A new survey released by Veriphyr shows that over seventy percent of healthcare organizations have experienced at least one data breach over the past 12 months. Darkreading.com notes that insiders accounted for more breaches than cybercriminals, which has always been the case. But, it also turns out that insider attacks were more prevalent than the loss or theft of laptops and other portable storage media. Could this mean the end of disk encryption software like AlertBoot in medical settings?
Employees Peeking on Employees #1 Problem
According to darkreading.com’s summary of the survey’s results, the most common sources of breaches were:
35% – employees peeking on colleagues’ medical records
27% – employees peeking on acquaintances’ records (friends and family)
25% – loss or theft of physical records [Ed. – paper records?]
20% – loss or theft of equipment that contains patient data
Obviously, there must be other sources of breaches, but these are the top four. You’ll also notice that the above four alone add up to 107%, meaning many organizations must have reported more than one source and a significant amount of overlap exists.
Different Results from HHS Public Data
The above runs counter to everything that I’ve read so far about medical data breaches. In analyses using the medical data breaches from the HHS’s wall of shame (where breaches involving 500 or more PHI data sets are made public), the loss of laptops is the number one reason for PHI data breaches. This is generally followed by the loss of other portable digital media devices.
In fact, the loss of laptops, USB drives, CDs, backup tapes, and other digital media accounts for at least 66% of all data breaches reported to date.
On the other hand, this could be easily explained by the fact that the HHS’s publicized data only covers breaches of 500 or more affected records. I mean, it would be quite the chore to snoop on 500 of your friends and relatives. So, while there might be many independent instances of such breaches, the number of people affected per breach is lower — and hence the disparate results when it comes to Veriphyr vs. HHS data.
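The threshold argument above can be made concrete. The script below is an added illustration, not part of the original post and not based on Veriphyr or HHS data: it takes a constructed list of breach incidents (many small snooping cases, a few large device losses) and ranks breach sources twice, once over every incident and once after applying a 500-record reporting cutoff like the one used for the HHS list. The incident list and the category names are assumptions made up for the example.

```python
# Added example (not from the original post): how a reporting threshold such as
# HHS's 500-record cutoff changes which breach source looks like "number one".
from collections import defaultdict

# Constructed sample data: (breach source, number of affected individuals).
# Many small insider-snooping incidents, a handful of large device losses.
SAMPLE_INCIDENTS = [
    ("employee snooping", 1), ("employee snooping", 3), ("employee snooping", 1),
    ("employee snooping", 12), ("employee snooping", 2), ("employee snooping", 1),
    ("employee snooping", 40), ("employee snooping", 1),
    ("paper records lost", 120), ("paper records lost", 800),
    ("laptop lost/stolen", 2400), ("laptop lost/stolen", 650),
    ("USB drive lost", 1100),
]

# Sources that disk/media encryption would have mitigated (assumed labels).
DEVICE_SOURCES = {"laptop lost/stolen", "USB drive lost"}


def summarize(incidents, threshold=0):
    """Count incidents and affected individuals per source, keeping only
    incidents with at least `threshold` affected individuals (0 = keep all)."""
    counts = defaultdict(int)
    affected = defaultdict(int)
    for source, n in incidents:
        if n >= threshold:
            counts[source] += 1
            affected[source] += n
    return dict(counts), dict(affected)


def top_source_by_incidents(incidents, threshold=0):
    """Source with the most reported incidents (the Veriphyr-style view)."""
    counts, _ = summarize(incidents, threshold)
    return max(counts, key=counts.get) if counts else None


def top_source_by_affected(incidents, threshold=0):
    """Source responsible for the most affected individuals (the HHS-style view)."""
    _, affected = summarize(incidents, threshold)
    return max(affected, key=affected.get) if affected else None


def share_of_affected_from_devices(incidents, threshold=0):
    """Fraction of affected individuals attributable to lost or stolen devices."""
    _, affected = summarize(incidents, threshold)
    total = sum(affected.values())
    devices = sum(n for src, n in affected.items() if src in DEVICE_SOURCES)
    return devices / total if total else 0.0


if __name__ == "__main__":
    for threshold in (0, 500):
        counts, affected = summarize(SAMPLE_INCIDENTS, threshold)
        print(f"threshold={threshold}: incidents={counts}")
        print(f"  top by incident count: {top_source_by_incidents(SAMPLE_INCIDENTS, threshold)}")
        print(f"  top by people affected: {top_source_by_affected(SAMPLE_INCIDENTS, threshold)}")
        print(f"  device share of affected: {share_of_affected_from_devices(SAMPLE_INCIDENTS, threshold):.1%}")
```

With no cutoff, snooping wins on incident count; once only incidents of 500 or more records are kept, every snooping case drops out and lost laptops lead on both measures, which is the selection effect the paragraph describes.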
Not the End for Hospital Laptop Encryption
If my reasoning above holds, this is not the end for laptop encryption in medical settings. Not by a long shot, for at least two reasons.
First, while employees’ internal breaches might actually be the #1 form of data breach by number of incidents (we’d need further surveys to establish it as a fact), they are not #1 when it comes to negative outcome. When a breach affects a significant number of people, significant enough to make the news, you can bet that it will involve a portable device of some sort.
Second, in a given population most people are not as concerned about medical employees peeking on other medical employees’ records. Many also don’t care that medical employees are peeking on patients’ medical records: a nurse is a nurse is a nurse, a doctor is a doctor is a doctor. (I won’t argue whether it’s naive to hold such an attitude.)
No, most people’s concerns are for their own records, meaning the loss of one laptop holding 500 patients’ protected health information will have a disproportionately larger effect than one employee looking at 500 colleagues’ records.
As long as laptops and other storage devices are being used in hospitals, laptop and hard disk encryption will be around as well.