Healthcare organizations need to “serve as their own watchdog” to increase security and decrease data breaches, a new report from IT security audit firm Redspin concludes. The increase in “bring your own device” policies at various hospitals, in addition to the continued implementation of electronic health record systems, are too much for government alone to regulate, the report’s authors say. The report digs into the latest major data breach figures–those breaches impacting 500 or more individuals–released by the U.S. Department of Health & Human Services’ Office for Civil Rights. With the addition last week of the 2011 Sutter Health breach, which impacted 4.2 million patients, the number of major healthcare information breaches now sits at 385 since 2009.

“The Federal government is unlikely to mandate that all portable devices that store [electronic personal health information] be encrypted, but it’s an obvious and sensible policy for a healthcare organization to adopt,” the authors say. “Taking it further, why not require that all mobile devices in the healthcare workplace be encrypted, even if ePHI is not allowed on them?” According to the report, nearly 40 percent of all major PHI breaches occurred on a laptop or other portable media device, a problem the authors say isn’t likely to go away anytime soon. “Portability is here to stay,” the write. “The BYOD revolution is well underway, yet 50 percent of respondents in a recent healthcare IT poll say nothing is being done to protect data on those devices.”


Have you received a breach notification letter from your health care provider?  If you have, then you may already be a victim of identity theft.  What should you do after you receive a breach notice?  For more information contact data security attorney Micah Adkins 24/7 for a free consultation.