Healthcare data encryption is a “particular imperative,” and one that should also be considered for other organizations when it comes to protecting personal data stored on laptops, desktop computers, and mobile devices, according to a recent report from the California Attorney General.
California Attorney General Kamala D. Harris released the California Data Breach Report earlier this week, explaining that with more personal information being stored online, “it is imperative that organizations employ strong privacy practices.”
“Foundational to those privacy practices is information security: if companies collect consumers’ personal data, they have a duty to secure it,” Harris explained in a statement released with the report. “An organization cannot protect people’s privacy without being able to secure their data from unauthorized access.”
According to the report, the California Attorney General has received 657 data breach reports, affecting a total of over 49 million Californians’ records. Moreover, 2015 saw 178 breaches that put over 24 million records at risk. That means approximately three in five Californians were data breach victims last year, the report explained.
“The majority of the reported breaches were the result of cyber attacks by determined data thieves, many of whom took advantage of security weaknesses,” state the report’s authors. “Breaches also resulted from stolen and lost equipment containing unencrypted data, and from both unintentional and intentional actions by insiders (employees and service providers).”
In terms of healthcare data security, the report showed that medical information was included in 19 percent of breaches from 2012 to 2015 affecting 18 million records, and payment card data was in 39 percent of breaches affecting 16 million records.
Furthermore, in that same time frame healthcare was found to be particularly vulnerable to physical breaches, although malware and hacking did start to increase. The report’s authors attributed this increase to the growing use of EMRs. Medical information, such as patient records and Social Security numbers, was also the type of information most exposed in healthcare breaches.
Along with encouraging data encryption options for organizations of all sizes, in particular those in the healthcare industry, the report’s authors also recommended using multi-factor authentication on consumer-facing online accounts that contain sensitive personal information.
The report also highlighted the 20 controls in the Center for Internet Security’s Critical Security Controls. These controls “identify a minimum level of information security that all organizations that collect or maintain personal information should meet,” according to the recommendations.
It was also recommended that organizations encourage individuals affected by a breach of Social Security numbers or driver’s license numbers to place a fraud alert on their credit files. This option should be displayed prominently in the organization’s breach notices as well, the report’s authors explained.
Lastly, state policymakers should collaborate to ensure that state data breach laws align in key areas.
“Such an effort could reduce the compliance burden for companies, while preserving innovation, maintaining consumer protections, and retaining jurisdictional expertise,” the report states.
Encryption was also emphasized in last year’s data breach report, whose authors stated that the majority of healthcare data breaches in particular were preventable.
“An affordable solution is widely available – full disk strong encryption, to the standard set by the National Institute of Standards and Technology,” read the report. “This is a lesson that must be learned by the healthcare industry and applied not only to laptops and portable media as we recommended in last year’s report, but also to computers in offices.”
Desktop computers in particular should also be encrypted when they are shut down at night, according to last year’s report, and then decrypted the following morning, so that the data remains inaccessible even if the device is stolen.
“They owe it to their patients to do it now,” according to the report, adding that this is a measure that can be taken regardless of practice size or how many IT staff members are on-hand.