All the data breach headlines focus on hackers attacking unpatched servers and vulnerable networks as they try to steal valuable information from small and large companies. Large data breaches, like the recent revelations of stolen credit cards and email addresses from Home Depot and similar revelations from the US Postal Service, help solidify this in our minds.
The reality is that a large percentage of data breaches come from the theft or loss of a device with sensitive information on it. This seems to be most prevalent in the Healthcare industry where a stolen medical record could fetch as much as $50 on the open market. According to the California Data Breach Report released in October 2014, 70 percent of compromised health records since 2012 were the result of stolen or lost hardware or digital media containing unencrypted personal information. While stealing credit card information is a big deal, the financial industry has built-in safeguards to limit the liability a customer has for a lost or stolen credit card. Unfortunately, this is not so for our medical records.
Despite the recent headlines of hacker attacks on hospitals, only 23 percent of healthcare data breaches were a result of cybercriminals compromising networks and exfiltrating data. The criminals make the headlines, but they are not the major source of problems. Here are a few other statistics of significance:
– 48% of breaches involved a laptop, desktop, or mobile device
– 4% of breaches accounted for 80% of the total records compromised
This shows that healthcare organizations in particular need to secure protected health information (PHI) on laptops, desktops, mobile devices and removable media. If a PHI record is lost or stolen, consumers may be the victims of fraud, lost insurance coverage, higher premiums and the stress of trying to recover from the theft of their identity and information. If an identity thief changes patient medical information and a physician diagnoses a problem incorrectly, serious medical harm or even death can result.
The best approach to stopping this at the source is to secure the data, not the device. By securing sensitive data as it moves from server to network to endpoint device, the data is not compromised if the device is lost or stolen. If an unauthorized person tries to read the information, they won’t be able to access it without proper credentials. Organizations need to dynamically apply a security policy to the information so that access rights and permissions can be granted and revoked as business needs change. This means you could revoke access to a file immediately if you suspect it is compromised.
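To make the revocation point concrete, here is a small sketch added for illustration (it is not code from any product or from the original post). It assumes a hypothetical `PolicyServer` that holds each file's key and access list, and it uses a SHA-256 counter-mode stand-in where a real deployment would use a vetted AEAD such as AES-GCM; the record, file ID and user name are constructed samples.

```python
import hashlib, hmac, secrets

class PolicyServer:
    """Hypothetical key/policy service: file keys live here, never on the endpoint."""
    def __init__(self):
        self._keys, self._acl = {}, {}  # file_id -> key, file_id -> allowed users
    def register(self, file_id, key, users):
        self._keys[file_id], self._acl[file_id] = key, set(users)
    def revoke(self, file_id, user):
        self._acl[file_id].discard(user)
    def release_key(self, file_id, user):
        # Policy is checked on every open, so a revocation applies to the next attempt.
        if user not in self._acl.get(file_id, ()):
            raise PermissionError(f"{user} may not open {file_id}")
        return self._keys[file_id]

def _keystream(key, nonce, length):
    # Stand-in cipher (standard library only); use a vetted AEAD in practice.
    blocks = (hashlib.sha256(b"enc" + key + nonce + i.to_bytes(8, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def protect(server, file_id, plaintext, users):
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    server.register(file_id, key, users)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + tag + body  # this blob is all that sits on the laptop or USB stick

def open_protected(server, file_id, blob, user):
    key = server.release_key(file_id, user)  # raises PermissionError once revoked
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("protected file was modified")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def lost_laptop_demo():
    server = PolicyServer()
    record = b"constructed sample PHI record: patient 0001, test result"
    blob = protect(server, "chart-0001", record, {"dr_lee"})
    opened = open_protected(server, "chart-0001", blob, "dr_lee")
    server.revoke("chart-0001", "dr_lee")  # device reported lost
    try:
        open_protected(server, "chart-0001", blob, "dr_lee")
    except PermissionError:
        return opened == record, "denied"
    return opened == record, "opened"
```

Revocation works here only because the key is fetched on every open; an endpoint that caches released keys can keep reading the file until that cache expires.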
Preventing a data breach should be a priority for the Healthcare and other industries. Secure the data at the source and then you don’t have to worry about it being lost or stolen. That’s the best type of medicine you can get.