Data breaches caused by stolen devices are common and can deliver a huge financial blow to an organization.
Stolen devices such as a laptop or a USB thumb drive rarely come up when most people think of data breaches, but breaches caused by stolen devices are a very real threat organizations face. Verizon’s 2015 Data Breach Investigations Report (DBIR) revealed that this type of data breach is common for healthcare organizations, making up almost half (45%) of healthcare data breaches.
Not only are these data breaches common, but they can deal a huge financial blow to an organization. One example of this is the Cancer Care Group data breach. In mid-2012, a thief stole a laptop that contained personally identifiable information (PII) such as names, addresses, dates of birth, Social Security numbers, and insurance information for 55,000 current and former patients. The breach cost the Cancer Care Group $750,000 in a HIPAA settlement.
Recently, Premier Healthcare suffered a similar data breach when one of their laptops containing 200,000 patients’ PII went missing. Fortunately for Premier Healthcare, the laptop was returned and investigators stated that as far as they could tell the PII in the laptop had not been accessed.
Unlike other aspects of data security, e.g., the challenges of securing IoT devices, mitigating data breaches caused by stolen or lost devices is more attainable, if the proper measures are taken. Below are three steps healthcare organizations can use to get started.
In both of these examples, the laptops containing PII were not encrypted. Although encryption cannot stop a thief from physically stealing a device, encryption can safeguard the sensitive information contained within by making it unreadable to a thief.
Encryption will vary from device to device. Some organizations may choose to encrypt a hard drive, which users can only access using two-factor authentication (two-factor authentication adds another layer of security, usually in addition to a password). Others may choose to encrypt a portion of a drive where sensitive files, etc., are to be stored; again, users would need the proper credentials (and other authentication factors) to decrypt the files stored there. Regardless of the method, encryption can help organizations avoid the cost of hundreds to thousands of dollars in fines.
Premier Healthcare learned from their experience, and following the theft they announced that they would begin encrypting all of their laptops.
Create a Device Policy
Healthcare and other organizations should have a comprehensive device and media policy in place. The policy should outline the proper use of devices and how employees should store and secure them. If a policy is already in place, organizations should review it and make sure it is sufficient in deterring theft.
The policy should also address mobile device management, including how the organization keeps track of and monitors devices. Should employees be allowed to take devices home? If so, what safeguards are in place to protect the device and sensitive information? More questions to consider for a strong policy can be found here.
Lastly, establishing a policy is important, but if the employees are not trained to know and understand the policies surrounding security, thefts will continue to occur. Verizon’s DBIR stated that most thefts are opportunistic rather than planned heists. The Cancer Care Group breach is a perfect example of an opportunistic theft: the thief did not steal the laptop from the employee’s desk, but directly from the employee’s car.
Educate employees on how to properly safeguard workstations. The Lahey Hospital breach occurred because an employee failed to lock a treatment room where a thief found a laptop with PII for 599 patients. Simply forgetting to lock a door cost Lahey $850,000.
Encryption and two-factor authentication could have saved these companies from a lot of heartache and added expenditures. Encryption combined with a strong mobile device policy and better-educated employees could have prevented the Cancer Care Group breach or the Lahey Hospital breach. These simple steps may not mitigate every data breach that comes along, but they will provide a solid foundation in security for any company to work up from.