Your Doctor May Cause A Data Breach

Today's headlines point to hackers and other criminals as the major causes of data breaches, but in fact much of the trouble starts with trusted employees. And one of the most trusted people in your life is your doctor.

Recent reports by Manhattan Research have found that 81% of physicians use a smartphone, up from 72% in 2010. 30% of doctors use iPads to access electronic health records and communicate with patients. Unfortunately, according to research by the Ponemon Institute, data breaches have risen 32%, with 96% of all health care organizations surveyed experiencing at least one data breach in the past two years.

The report did not specify the percentage of breaches from mobile devices, but it stated, “Widespread use of mobile devices is putting patient data at risk.”  Larry Ponemon, commenting on his first study of patient privacy and data security, said, “This year it seems the issue of mobile devices has ratcheted up, because the adoption rate of smartphones that are really smart, or tablet computers, seems to have increased significantly.”

Mobile devices create security risks in two ways: data can reside on the device itself, and someone holding the device can use it to access medical records at health care organizations. Any document or piece of data that contains personally identifiable information (PII) is at risk. Plus, it's easier to lose a smartphone than a laptop.

In its most recent US Cost of a Data Breach report, the Ponemon Institute reported that the financial impact of losing sensitive data continues to rise. The cost per compromised record is now at $214 (up from $204 in 2009). The total price tag for each data breach event now averages around $7.2 million.

The Ponemon survey found 49% of health care organizations do nothing to protect mobile devices.  Here are a few more statistics from the study.

Measure                                             Percent of organizations
Don't do anything to protect mobile devices         49%
Have policies governing proper use of mobile devices 46%
Anti-virus products installed                       25%
Encryption solutions installed                      23%
Password or keypad locks                            21%
Other                                               12%

So what should physicians and health care organizations do?  The best way to secure sensitive information is by encrypting it with a persistent security policy.  Encryption offers a safe harbor under the Health Insurance Portability and Accountability Act (HIPAA) for organizations that have lost a device.  If the information is encrypted, there are no data breach reporting obligations, since no PII has actually been released.

By encrypting sensitive documents with a persistent security policy, health care organizations control who can access them, what they can do and for how long.  If you suspect that sensitive documents leaked from your organization, you can immediately revoke access to them. That effectively kills them and makes them useless.

If a sensitive document accidentally gets into the wrong hands, the information in it is worthless: it looks like random characters unless the person reading it has the appropriate access rights. That matters because a document attached to the wrong email message or uploaded to a cloud-based file sharing service could end up anywhere.
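As an added illustration, not code from the original post or from any vendor's product, here is a small Go program showing the mechanism the preceding three paragraphs describe. Each document is encrypted under its own AES-256-GCM key, the key never leaves a policy server, and a viewer gets the key only after the server checks who is asking and whether the policy is still valid. Revoking a document deletes its key, so every copy of the ciphertext, on a lost tablet or in a stray email, is just random bytes from then on. The Policy and Envelope structures, the in-memory PolicyServer and the user names are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Policy is the persistent rule attached to a document (hypothetical structure).
type Policy struct {
	AllowedUsers map[string]bool
	Expires      time.Time
}

// Envelope is what sits on the device: ciphertext plus the ID of a server-held key.
type Envelope struct {
	DocID      string
	Nonce      []byte
	Ciphertext []byte
}

// PolicyServer keeps keys and policies; the device never holds a key.
type PolicyServer struct {
	keys     map[string][]byte
	policies map[string]Policy
}

func NewPolicyServer() *PolicyServer {
	return &PolicyServer{keys: map[string][]byte{}, policies: map[string]Policy{}}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect encrypts a document under a fresh AES-256-GCM key, registers key and
// policy with the server, and returns the envelope that goes onto the device.
func (s *PolicyServer) Protect(docID string, plaintext []byte, p Policy) (Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Envelope{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	// The document ID is authenticated data, so an envelope cannot be relabelled.
	ct := gcm.Seal(nil, nonce, plaintext, []byte(docID))
	s.keys[docID] = key
	s.policies[docID] = p
	return Envelope{DocID: docID, Nonce: nonce, Ciphertext: ct}, nil
}

// Revoke deletes the key: every copy of the envelope becomes unreadable at once.
func (s *PolicyServer) Revoke(docID string) {
	delete(s.keys, docID)
	delete(s.policies, docID)
}

// Open is the check a viewer performs before showing anything: is the document
// still live, is this user allowed, has the policy expired? Only then decrypt.
func (s *PolicyServer) Open(env Envelope, user string, now time.Time) ([]byte, error) {
	key, ok := s.keys[env.DocID]
	if !ok {
		return nil, errors.New("document revoked or unknown")
	}
	p := s.policies[env.DocID]
	if !p.AllowedUsers[user] {
		return nil, errors.New("user not permitted by policy")
	}
	if now.After(p.Expires) {
		return nil, errors.New("policy expired")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.DocID))
}

func main() {
	s := NewPolicyServer()
	// Constructed sample record, not real patient data.
	policy := Policy{AllowedUsers: map[string]bool{"dr.smith": true}, Expires: time.Now().Add(24 * time.Hour)}
	env, err := s.Protect("doc-1", []byte("Patient: J. Doe, MRN 000000, Dx: example"), policy)
	if err != nil {
		panic(err)
	}
	pt, _ := s.Open(env, "dr.smith", time.Now())
	fmt.Println("authorised physician reads:", string(pt))
	_, err = s.Open(env, "finder", time.Now())
	fmt.Println("stranger who found the tablet:", err)
	s.Revoke("doc-1") // the device is reported lost
	_, err = s.Open(env, "dr.smith", time.Now())
	fmt.Println("after revocation, even the owner:", err)
}
```

The design choice worth noting is that the policy is enforced at the key server, not on the device: a lost tablet holds only envelopes, and the "revoke" the post describes is simply a key deletion that the attacker cannot undo. In a real deployment the server would sit behind authenticated transport and log every key release, which also gives the organization the audit trail HIPAA investigations ask for.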

If a physician loses a mobile device, you can revoke all the sensitive documents and wipe the data immediately so nothing gets into the wrong hands. All major mobile platforms offer remote wipe, and it should be enabled on every device that touches patient data.

Using mobile devices makes a health care professional's life easier, whether it's attending to a patient in a hospital room or calling up information during a consultation. Tablets and smartphones make data access fast and convenient. Make sure you lock down the information so only the doctor can access it.


Photo credit Peanuts Wiki