Healthcare Breaches from Loss or Theft of Mobile Devices or Media

The Health and Human Services Breaches Affecting 500 or More Individuals website shows that there were 97 breaches of this type involving 500 or more patients in 2014, and 46 breaches of this type so far in 2015. These breaches often occur when there is a sequence of failures. An example is shown in the graphic below, where the first failure is a lack of effective healthcare worker security awareness training.

The mobile device the worker is using either lacks encryption, or the employee has the password on or near the device, for example on a sticky note on the laptop screen, which shockingly is not uncommon. This is followed by the employee leaving the mobile device vulnerable, whether on the backseat of a car, unsecured on a desk, in a coffee shop, or in another location vulnerable to loss or theft of the device. This leads to loss or theft of the mobile device containing sensitive data in the form of electronic health records, and ultimately can lead to a breach.

[Infographic: healthcare breaches maturity model]

The HIPAA Breach Notification Rule requires notification of HHS, patients, and media for HIPAA Covered Entities and Business Associates operating in the US. The vast majority of US states now also enforce state-level security breach notification laws, which also cover sensitive healthcare information. If the number of records compromised is 500 or more, this can lead to a new entry in the HHS “Wall of Shame”. The Ponemon 2015 Cost of a Data Breach Study reports that the average per patient cost of a data breach was $398, the highest across all industries. Based on the number of patient records compromised, this can easily result in a total average business impact to a healthcare organization of $6.5 million, and an abnormal churn rate of 6 percent. Clearly, this staggering cost means it is imperative for all healthcare organizations and business associates to take a proactive approach to securing themselves.

This has propelled breaches to a top concern across all healthcare organizations, often even a higher priority than regulatory compliance, which is seen as a minimal requirement but not sufficient to adequately reduce risk of breaches.

The above infographic presents a healthcare breaches maturity model. As such, it is focused on healthcare and on breach risks. A holistic approach is required for effective risk mitigation, including administrative, physical and technical safeguards. This maturity model is focused on technical safeguards for healthcare breaches. Gray blocks are applicable to other types of healthcare breaches, but not so much to breaches resulting from loss or theft of a mobile device or media. We will discuss these other types of breaches more in future blogs. Here we focus on the colored capability blocks of the security model, representing safeguards that help mitigate risk of breach from loss or theft of mobile devices or media.

A baseline level of technical safeguards for basic mitigation of healthcare breaches from loss or theft of mobile devices requires:

  • Endpoint Device Encryption to protect the confidentiality of sensitive data
  • Mobile Device Management, to provide a secure managed container for healthcare apps and sensitive data
  • At least single factor “what you know” / username and password access control, which is usually provided at both the OS and enterprise application levels

An enhanced level of technical safeguards for further improved mitigation of risk of this type of healthcare breach requires the addition of:

  • Anti-Theft enables the ability to remotely locate, lock or wipe your device in the event of loss or theft
  • Client SSD (Solid State Drive) with Encryption automatically encrypts all files stored on the client device to protect their confidentiality
  • MFA (Multi-Factor Authentication) with Timeout strengthens the authentication or login with the device, and automatically times out and locks the device after some period of inactivity
  • Secure Remote Administration enables system administrators to remotely access the device to diagnose and remediate issues and can be used to keep the device secure and healthy for effective security
  • Policy Based File Encryption can automatically encrypt files on a mobile device based on their type and contents, as well as the policy of the healthcare organization, in order to protect confidentiality
  • Server DB (Database) Backup Encryption encrypts files on the server, including databases and backups. Although loss or theft of servers and backups is rarer than loss or theft of a mobile device, when it does occur it can be much more impactful to the business because more data and patient records are stored on the server

An advanced level of security for further mitigation of risk of this type of breach adds:

  • MFA with Walk-Away Lock further reduces the possibility of a hijacked session by detecting when the authenticated user has left the device and automatically locking the device
  • Server SSD with Encryption automatically encrypts files stored on the server to protect their confidentiality in the event of loss or theft of the server
  • Digital Forensics enables the healthcare organization to rapidly determine if a lost or stolen device was accessed and, if so, what specific sensitive data was accessed. This can be important in determining if a breach actually occurred, and if so, the specific patients involved. The business impact of the breach is proportional to the number of patient records compromised, so this can be an important strategy to avoid or minimize business impact from a breach.

The reality is most healthcare organizations don’t lack ideas for what security they could add. However, budget and resources are always finite. Security is also complex. The maturity model above presents a way to address the top concern of breaches from loss or theft of mobile devices or media in three increments. Using this method, an organization may choose to implement the baseline level of security in year one, add enhanced security in year two, and complete the security by adding advanced security in year three.

What questions do you have?