that has a horrible impact on patients who then bring legal action and major publicity that doesn't fade away after a week."

Security consultant Mac McMillan, CEO at CynergisTek, says a significant ramping up of enforcement of HIPAA and HITECH Act regulations is needed. The U.K. incident, and the nearly 290 incidents on the U.S. "wall of shame," are indications that "security is not a priority," he argues.

"If it was a priority, we would never, ever put more than 8 million records on a laptop. You would think someone would have asked the question: 'Do the health records on more than 8 million individuals belong on a device that can be lost or stolen?'"

Healthcare organizations should carefully consider whether any patient information should be stored on mobile devices, he stresses. And if such data absolutely must be stored on a laptop, it's essential to encrypt it, he adds.

So has your organization considered whether to prohibit, or at least limit, the storage of patient information on mobile devices? And are all your mobile devices that store patient data equipped with encryption? Maybe it's time to check.
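One concrete way to do the check just described, added here as an example and not part of the original column: on a Linux laptop, list the block-device stack with the util-linux `lsblk` tool and flag any mounted filesystem that does not sit on top of a dm-crypt (LUKS) layer. The function names `unencrypted_mounts`, `audit_local_disks` and `sample_lsblk`, and the sample `lsblk` output, are constructed for this example; the script assumes a recent util-linux whose `lsblk` supports `-P` and the `PKNAME` column. On a Windows fleet the same question is answered by BitLocker status (for instance `manage-bde -status`).

```shell
#!/bin/sh
# Example check (constructed for this article, not the column's own code):
# report mounted filesystems that are not backed by a dm-crypt device.
#
# Input format: `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME`, one device per
# line as KEY="VALUE" pairs. PKNAME is the parent kernel device name, which
# lets us walk the stack (partition -> LUKS container -> LVM volume -> mount).

# Read lsblk -P output on stdin; print "<device> <mountpoint>" for every
# mounted filesystem with no crypt layer anywhere beneath it.
unencrypted_mounts() {
  awk '
    # Extract VALUE from KEY="VALUE". The leading space in `line` stops
    # NAME= from matching inside PKNAME=.
    function val(line, key,   start, len) {
      if (match(line, " " key "=\"[^\"]*\"")) {
        start = RSTART + length(key) + 3
        len   = RLENGTH - length(key) - 4
        return substr(line, start, len)
      }
      return ""
    }
    {
      line = " " $0
      name = val(line, "NAME")
      if (name == "") next
      type[name]   = val(line, "TYPE")
      parent[name] = val(line, "PKNAME")
      mount[name]  = val(line, "MOUNTPOINT")
    }
    END {
      for (name in mount) {
        # Unmounted devices (empty MOUNTPOINT) are skipped; swap shows up
        # as "[SWAP]" and is deliberately included, since unencrypted swap
        # can hold copies of whatever was in memory.
        if (mount[name] == "") continue
        enc = 0
        for (cur = name; cur != ""; cur = parent[cur]) {
          if (type[cur] == "crypt") { enc = 1; break }
        }
        if (!enc) print name, mount[name]
      }
    }
  ' | sort
}

# Constructed sample: root on LVM-on-LUKS (encrypted), plain /boot partition,
# and a second disk with an unencrypted /data partition.
sample_lsblk() {
  cat <<'EOF'
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="luks-root" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="luks-root"
NAME="sdb" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" MOUNTPOINT="/data" PKNAME="sdb"
EOF
}

# Run the check against the live machine (requires util-linux lsblk).
audit_local_disks() {
  lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME | unencrypted_mounts
}

# Only touch the real system when explicitly asked: `sh check.sh --scan`.
if [ "${1:-}" = "--scan" ]; then
  audit_local_disks
fi
```

Run with `--scan` on each laptop and collect the output centrally; an empty result means every mounted filesystem sits on a LUKS container. On the constructed sample the check reports `sda1 /boot` and `sdb1 /data` while `/` passes because its LVM volume is stacked on `luks-root`. A plain `/boot` is normal on many LUKS installs and can be allow-listed, but an unencrypted data partition on a device that may carry patient records is exactly the finding the column is asking you to look for.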

"I fear that the public and the industry are already numb to these breaches since they are common," Borten says. That's a scary thought, indeed.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
