amednews: Small medical practices greatly at risk for data breaches :: Jan. 16, 2012 ... American Medical News

from amednews: Small medical practices greatly at risk for data breaches :: Jan. 16, 2012 ... American Medical News:

Data breach experts are issuing a warning to small practices -- don't be the vulnerable target that data thieves assume you are.

The Top Cyber Security Trends for 2012, as compiled by Kroll's Cyber Security and Information Assurance, reported that small practices are more susceptible to security vulnerabilities because they are "the path of least resistance." Many rely on outdated technology. Basic security protections, such as proper use of encryption, often are overlooked as practices focus on meeting regulatory requirements, such as those related to meaningful use. (See correction)

• Links
• See correction
• See related content

Small practices often lack the technical sophistication to know what tools to put in place to avoid attacks, said Jason Straight, managing director of Kroll's Cyber Security and Information Assurance unit. Or they have the right tools, but the tools are not implemented or monitored correctly, he said. One example is having incorrectly installed data encryption.

Large organizations have become more "hardened," meaning they spend more money to safeguard their data, said Beth Givens, founder and director of the Privacy Rights Clearinghouse, an education and advocacy group that has tracked publicly reported data-breach trends across all industries since 2005. "It only stands to reason [that data thieves] would go after small practices," she said.

Breach experts have long said medical data are among the most valuable because of the depth of the information. To thieves, small organizations are often the easiest source of this data because they lack the sophisticated security measures used by their larger counterparts. Because nearly three-quarters of practices are one- or two-doctor operations, there are simply more of them to target compared with large organizations. The advice given to practices is to take steps to ensure they aren't the victims of a breach.

The costs of a breach

Three of the six most significant data breaches in 2011 occurred at health care organizations, resulting in 11 million patient records being put at risk, according to a year in review report published in December 2011 by the Privacy Rights Clearinghouse.

Givens said medical data are valuable to thieves because of "the triple whammy" -- sensitive medical information, financial data and other identifying data that can be used for identity theft.

3 of the 6 biggest data breaches of 2011 were at health care organizations, putting 11 million patient records at risk.

When a breach occurs, the practices are faced with the cost of notifying all of the affected patients and usually paying for identity theft and credit monitoring for them. The per-patient costs associated with a breach have risen to more than $200 in 2011 for notification and loss of income, according to the Ponemon Institute, a privacy research center based in Traverse City, Mich.

Many breaches also bring to light deficient IT systems that the practice must replace immediately. In addition, the practices could face fines from the Dept. of Health and Human Services.

Although breaches at large medical organizations often get more media attention because of the sheer number of records involved, that shouldn't be an indication that small practice owners are in the clear, experts say.

It's hard to put an exact number on small practice breaches because breaches generally are categorized by industry and not broken down by practice size, Givens said. There's also a good chance many of the breaches in small practices aren't reported because they don't fall under the state or federal reporting requirements. For example, California doesn't require the reporting of paper breaches, and HHS doesn't require the reporting of breaches affecting fewer than 500 people.

A query of the HHS breach database and the Privacy Rights Clearinghouse's database shows dozens of cases involving individual physicians and small medical practices that were victims of cyber attacks in 2011. Cases include the hacking of network servers, office burglaries, inside data thefts, and incidents caused by information technology problems that may have been malicious attacks or errors that resulted in data exposure. Givens said she is sure there are "a lot more breaches than are posted on our website."

[Continue Reading]

CDW: Healthcare sector to lead IT spending | Healthcare IT News

From Healthcare IT News

October 20, 2011 | Molly Merrill, Associate Editor

VERNON HILLS, ILL – In the midst of economic uncertainty, IT decision-makers in the healthcare industry report expected growth in overall IT budgets and hiring, according to the latest CDW IT Monitor.

While the latest wave of the CDW IT Monitor noted numerous fluctuations among sectors and industries surveyed, the comprehensive figures indicate that, on the whole, IT sentiment is holding steady. The Six Month Growth Outlook, which measures long-term anticipated investment, decreased one point from June, to 67, and was unchanged from one year ago.

[See also: Analysts forecast moderate growth for health IT]

“Despite ongoing economic uncertainties, the overall outlook remains relatively stable,” said Neal Campbell, senior vice president and chief marketing officer, CDW. “This shows that while IT decision-makers are evaluating and scrutinizing their investments, they are still spending, especially in areas such as software and security."

In the corporate sector, 22 percent of small business IT decision-makers predict budget increases in the next six months, gaining three percentage points from June. Additionally, small businesses anticipate more near term spending and are expecting to increase software investments by six percentage points and solutions investments by five percentage points over the next six months.

Leading the corporate sector, 66 percent of healthcare IT decision-makers anticipate budget increases in the next six months. Ninety-two percent expect to purchase hardware and software, while 66 percent foresee investments in solutions in the next six months. The healthcare industry also continues to see an uptick in hiring, up 24 percentage points since June.

[See also: Health IT No. 1 on list of top 10 'hot' careers]

Despite eight and 10 percentage point budget declines at the state and federal levels of government respectively, 29 percent of local government IT decision-makers foresee budget increases in the next six months, up seven percentage points from June. Local government is less bullish on long-term hardware and software spending, but expects to increase both one-month and six-month spending levels in IT solutions by four percentage points over June.

While six-month anticipated hardware spending dropped among medium and large-size businesses, 87 percent of medium and 90 percent of large-size businesses are still committed to hardware investments. On the software front, demand over the next six months slipped four percentage points for medium-size businesses to 84 percent, while investments at large-size businesses held steady at 91 percent.

Hardware and software investments over the next six months are expected to increase for state and federal government. According to the latest CDW IT Monitor, hardware investments at the state level will increase one percentage point to 84 percent and five percentage points at the federal level to 90 percent. The six-month outlook for software climbed five percentage points for government organizations at the state and federal levels, reaching 82 percent and 91 percent, respectively.

Investments in IT solutions remain a priority in both corporate and government; however, the weak budget outlooks did impact spending potential in the next six months. In the IT solutions category, security now tops the list of IT decision-makers' priorities. Fifty-nine percent of those IT decision-makers who are spending more on solutions this month will spend on security.