Last year, large data breaches in hospitals and health organizations led to the release of millions of private records. This is a growing problem, according to two security experts who spoke in an online presentation on Feb. 19. Speakers Mac McMillan, CEO of CynergisTek Inc., and Eran Farajun, executive vice president of Asigra, presented the current climate of IT security in health care and outlined upcoming legislative changes that organizations should be ready for.

According to McMillan, as health-care organizations transition toward electronic health records and the increased prevalence of bring-your-own-device (BYOD) policies, there are a lot of risks for IT managers to consider. The South Carolina Department of Health had records on more than 228,000 people compromised after an employee stole and emailed the data to a private email account. The Utah Department of Health was infiltrated from abroad when a hacker stole information on about 780,000 Medicaid patients and recipients of the Children's Health Insurance Plan. The hacker was reportedly able to access the information by guessing a weak password. These two high-profile cases are by no means exceptions, according to the presenters.

“We know that we're still averaging somewhere around 15 major breaches a month,” McMillan said, adding that the question is not if, but when an organization will be affected. “... the more due diligence we apply in our data protection activities the less risk we have of those things happening.”

IT leaders need to take a fresh look at how data is managed within an organization, McMillan explained, pointing to the risks inherent in storing data on mobile devices. “The question should really be asked, ‘Should the data be on there in the first place?’ In other words, does the data need to live on a device or does the data just need to be presented on the device ...,” McMillan asked.

To help cut down on data breaches in health care, the U.S. Department of Health and Human Services (HHS) published updates in January to the Health Insurance Portability and Accountability Act (HIPAA) that dramatically shift the approach health organizations need to take with IT security. The changes, which take effect on March 26 and will be enforced starting Sept. 23, usher in new requirements for how health organizations handle data breaches. The new rules also change who is allowed access to different types of data, and redefine the term “data breach.” Things like more thorough documentation requirements are aimed at holding organizations to a higher standard of responsibility for the data they steward.

Currently an organization has no burden of proof following a data breach to show that data was or was not compromised, McMillan said, but this is about to change. “The final rule takes a 180[-degree] approach in that it makes the assumption there was a breach until the organization proves there was no compromise,” he said.

Transitioning to this new climate in a few short months will not be easy, McMillan said, especially with the limited resources available to health-care organizations. “This is something that the industry is really going to have to address from a leadership perspective as far as making a commitment to doing this correctly and providing their staffs and organizations with the things that they need to be successful,” he said.

Farajun suggested that health-care leaders should not be daunted by what can appear to be a huge task, and should seek help in meeting these new requirements. “There are solutions and methods and tactics to achieve the outcomes that they need to be doing,” Farajun said. “They don't really have a choice anymore.”

Colin Wood | Staff Writer

Colin has been writing for Government Technology since 2010. He lives in Seattle with his wife and their dog. He can be reached at cwood@govtech.com