As medical organizations become better and better at protecting sensitive data – due largely to HIPAA regulations that “strongly encourage” the use of medical data security tools like AlertBoot’s managed disk encryption for laptops – we are beginning to see the rise of “tail-end” data breach vectors, like the one Virginia Commonwealth University Health System (VCUHS) revealed recently.
According to VCUHS, the covered entity experienced a data breach when a well-meaning employee donated used CDs to children’s art projects, a far cry from the ever-popular and uncomfortably regular “laptop was stolen from a vehicle” story.
The Long Tail
One of the best-selling books in the 2000s was “The Long Tail,” a look into how niches will become a force to be reckoned with in the new economy. Despite the splash that it made, it’s actually an old theory of sorts that also goes by the names of Pareto Analysis, the Power Law, and the 80/20 Rule, among others.
The gist of it is that a handful of factors account for approximately 80% of “something” and the rest account for 20%. For example, if a company has a customer service center, chances are that an analysis of its logged data will show that fewer than 5 issues account for 80% of the complaints, whereas the rest of the complaints account for 20%. The smart move is to take care of the 5 issues or so. Once these are taken care of, the numbers are crunched again to show which issues now account for 80% of the complaints, and those are then resolved. Then the process is started again. Of course, for the best-selling book, such recursive methods were not part of the formula.
The long and the short of the above observation is that, when it comes to non-internet based data breaches, we can expect to see more and more instances of PHI breaches involving outliers, such as VCUHS’s. The loss, theft, and misplacement of CDs full of medical information can be “predicted,” in the sense that you know it’s going to happen at some point. An empirical number (admittedly based on past incidents, which don’t necessarily guarantee future occurrences) can be assigned; calculations can be made; risk exposure can be minimized.
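The repeated 80/20 pass described above, applied to a breach-incident log, as an added example that is not part of the original article. The incident labels and counts are constructed for illustration and are not VCUHS or industry statistics; the function names are hypothetical.

```python
from collections import Counter

# Constructed sample log: one entry per breach incident, labelled by vector.
# Counts are illustrative only (assumption), not figures from the article.
INCIDENTS = (
    ["laptop stolen from vehicle"] * 40
    + ["lost USB drive"] * 25
    + ["misdirected mail"] * 15
    + ["backup tape lost in transit"] * 8
    + ["improper paper disposal"] * 6
    + ["donated or discarded CDs"] * 3
    + ["stolen desktop"] * 2
    + ["lost pager"] * 1
)


def pareto_head(counts, threshold_pct=80):
    """Smallest set of top vectors that covers threshold_pct of the incidents."""
    total = sum(counts.values())
    head, covered = [], 0
    for vector, n in counts.most_common():
        # Integer comparison avoids floating-point edge cases at exactly 80%.
        if covered * 100 >= threshold_pct * total:
            break
        head.append(vector)
        covered += n
    return head


def pareto_rounds(incidents, threshold_pct=80):
    """Re-run the analysis, treating each round's head as mitigated."""
    remaining = Counter(incidents)
    rounds = []
    while remaining:
        head = pareto_head(remaining, threshold_pct)
        rounds.append(head)
        for vector in head:
            del remaining[vector]
    return rounds


if __name__ == "__main__":
    for i, head in enumerate(pareto_rounds(INCIDENTS), start=1):
        print(f"round {i}: {head}")
```

In this sample the CD vector is invisible in round one and lands in the head of round two, once the laptop, USB and mail vectors are treated as mitigated.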
But the how and why? That’s trickier to account for. Is that important, though? The answer is “yes” if an organization doesn’t make it a policy to encrypt every single CD. If it selectively protects CDs based on the likelihood of their being involved in a data breach, it will fail to account for those unknown unknowns, like VCUHS’s philanthropy gone wrong.