Over the past couple of days, I took the time to look over Verizon’s 2015 Protected Health Information Data Breach Report. (You can get it here, though you’ll have to register.)
While it contained many interesting data points and observation — including that 90% percent of the industries researchers studied had seen a personal health information breach this year — the stat that stood out for me was the following. Apparently, almost half (45.5%) of PHI breaches were due to the lost or theft of assets. Meanwhile, issue of privileges and miscellaneous errors came in at distant second and third, at just over 20% of breaches each.
In case you’re the type who likes all the boxes checked, the rest of the PHI breach-causing list, dubbed the “Nefarious Nine,” include “everything else” at 6.7%, point of sale (3.8%), web applications (1.9%), crimeware, (1.4%), cyber-espionage (0.3%), payment card skimmers (0.1%) and denial of service at a big fat zero percent.
According to the report’s authors, lost and stolen assets have been among the most common vectors for PHI exposure for several years. This is particularly troubling given that one of the common categories of breach — theft of a laptop — involves data which was not encrypted.
If stolen or lost assets continue to be a problem year after year, why haven’t companies done more to address this problem?
In the case of firms outside of the healthcare business, it’s less of a surprise, as there are fewer regulations mandating that they protect PHI. While they may have, say, employee worker’s compensation data on a laptop, that isn’t the core of what they do, so their security strategy probably doesn’t focus on safeguarding such data.
But when it comes to healthcare organizations — especially providers — the lack of data encryption is far more puzzling.
As the report’s authors point out, it’s true that encrypting data can be risky in some situations; after all, no one wants to be fumbling with passwords, codes or biometrics if a patient’s health is at risk.
That being said, my best guess is that if a patient is in serious trouble, clinicians will be attending to patients within a hospital. And in that setting, they’re likely to use a connected hospital computer, not a pesky, easily-stealable laptop, tablet or phone. And even if life-saving data is stored on a portable device, why not encrypt at least some of it?
If HIPAA fears and good old common sense aren’t good enough reasons to encrypt that portable PHI, what about the cost of breaches? According to one estimate, data breaches cost the healthcare industry $6 billion per year, and breaches cost the average healthcare organization $3.5 million per year.
Then there’s the hard-to-measure cost to a healthcare organization’s brand. Patients are becoming increasingly aware that their data might be vulnerable, and a publicly-announced breach might give them a good reason to seek care elsewhere.
Bottom line, it would be nice to see out industry take a disciplined approach to securing easily-stolen portable PHI. After years of being reminded that this is a serious issue, it’s about time to institute a crackdown.