Dive Brief:
- The FBI has issued a private industry notification (PIN) to the health care industry, warning providers that their security is insufficient to meet the risk of cyberattacks.
- PINs are unclassified, but are usually distributed with a request that recipients keep their contents private.
- The PIN, dated April 8 and obtained by Reuters, notes: "The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely."
Dive Insight:
Across industries, scrutiny of data security is increasing in the wake of the Target breach and the discovery of the Heartbleed bug. Health care data, which is some of the most sensitive information and among the most attractive on the black market (social security numbers that can be used to obtain controlled substances, for example), is notoriously open to attack. Healthcare.gov recently advised all users to change their passwords as a precaution, and HHS recently collected nearly $2 million in combined fines from QCA Health Plan of Arkansas and Humana subsidiary Concentra Health Services to settle potential HIPAA violations resulting from the theft of unencrypted laptops.
"Covered entities and business associates must understand that mobile device security is their obligation," OCR's deputy director of health information privacy Susan McAndrew said in an announcement. "Our message to these organizations is simple: encryption is your best defense against these incidents."