HIPAA Data Breach: You’re Still More Likely To Lose Data Than Get Hacked.

The site hitconsultant.net reports that HIPAA covered entities are still more likely to experience a data breach by losing data than by being hacked online – which is why a managed HIPAA encryption solution like AlertBoot is so important in a medical environment. The site’s conclusions are supported not only by an analysis of the HHS’s “Wall of Shame,” where data breaches involving more than 500 people’s personal information are listed, but also by a report released by the California Attorney General’s Office.

Some Stats

Based on the analysis, the Wall of Shame shows that 68% of all HIPAA data breaches since 2010 are due to the theft or loss of a device (be it a laptop, external hard drive, USB thumb drive, backup tapes, etc.). Data from the AG’s office shows similar figures despite covering a shorter period (70% of data breaches attributed to missing devices since 2012). So, despite the recent prominence of online hacks in the media, it appears that more attention should be given to what’s happening at the local, physical level.

If there’s a criticism to be levied at the above, it’s that the category with the most data breaches is not necessarily the category that affected the most people. But that’s covered as well. The article notes that:

4% of breaches accounted for 80% of total records compromised. Of these 100k record and above mega-breaches, an above-average 78% of compromised records were the result of loss or theft.

A couple of things are notable about the above. The 80/20 rule (aka the Pareto principle or power law, although the specifics differ when you get into the nitty-gritty) is broken here, possibly pointing towards something quite unusual going on. For example, it may mean that because online hacks generally involve millions of records, they bias the overall figures. In turn, this could mean that online hacks should not be bunched together with other types of data breaches, because online data breaches involve figures in the hundreds of thousands, at least, whereas everything else tends to involve much lower numbers (e.g., 500, the HIPAA reporting threshold).

What I find more surprising is that the loss and theft of devices account for nearly 80% of breaches involving 100,000 records or more. Why would anyone be carrying such large amounts of data on a computer that is not protected with encryption software? Many would say that the risk is not there, or that they cannot justify it financially.

A Simple Risk Analysis

From a simple risk analysis point of view, assuming that each person’s data point is worth a measly 10 cents, the loss of a database with 100,000 personal records would be like losing $10,000.

Of course, the 10-cent figure is from the perspective of the attacker (since that’s roughly how much a record fetches in online black markets; the world is saturated with such data). To the defender, the covered entity that has to clean up after a data breach, the per capita cost is actually in the hundreds of dollars. That means an unencrypted computer is a silicon satchel potentially worth $10,000,000 or more if something untoward were to occur: disruption to business operations; the cost of notifying clients; setting up call centers to answer follow-up questions; hiring forensic experts; dealing with regulators; loss of brand reputation and goodwill; defending against lawsuits; etc. There are a lot of intangible costs, as you can see.

A Little More Complicated Risk Analysis

Of course, the probability of any individual computer being lost or stolen is relatively low. But the point is that it takes just one laptop loss or theft to trigger a data breach. So, it’s not so much about the individual risk as it is about the company’s risk.

If the odds of something happening to any one laptop in a given year are 1%, and you have 100 people in a company who have laptops with sensitive data, then the odds of a data breach in any given year are:

1 – (the odds of no one losing their laptops)

In order to trigger a data breach in a given year, you could have one laptop loss, or two, or three, or four, etc., all the way up to a theoretical 100 losses. The only way you can avoid a data breach is if none of the 100 employees have their laptops nicked.

So, the calculation becomes easier if the “1% probability of losing a laptop” is restated as a “99% probability of not losing a laptop.” Since the losses of individual laptops can be treated as independent events:

1 – (0.99)^100 = your odds of having a data breach in a given year = 0.634 (or 63%)

Now, it could be that the initial assumption of 1% is too high. But even if the per-laptop probability is 0.1%, the resulting probability of a breach is 9%, still pretty high (you’ll see what I mean in the next calculation). Make it 0.01% and it finally sinks to 1%.

Now, a 1% probability of a data breach in a given year across 100 employees doesn’t sound too bad (again, assuming the probability of losing any individual laptop is 0.01%, or 1 in 10,000), but you have to incorporate the cost of a data breach. In my earlier calculation, I put that amount at $10 million.

$10,000,000 x 1% = $100,000

So, a company would still be facing an expected loss of $100,000 in any given year because of a data breach. It’s definitely cheaper to encrypt 100 laptops, especially when you consider that the actual loss, when it hits, will not be the statistical $100,000 but the full $10,000,000 – enough to sink most commercial concerns.
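The risk calculation above, generalized to any per-device loss probability, fleet size and breach cost, as an added example that is not part of the original post. The helper that derives a break-even per-laptop encryption budget is my own extension, and it assumes (as the post does) that an encrypted device going missing costs nothing to remediate; the per-device probabilities and the $10M breach cost are the post’s own figures.

```python
"""Annualized loss model for a fleet of laptops holding sensitive data.

Model (as described in the post): each device is lost or stolen independently
with probability p_device per year; a single loss of an unencrypted device
constitutes a reportable breach costing breach_cost.
"""


def breach_probability(p_device: float, n_devices: int) -> float:
    """Probability that at least one of n independent devices is lost in a year:
    1 - (1 - p)^n, i.e. one minus the chance that nobody loses a laptop."""
    if not 0.0 <= p_device <= 1.0 or n_devices < 0:
        raise ValueError("p_device must be in [0, 1] and n_devices >= 0")
    return 1.0 - (1.0 - p_device) ** n_devices


def expected_device_losses(p_device: float, n_devices: int) -> float:
    """Expected number of lost devices per year (p * n). Note this can be 1.0
    while the chance of *at least one* loss is only ~63%."""
    return p_device * n_devices


def expected_annual_loss(p_device: float, n_devices: int, breach_cost: float) -> float:
    """Annualized loss expectancy: P(breach) * cost of one breach."""
    return breach_probability(p_device, n_devices) * breach_cost


def breakeven_per_device(p_device: float, n_devices: int, breach_cost: float) -> float:
    """Annual encryption spend per device at which the spend equals the expected
    loss (assumption: an encrypted device going missing is not a breach)."""
    if n_devices == 0:
        return 0.0
    return expected_annual_loss(p_device, n_devices, breach_cost) / n_devices


def scenario_table(n_devices: int, breach_cost: float,
                   probabilities=(0.01, 0.001, 0.0001)) -> list:
    """Rows of (p_device, P(breach), expected annual loss) for the post's scenarios."""
    return [(p, breach_probability(p, n_devices),
             expected_annual_loss(p, n_devices, breach_cost)) for p in probabilities]


if __name__ == "__main__":
    for p, p_breach, ale in scenario_table(100, 10_000_000):
        print(f"p={p:.4%}  P(breach)={p_breach:.1%}  expected loss=${ale:,.0f}  "
              f"break-even/laptop=${breakeven_per_device(p, 100, 10_000_000):,.0f}")
```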
