Small provider organizations and even larger research facilities often have a hard time addressing and maintaining security and lack adequately trained IT staff and a security officer with the level of authority needed to run an effective program, said Kate Borten, president of The Marblehead Group, a consultancy that specializes in healthcare security. Security hasn't advanced much over the last decade, Borten said. "This is all the tip of the iceberg because we still have organizations that don't understand what the security rules are all about," she said. "We still don't know if organizations are even recognizing and reporting breaches."
Other healthcare organizations have agreed to pay millions of dollars in fines for alleged HIPAA violations in 2012.
In September, the Massachusetts Eye and Ear Associates, Inc. agreed to pay a $1.5 million HIPAA fine for the theft of an unencrypted laptop containing data on about 3,600 of its patients and research subjects, including patient prescriptions and clinical information. The Boston-based firm disclosed the breach, following the HITECH breach notification rules, but investigators found that the firm lacked a security program and had failed to adequately implement policies and procedures for the removal of portable devices containing patient data.
Beth Israel Deaconess Medical Center in Boston underwent a similar breach when a laptop was reported stolen in May containing information on 3,900 patients. The hospital is reportedly encrypting more than 1,000 laptops in response to the breach.
In June the Alaska Department of Health and Social Services agreed to pay $1.7 million and said it would implement better security policies and procedures, stemming from the 2009 theft, from a computer technician's vehicle, of a USB hard drive that possibly contained data on 500 individuals.