A clinic in Oregon has announced a data breach due to the theft of a laptop computer. Obviously, the use of a cryptographic solution like AlertBoot’s managed disk encryption would have prevented the data breach, as well as providing safe harbor from HIPAA/HITECH’s Breach Notification Rule.
However, the story is complicated by the fact that the laptop belonged to an employee and not the clinic. What to do in situations like these?
Stolen from a Car at a Conference
According to the breach announcement, the laptop computer was stolen from a locked car in Portland. The laptop was secured with a password, but as previously stated, it was not protected with encryption software. It’s also been noted that any personal information was relegated to a spreadsheet that contained patient name, date of birth, name of treating health care provider, and reason for visit. Sensitive information like Social Security numbers were not present.
The employee at the center of this data breach had the wits to contact the clinic within 24 hours of the incident. Disappointingly, he didn’t employ the same to ensure that, were something untoward happen, the data would be kept safe.
It’s 2014. Everybody has heard about ID theft and fraud. I don’t think I’m wrong in believing that everyone personally knows someone who has been affected by ID theft and fraud. So it’s kind of hard to believe why people – especially those who are at a position to attend conferences; it’s not as if one generally sends newbies to such things – act as if nothing could possibly happen to them.
(On the other hand, it’s not unbelievable either. I still meet people who refuse to wear seatbelts while driving. They’re rare but they’re out there).
What Could the Clinic Have Done?
Nothing, really. The clinic doesn’t have any authority over the employee’s laptop. It would have been nice if he (or she) had encrypted it for personal reasons (as I do myself – I have nothing to hide, but if my computer gets stolen, I really don’t want some guy sending prank emails to my contacts…or doing something worse), but he can’t be compelled to do that.
True, the clinic could have done a better job of monitoring data downloads and transfers, but there’s a limit to that as well: at some point, the returns on “better security” diminish and begin to look like “more security” which is not a bad thing – but isn’t necessarily a good thing either. At the end of the day, you’ll need people to do their part in ensuring that the work place is secure from data breaches.
This is where the importance of employee education comes into play. It cannot take care of all potential risks; the same goes for technical approaches. But when all the different ways to prevent a data breach come together, the sum ends up being greater than their individual parts.
Related Articles and Sites: