Following the news about theft of NFL former players’ medical records, security experts from VASCO and Balabit commented below.
Michael Magrath, current Chairman, Director of Healthcare Business at VASCO Data Security:
“This is a clear example that healthcare breaches are not isolated to healthcare organizations. They apply to employers, including the National Football League. Teams secure and protect their playbooks and need to apply that philosophy to securing their players’ medical information.
“Laptop thefts are commonplace and one of the most common entries (310 incidents) on the HHS Office for Civil Rights portal listing Breaches Affecting 500 or More Individuals. Encryption is one of the basic requirements for securing a laptop, yet organizations continue to gamble without it, and innocent victims can face a lifetime of identity theft and medical identity theft.
“Assuming the laptop was Windows-based, security can be enhanced by replacing the static Windows password with two-factor authentication in the form of a one-time password. Without the authenticator to generate the one-time password, gaining entry to the laptop will be extremely difficult. By combining encryption and strong authentication to gain entry into the laptop, the players’ and prospects’ protected health information would not be at risk, all because organizations and members wish to avoid a few moments of inconvenience.”
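The two controls Magrath names, full-disk encryption plus a second factor before the machine will unlock, are both things an administrator can verify rather than assume. The script below is an added example and is not code from the article, VASCO or the NFL; it checks a Windows endpoint's BitLocker state with the built-in BitLocker PowerShell module (Windows 8.1 / Server 2012 R2 or later, run from an elevated shell) and flags three conditions: a volume that is not protected at all, an operating-system volume that unlocks on the TPM alone with no pre-boot PIN or startup key (BitLocker's own "something you have plus something you know" mechanism, used here in place of the OTP token the quote describes), and a volume whose recovery password has not been created so it cannot have been escrowed. The list of protector types treated as a pre-boot second factor is an assumption made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: audit BitLocker on one Windows endpoint.
# Assumes the BitLocker module is present and the shell is elevated.
Import-Module BitLocker -ErrorAction Stop

# Key protector types that require a second factor before the OS volume unlocks.
# (Assumption for this example: TPM-only is treated as a single factor.)
$preBootFactors = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

$findings = foreach ($vol in Get-BitLockerVolume) {
    # Collect the protector type names attached to this volume
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $hasPreBoot  = ($types | Where-Object { $preBootFactors -contains $_ }).Count -gt 0
    $hasRecovery = $types -contains 'RecoveryPassword'

    $issue = if ($vol.ProtectionStatus -ne 'On') {
        'NOT PROTECTED: a stolen disk is readable'
    } elseif ($vol.VolumeType -eq 'OperatingSystem' -and -not $hasPreBoot) {
        'TPM-only: no second factor required before boot'
    } elseif (-not $hasRecovery) {
        'No recovery password protector; nothing to escrow to AD/Entra'
    } else {
        'OK'
    }

    [pscustomobject]@{
        Drive         = $vol.MountPoint
        Type          = $vol.VolumeType
        Encrypted     = "$($vol.EncryptionPercentage)%"
        Protection    = $vol.ProtectionStatus
        KeyProtectors = ($types -join ',')
        Finding       = $issue
    }
}

$findings | Format-Table -AutoSize

# Exit non-zero so an endpoint-management tool can flag the machine as non-compliant
if ($findings | Where-Object { $_.Finding -ne 'OK' }) { exit 1 }
```

`manage-bde -status` shows the same information interactively; the script form is what you would push through Intune, SCCM or an RMM so that every laptop that leaves the building has been checked, not just the ones someone remembered to look at.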
Matthew Ravden, Chief Marketing Officer and VP at Balabit:
Cybercrime today is big business, and organizations of all sizes are fighting to keep pace with the frightening sophistication of professional hackers. But while millions of dollars are spent reinforcing defenses and putting in place tools to spot insider breaches and APT attacks, these systems can’t legislate for careless human behavior. Sensitive data such as player medical records should never be stored on a mobile device, unencrypted or not. This isn’t just a violation of HIPAA regulations, it’s a violation of trust.