Insurance & Technology is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:24 PM
Connect Directly

Sloppy Security Practices Behind Recent Healthcare Data Breaches

Inadequate security practices exposed the personal health and other information of over 1 million people collectively through incidents that occurred in Utah, California and Washington, D.C.

The Utah Department of Technology Services (DTS) has processes in place to ensure that the state's data is secured, but a particularly server was not configured, leading to hackers removing the personal information of about 181,600 Medicaid and Children's Health Insurance Plan (CHIP) recipients. From within that number, 25,096 appear to have had their Social Security numbers compromised, according to a Utah DTS statement. The Utah incident followed two other healthcare data breaches reported last week. InformationWeek's Neil Versel reported on the theft of a laptop from Howard University including 34,000 unencrypted records and the loss of backup tapes containing records of 800,000 people enrolled in California Department of Child Support Services.

There may be no such thing as complete security in cyberspace, anymore than there is not in the bricks-and-mortar world. However, companies need to do better in where they store data and how they control access to it, suggests Tony Busseri, CEO of Route1, a Toronto-based security and identity management company. Tony had this to say in an exchange we had earlier today:

Securing critical information is paramount considering the inherent vulnerability of data being accessed by a growing mobile workforce.

For many organizations, adopting data entitlement practices may be the most powerful way to mitigate risks as well as the easiest path through which to address this problem. Gone will be the days of any employee being allowed to access and store sensitive information on personally owned devices.

Employees must have tools that provide them with a mobile computing experience identical to that when they are in the office -- with the exception of being able to extract data outside the enterprise firewall. Confidential data and information stored on personal devices, such as smartphones, tablets, laptops, and USB drives, are a liability waiting to happen and an open door for hackers, viruses or other external threats.

Data that is allowed to exit the network and be download onto mobile devices is infinitely more at risk than when it is stored behind the confines of the firewalls built to protect it. There are solutions that allow the mobile worker to view encrypted data that never exits the network -- at Route1 we call it 'protecting the fortress.'"

The second, critical issue we see time and time again is authentication methods. Identifying the individual accessing data can be just as important as where that data is stored. The time for true multifactor authentication is long overdue. Passwords and pin numbers are nowhere near enough.

Anthony O'Donnell has covered technology in the insurance industry since 2000, when he joined the editorial staff of Insurance & Technology. As an editor and reporter for I&T and the InformationWeek Financial Services of TechWeb he has written on all areas of information ... View Full Bio

Register for Insurance & Technology Newsletters