» 

Blog

5 Ways Healthcare is Using Managed File Transfer

UTMC and AnMed HealthHealthcare organizations looking to improve secure file transfer processes have discovered the many advantages of Managed File Transfer (MFT) and the GoAnywhereTM Suite. Meeting regulatory compliance with HIPAA and HITECH, connecting multiple office locations or simply updating legacy systems all create excellent opportunities to evaluate the benefits of MFT.

"The medical environment is changing with new regulations and mandates to be addressed," says Scott Schwarze, manager of information services at the University of Tennessee Medical Center (UTMC). "We wished for a product that would do most of the heavy lifting."

  1. Eliminating Personnel Risk

    UTMC found itself in a vulnerable position when their only employee capable of maintaining complicated VB scripts became seriously ill. AnMed Health in Anderson, South Carolina recognized they were in a similar position with only one network staffer capable of setting up DOS batch transfers.

    "With a small staff but large output, the goal was something that all team members could be trained on," said Schwarze. Despite its extensive capabilities, GoAnywhere customers quickly discover the simplicity of scripting and troubleshooting tasks. Lisa Nanney, senior programmer analyst at AnMed Health adds, "when issues do arise, my operations staff can resolve the problem immediately."

  2. Proactive Notifications

    "Our old file transfer system did not offer automatic auditing," said Nanney. "Because we weren't proactive, it often took a call from a vendor to discover there was a problem." While AnMed Health uses notifications in GoAnywhere to raise alerts on file transfer issues, Cancer Registry of Greater California (CRGC) finds them invaluable in improving workflow.

    "We knew it was important to manage the flow of documents," states Cory Hamma, systems support manager for CRGC. When files are uploaded by a partner facility, employees are notified of each successful transfer. This establishes a procedure for timely attention to uploaded files and ensures that they don't go unprocessed.

  3. Reducing Menial Tasks

    One of AnMed Health's initiatives was to eliminate the need for third shift staffing. Their results using the efficient automation tools in GoAnywhere saved programming, operations and network staff over 500 hours a month.

    A Network Engineer who handled the FTP server spent at least 24 hours a month troubleshooting transfers. According to Nanney, "he doesn't even touch transfers now unless we need connection assistance."

    But Nanney didn't stop there. She went on to automate many of their insurance claims and payment processing. This recovered over 50 hours of Data Center time in addition to accelerating the recoup of payments.

    During the evaluation of existing FTP processes for migration to GoAnywhere, the UTMC staff discovered they could eliminate custom processes from the procedure. "By eliminating cut off times for output from SQL jobs, labor hours for SQL developers were cut in half," says Schwarze.

  4. Compatibility with Trading Partners

    When UTMC was evaluating file transfer solutions "we assumed going in that we could not impact vendors," stated Schwarze. "Most of the vendors provided an SFTP or FTPS connection for file transfers." Their modified policy stated that data must not only go over an encrypted connection, but the files need to be encrypted as well.

    Schwarze appreciated GoAnywhere's ability to connect to most systems using standard file transfer protocols. Files are then encrypted and compressed using Open PGP and other standards. He added, "HIPAA does not require the double encryption method, but we felt in this technology environment it would be prudent."

    AnMed Health had several vendors migrate to SFTP, which posed a problem with their old FTP server. "We do transfers with vendors now that would not have been possible without GoAnywhere," said Nanney.

  5. Replacing Inefficient Processes

    CRGC covers a population area of nearly 20 million residents across 48 of California's 58 counties. In order to transmit files between locations, they were utilizing a number of secure email subscription services. Hamma described this being problematic due to, "the file transfer size limitation, lack of organizational control, and complexity for remote users."

    "Many research files exceeded 1 GB in size," said Hamma, "so the ability to remove that barrier entirely was huge." GoAnywhere also resolved organizational control with its detailed audit logs that ensure accurate documentation of who, when and where files are accessed.

    For AnMed Health, something as simple as replacing green-bar reporting streamlines operations. Nanney's team now sends reports to a network drive mapped to the IFS, cutting paper costs and eliminating yearly maintenance for "one dinosaur of a printer".

Regardless of your industry, GoAnywhere's MFT Suite delivers real results to improve secure file transfer and collaboration processes. Talk to a representative today and discover what GoAnywhere can do for your organization. To read the full case studies, please visit the links below:


Video: How to Encrypt Files with OpenPGP Studio

Have you ever been asked to email a file that includes personal information like your prescription records, or your banking account information, or even your social security number? Many people share that kind of information over the internet and simply hope that it doesn't get hacked.

Download OpenPGP StudioLinoma Software, developer of the enterprise solution GoAnywhere™ Managed File Transfer Suite, has made it much easier to keep this kind of confidential data protected with its recently released desktop encryption tool called GoAnywhere OpenPGP Studio™.

This free PC tool is designed for people who occasionally need to share or store sensitive data. OpenPGP Studio lets users encrypt, decrypt, sign and verify files from their PCs or workstations. An integrated key manager allows anyone to quickly create, import, export and manage OpenPGP keys needed to encrypt and decrypt files. Best of all, it's intuitive so even those who claim to be "non-technical" can confidently use OpenPGP Studio.

Here's a video available on YouTube, that shows just how easy OpenPGP Studio is to use.

You can download OpenPGP Studio from the GoAnywhere website, and then let us know what you think! If you need a more robust solution that includes automation, check out the GoAnywhere suite of products.


Healthcare Industry Still Lags in Protecting Data

As healthcare information security requirements and penalties get tougher, a great deal of discussion is focused around how well the healthcare industry is securing patient data.

healthcare data security survey results

The general consensus is that the industry still has a long way to go. One of the industry's publications, Healthcare InfoSecurity, released the results of the Healthcare Information Security Today survey sponsored by RSA which took an in-depth look at security and IT practices of senior executives in the healthcare industry.

<< click on the image to learn more  

 

The survey reviews many information security topics including

  • Impact of a data breach
  • Security threats
  • Compliance and steps to improve security
  • Risk assessment

Some of the responses surprised us on how far healthcare companies need to go for proper HIPAA compliance. Take a look at these statistics:

  • 55% of respondents were not confident in their organization's ability to comply with HIPAA and HITECH Act regulations concerning privacy and security (grading themselves adequate or less).
  • 66% responded that their organization's ability to counter internal information security threats was adequate or less.
  • Only 47% of survey participants utilize encryption for information accessible via a virtual private network or portal.
  • 32% of respondents have not conducted a detailed information technology security risk assessment/analysis within the past year with 47% updating their risk assessment only periodically.

The good news is that the survey shows that healthcare organizations are taking steps in the right direction to improve their security practices.

  • 37% of organizations' budgets for information security are scheduled to increase over the next year.
  • 40% of respondents plan to implement audit tool or a log management solution within the next year.

When asked what their organization's top three information security priorities are for the coming year, the top responses included

  • Improving regulatory compliance efforts
  • Improving security awareness/education
  • Preventing and detecting breaches

Healthcare IT teams will need updated security policies, comprehensive training for employees, and reliable tools and solutions that can deliver functionality, ease of use, audit reporting, and efficient workflows that protect the security of confidential data at rest and in motion.

The pressure is growing, compliance audits are looming, and tackling these issues are just part of the evolution of the healthcare industry.  


New Protections for Patient Data Increase Pressure For Trading Partners to Get Compliant

Yet another layer of regulation has been added to the Health Insurance Portability and Accountability Act (HIPAA) that offers even greater protection for healthcare patients' privacy, while also defining new rights regarding how they can access their health records.

meet HIPAA compliance regulationsThe biggest change is the expansion of HIPAA compliance requirements to include trading partners and third parties who also handle patient data, such as billing companies, contractors, and more.  The U.S. Department of Health and Human Services (HHS) reports that these third parties have been responsible for several significant data breaches which is one reason the responsibility for compliance has been extended to this group.

Penalties for violating HIPAA compliance rules will be assessed based on the determined level of negligence, and can go as high as $1.5 million per incident.

Other issues addressed with the latest additions to the HIPAA regulations include more clarity in defining which types of breaches need to be reported, as well as how patients will be allowed to access and interact with their health records electronically.

If you're concerned about whether your FTP server meets compliance regulations, join us for a webinar on Thursday, Jan. 31 at Noon Central entitled "Get Your FTP Server in Compliance!"  You can learn more about the agenda for this webinar here.

For more information about the new HIPAA rules, check out the press release from HHS.


Healthcare Data Breaches on the Rise

Stories of data breaches across all industries continue to make the news, and nowhere is the pressure greater to keep data safe than on healthcare IT managers.

Healthcare IT News states that health data breaches increased by 97% in 2011. The 2012 Data Breach Investigations Report from Verizon's RISK team confirmed that over 174 million records were reported as compromised, mostly as the result of hackers accessing the data. According to the Identity Theft Resource Center 2011 Breach Stats Report, 20% of all data breaches in 2011 were in the healthcare industry.

data breach statistics for 2012

What is most startling about this report is that, according to the RISK study, 97% of these cases could have been avoided through simple or intermediate security controls.  The graphic (see right) is one of the many included in Verizon's study.

Because the most common place where data is compromised is from corporate databases and web servers, hackers who gain access to these vulnerable areas are mining this data for private information such as social security numbers, birthdates and credit card information.

Studies like these underscore the importance of establishing network security perimeters and implementing procedures that protect the privacy of  patients' information residing on these servers.

IT managers must be vigilant to combat hackers' ever more sophisticated tools and methods, and that begins with better security procedures at the office.

Security Policy and Procedures Document

The first step in ramping up security is to write and formalize a security policy and procedures document that addresses best practice protocols and that encompasses applicable HIPAA and HITECH regulations.

Next, all employees must be trained and expectations for compliance made clear,  because it takes a concerted effort on everyone's part to ensure the required protections are implemented consistently.

Secure Data Files In Motion

One of the more popular ways for hackers to capture sensitive data is via the movement of files and documents across the Internet.  In an earlier blog post, we talked about how standard FTP is commonly used to send files. However, FTP sends the files in unencrypted form, and offers no protection for the server's login credentials. Once those credentials are captured, hackers can use them to access the FTP server to mine additional data files.

While managing the security of all of the files in the office may seem overwhelming, Managed File Transfer solutions can simplify this task. Used in conjunction with a reverse proxy gateway, a much greater security perimeter is formed around the network, servers and the sensitive data that need protection.


Building a Framework for HIPAA and HITECH Compliance

HITECH laws were enacted to up the ante on healthcare organizations to meet HIPAA legal compliance for data security and privacy, which, of course puts an additional burden on IT to make sure all bases are covered.  But regardless of the rigors of enacted laws, compliance doesn't happen overnight. It takes diligence and continued effort to understand and address all necessary requirements. To avoid the potential penalties of breaking HIPAA and HITECH laws, losing the confidence of patients and partners, and incurring hefty penalties, a focused, deliberate, measured plan is essential.

In addition to becoming familiar with HIPAA and HITECH regulations (a good place to start is the HHS.gov website), it's critical to meet with your security and management team and make decisions as to how your organization can best protect sensitive healthcare information. One of the first places to start this process is to fully document your department's own security policy and procedures.  This provides the foundation from which to train internal users in understanding and complying with the HIPAA and HITECH rules. In fact, having a security policies and procedures document is a requirement by HIPAA and HITECH.

If you don't currently have your security policies and procedures documented, one option for finding a good template is to Google the term, "IT Security Policies and Procedures." You will find free downloadable templates that give you a basic outline to follow.

If you already have this document in place, keep in mind it needs to be treated as a living document, to be changed and updated often as circumstances and requirements change.  Make a point to do a yearly, if not a bi-yearly, review.

Of course, documentation of security policies is only a start. You need to procure and implement proven security tools across your enterprise to protect your data -- whether the data resides on a server or is being transmitted across a network or the Internet.  A less-than exhaustive list of necessary IT security tools for ensuring compliance:  

 

  • Firewall - This security measure prevents intrusion into the private network from unauthorized outside viewers.
  • Email encryption  - To meet privacy requirements, email communications that contain private data must be encrypted.
  • Malware protection - This step keeps spyware/malware from infecting PCs and servers containing private data.
  • FTP communications - Managed file transfer solutions are designed specifically to provide encryption, logging and automation tools that make sure the sensitive data is secured and tracked while in motion, while reducing the time to manage all incoming and outgoing transactions
  • Backup protection - Backup files and tapes need to be encrypted and otherwise secured to make sure sensitive data can't fall into the wrong hands
  • Data shielding - Sensitive fields need to be encrypted or hidden to ensure that it can't be viewed or extracted by unauthorized viewers. A good data encryption product can also encrypt data on backup tapes as well sensitive data that might be shown in on-screen applications.
  • Physical facility protection - Server rooms, fax/copy/printer rooms, workstations all must be  considered when protecting sensitive data that is printed on paper or residing on servers or PCs.
  • Telephone and online communications - Anyone involved in telephone, online chat or discussion groups needs to be trained to be sensitive to privacy regulations and exposing sensitive information.

 

As you can see, there are several aspects of compliance to HITECH and other laws that need to be considered and addressed.  Healthcare professionals and organizations need to take their patients' privacy seriously, whether in the hospital, physician office or in electronic format on servers and digital communications with others.


HITECH Compliance Offers Challenges for IT

Outside of the finance industry, healthcare is one of the most regulated industries in the U.S.  As the healthcare policy debates rage on, one issue on which most Americans can agree is the need to keep personal healthcare information confidential and secure.

Major regulations such as HIPAA and HITECH have been passed into law to increase the security of our personal health information.  For better or worse, a major portion of the burden to comply with the regulations and all of their revisions falls upon the IT professionals.

HIPAA and HITECH: a brief overviewHITECH, data security, compliance

While HIPAA (Health Insurance Portability Accountability Act), passed in 1996, has received the most attention (see our blog), the more recently implemented HITECH law is quickly having an impact.

HITECH (Health Information Technology for Economic and Clinical Health Act) was passed into law in 2009. The goal for the  HITECH is to strengthen the civil and criminal enforcement of already existing HIPAA regulations that require health organizations and their business partners to report data breaches.  HITECH also increases the penalties for security violations, and implements new rules for tracking and disclosing patient information breaches.

Data breach notification

Under HITECH rules, all data breaches of PHI (protected health information) must be reported to the individuals whose data was compromised. This includes reporting files that may have been hacked, stolen, lost or even transmitted in an unencrypted fashion.  If such a breach -- or potential breach -- affects 500 people or more, the media must also be notified.   Breaches of all sizes must always be reported to the Secretary of Health and Human Services (HHS), but if fewer than 500 individuals' records are affected, healthcare organizations can report the breach via the HHS website on an annual basis.  Larger breaches must be reported to HHS within 60 days.

Penalties for data breach

The HITECH Act implements a four tier system of financial penalties assessed based on the level of "willful neglect" a healthcare organization demonstrated resulting in the breach. Fines range from  $100 per breached record for unintended violations all the way up to $50,000 per record (with an annual cap of $1.5 million) when "willful neglect" is demonstrated.

Access to electronic health records (EHRs)

HITECH requires that the software that a health organization uses to manage its EHRs must make a person's electronic PHI records available to the patient and yet remain protected from data breach by encrypting the data and securing the connection.  Not surprisingly, email is not considered a secure method of data transmission.

Business associates

Before HITECH,  business associates of healthcare organizations were not held directly liable for privacy and security under the HIPAA rules, even though they had access to PHI.  HITECH now requires that all business associates with access to PHI are subject to the HIPAA rules and must maintain Business Associate Agreements with the healthcare organization that provides the PHI.  Business associates are also required to report any data breaches and are subject to the same penalties as their healthcare business partners.


Top 10 Healthcare Data Breaches in 2010

Most data breaches are caused by simple acts of carelessness.

Last March the Ponemon Institute released its findings for the 2010 Annual Study: U.S. Cost of a Data Breach. The study -- based on the actual data breach experiences of 51 U.S. companies from 15 different industry sectors -- revealed that data breaches grew more costly for the fifth year in a row. They jumped from $204 per compromised record in 2009 to $214 in 2010.

The increase in cost, however, pales in comparison to the reputational cost of companies that have been victimized, particularly in the healthcare sector.

HITECH builds Wall of Shame

Consider that the U.S. Department of Health and Human Services has begun posting the data breaches affecting 500 or more individuals as required by section 13402(e)(4) of the HITECH Act.  The New York Times has labeled this site "The Wall of Shame".  Why? Because if patients have no faith in electronic record-keeping, the future of healthcare record automation will be jeopardized: Law suits and government regulation will bury any cost-savings.

The Back Stories of Healthcare Data Breaches

What are the stories behind the most severe healthcare sector data breaches reported in 2010?  Here are the ten most expensive stories, in ascending order of cost, documented in the Privacy Rights Clearing House database. While they're sober reminders of the problem of keeping data secure, they're also instructive: none of these breaches were malicious hacks, but were instead the results of theft, poor record-keeping policies, and simple human error.

(Note that the estimate of liability uses the $214/ record cost identified by the Ponemon Institute in its annual report. We have purposely not published the names of the reporting institutions.)

10th Most Expensive: Physician Computer Theft Exposes 25,000

On June 29th of 2010 a thief stole four computers from a physician specialist's office in Fort Worth, Texas.  This theft resulted in an estimated 25,000 patient records being exposed.  The patient records contained addresses, Social Security numbers and dates of birth. Estimated liability: $5,350,000.

9th: Medical Center Theft Exposes 39,000

On the weekend of May 22nd, 2010 two computers were stolen from a medical center in the Bronx. Names, medical record numbers, Social Security numbers, dates of birth, insurers, and hospital admission dates of patients were known to be on the computers.  Total records compromised: 39,000. Estimated liability: $8,346,000.

8th: Optometrist's Computer Theft Exposes 40,000

A computer stolen from an Optometry office in Santa Clara, California on Friday April 2nd, 2010 contained patient names, addresses, phone numbers, email addresses, birth dates, family member names, medical insurance information, medical records, and in some cases, Social Security numbers. Though the files were password protected, they were not encrypted.  A total of 40,000 records were lost, with an estimated liability of $8,560,000.

7th: Medical Records Found at Dump Expose 44,600

Medical records were found at a public dump in Georgetown, Massachusetts on August 13th, 2010. The records contained names, addresses, diagnosis, Social Security numbers, and insurance information. A medical billing company that had worked for multiple hospitals was responsible for depositing the records at the dump. The exposure required the hospitals to notify patients - an effort that continues to this date.  The total number of records known to have been exposed is 44,600, but the search continues.  Estimated liability: $9,544,400.

6th: Consultant Laptop Stolen Exposing 76,000

On March 20th, 2010, in Chicago, Illinois, a contractor working for a large dental chain found his laptop stolen.  The computer held a database containing the personal information of approximately 76,000 clients, including first names, last names and Social Security numbers. Estimated liability: $16,264,000.

5th: Lost CDs Expose 130,495

On June 30th, 2010 a medical center in the Bronx reported that it had failed to receive multiple CDs containing patient personal information that was sent to it by its billing associate.  These CDs were lost in transit. Information of 130,495 patients included the dates of birth, driver's license numbers, descriptions of medical procedures, addresses, and Social Security numbers.  Estimated liability of $27,925,930.

4th: Portable Hard Drive Theft Exposes 180,111

In Westmont, Illinois, a medical management resources company reported on May 10, 2010 that a portable hard drive had been stolen after a break-in.  The company believes the hard drive contained personally identifiable information about patients including name, address, phone, date of birth, and Social Security number. The company acknowledged that this hard drive had no encryption.  As a result, 180,111 records were exposed, creating an estimated liability of $38,543,754.

3rd: Leased Digital Copier Leaks 409,262

On April 10th, 2010 a New York managed care service in the Bronx reported that it was notifying 409,262 current and former customers, employees, providers, applicants for jobs, plan members, and applicants for coverage that their personal data might have been accidentally leaked through a leased digital copier. The exposure resulted because the hard drive of the leased digital copier had not been erased when returned to the warehouse. Estimated liability: $87,582,068.

2nd: Training Center Hard Drive Theft Center Exposes 1,023,209

The theft of 57 hard drives from a medical insurance company's Tennessee training facility in October of 2010 put at risk the private information of an estimated 1,023,209. customers in at least 32 states. The hard drives contained audio files and video files as well as data containing customers' personal data and diagnostic information, date of birth, and Social Security numbers, names and insurance ID numbers. That data was encoded but not encrypted. Estimated liability to date: $218,966,726.

Most Expensive of 2010: Two Laptops Stolen Exposes 860,000

A Gainsville, Florida health insurance company reported in November of 2010 that two stolen laptops contained the protected information of 1.2 million people.  This is an on-going story, as new estimates are calculated.  To date, the estimated liability is $256,800,000.

Preventing Exposure: Data Encryption

These cases document that the majority of the data breaches which occurred in 2010 were not the result of hacking activities, or even unauthorized access by personnel. The greatest data losses were simply the result of computer theft of portable devices and misplaced media.  Had the contents of the files been encrypted, this could have significantly reduced the risks and liabilities of these data losses.

Time and time again, industry experts point to data encryption as the key method by which organizations can prevent inadvertent exposure of sensitive data.

Of course, no healthcare organization wants to be listed on the US Department of Health and Humans Services' Wall of Shame.  And the costs - in dollars and in reputation - can be extraordinary.

Isn't it about time your management got serious about data encryption?


Managed File Transfer Streamlines HIPAA/HITECH Complexity

Managed File Transfer (MFT) systems are great for policy enforcement, access authentication, risk reduction, and more. But for HIPAA and HITECH requirements, MFT shines as a work-flow automation tool.

MFT as the B2B Enabler

It shines because Managed File Transfer systems are actually automation platforms that can help companies streamline the secure transfer of data between business partners. How? It removes many of the configuration steps traditionally required for complex Business-to-Business (B2B) processes, keeping it straightforward and manageable.

Transferring patient information is a difficult challenge which many healthcare institutions are facing. Data standards were supposed to simplify this communication between healthcare institutions and their partners. But ask any technical professional about the underlying variability of data formats, and you'll hear a tale of potential confusion and complexity.

Nightmares of Compliance

The HITECH regulations within HIPAA require the security and privacy of healthcare records, strongly suggesting the use of data encryption. These records may travel between various healthcare-related partners including hospitals, clinics, payment processors and insurers. Each partner may require their own unique data format, and each may prefer a different encryption technique or transport protocol.

Considering these differing requirements, adding each new trading partner has traditionally needed the attention of in-house programming or manual processes, which has become hugely inefficient. Furthermore, if the new trading partner is not implemented properly, this can also create the potential for errors that may lead to data exposures. Any exposures could move the healthcare institution out of HIPAA/HITECH compliance and may cost them severely.

Simplifying and Integrating Information Transfer

A Managed File Transfer (MFT) solution can significantly reduce the potential for errors and automate those processes. With a good MFT solution, any authorized personnel should be able to quickly build transfer configurations for each healthcare business partner. This should allow for quick selection of strong encryption methods (e.g. Open PGP, SFTP, FTPS, HTTPS) based on the partner's requirements, so that HITECH requirements are maintained. At the same time, a MFT solution creates a visible audit trail to ensure that compliance is sustained.

But, perhaps just as important, a good Managed File Transfer solution is constructed as a modular tool that can be easily integrated into existing software suites and workflow processes. In fact, a good MFT is like a plug-able transfer platform that brings the variability of all kinds of B2B communications under real management.

Now extend the MFT concept beyond the healthcare business sector, into manufacturing, finance, distribution, etc. Suddenly MFT isn't a niche' utility, but a productivity and automation tool that has myriad uses in multiple B2B environments.

A Day-to-day Technical Solution

Perhaps this is why the Gartner Group has identified Managed File Transfer as one of the key technologies that will propel businesses in the coming years. It's more than just a utility suite: It's a system that can be utilized over and over as an integral part of an organization's solutions to automate and secure B2B relationships. In other words, MFT isn't just for specialized compliance requirements, but a lynch-pin of efficient B2B communications technology that can bring real cost savings to every organization.

Healthcare Case Study Utilizing a MFT Solution: Bristol Hospital Takes No Risks with Sensitive Data


Who is Protecting Your Health Care Records?

Patient Privacy in JeopardyHealth Care Records

How important is a patient's privacy? If your organization is a health care facility, the instinctive answer that comes to mind is "Very important!" After all, a patient's privacy is the basis upon which the doctor/patient relationship is based. Right?

But the real answer, when it comes to patient data, may surprise you. According to a study released by the Ponemon Institute, "patient data is being unknowingly exposed until the patients themselves detect the breach."

The independent study, entitled "Benchmark Study on Patient Privacy and Data Security" published in November of 2010examined  the privacy and data protection policies of 65 health care organizations, in accordance with the mandated Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. HITECH requires health care providers to provide stronger safeguards for patient data and to notify patients when their information has been breached.

Patient Data Protection Not a Priority?

According to the study, seventy percent of hospitals say that protecting patient data is not a top priority. Most at risk is billing information and medical records which are not being protected. More significantly, there is little or no oversight of the data itself, as patients are the first to detect breaches and end up notifying the health care facility themselves.

The study reports that most health care organizations do not have the staff or the technology to adequately protect their patients' information. The majority (67 percent) say that they have fewer than two staff members dedicated to data protection management.

And perhaps because of this lack of resources, sixty percent of organizations in the study had more than two data breaches in the past two years, at a cost of almost $2M per organization. The estimated cost per year to our health care systems is over $6B.

This begs the question: Why?

HITECH Rules Fail to Ensure Protection

HITECH encourages health care organizations to move to Electronic Health Records (EHR) systems to help better secure patient data. And, indeed, the majority of those organizations in the studies (89 percent) said they have either fully implemented or planned soon to fully implement EHR. Yet the HITECH regulations to date do not seem to have diminished security breaches at all, and the Ponemon Institute's study provides a sobering evaluation:

Despite the intent of these rules (HITECH), the majority (71 percent) of respondents do not believe these new federal regulations have significantly changed the management practices of patient records.

Unintentional Actions - The Primary Cause of Breaches

According to the report, the primary causes of data loss or theft were unintentional employee action (52 percent), lost or stolen computing device (41 percent) and third-party mistakes (34 percent).

Indeed, it would seem that - with the use of EHR systems - technologies should be deployed to assist in these unintentional breaches. And while 85 percent believe they do comply with the loose legal privacy requirements of HIPAA, only 10 percent are confident that they are able to protect patient information when used by outsourcers and cloud computing providers. More significantly, only 23 percent of respondents believed they were capable of curtailing physical access to data storage devices and severs.

The study lists 20 commonly used technology methodologies encouraged by HITECH and deployed by these institutions, including firewalls, intrusion prevention systems, monitoring systems, and encryption. The confidence these institutions feel in these technologies are also listed. Firewalls are the top choice for both data breach prevention and compliance with HIPAA. Also popular for accomplishing both are access governance systems and privileged user management. Respondents favor anti-virus and anti-malware for data breach prevention and for compliance with HIPAA they favor encryption for data at rest.

The Value of Encryption

The study points to the value of encryption technologies - for both compliance purposes and for the prevention of unintended disclosure - and this value is perceived as particularly high by those who participated in the study: 72 percent see it as a necessary technology for compliance, even though only 60 percent are currently deploying it for data breach prevention. These identified needs for encryption falls just behind the use of firewalls (78 percent), and the requirements of access governance (73 percent).

Encryption for data-at-rest is one of the key technologies that HITECH specifically identifies: An encrypted file can not be accidentally examined without the appropriate credentials. In addition, some encryption packages, such as Linoma's Crypto Complete, monitor and record when and by whom data has been examined. These safeguards permit IT security to audit the use of data to ensure that - should a intrusion breach occur - the scope and seriousness of the breach can be assessed quickly and confidently.

So how important is a patient's privacy? We believe it's vitally important. And this report from the Ponemon Institute should make good reading to help your organization come to terms with the growing epidemic of security breaches.

Read how Bristol Hospital utilizes GoAnywhere Director to secure sensitive data.