This year, we witnessed several trends that have major implications when it comes to the security of our most precious resource – our documents. And document leaks are on the rise. The Ponemon Institute recently released a study showing a 32 percent increase in data breaches in the healthcare field. Also, 96 percent of healthcare organizations indicated they had suffered from a data breach in the last two years. The combined cost of such data breaches is estimated to be $6.5 billion annually.
So what are the trends that are causing this increase? This article will review the major trends changing the world and the way people consume information, as well as the effect these trends have on document security.
1. The proliferation of mobile devices
The growth in the use of mobile devices such as smartphones and tablets, led by the recent arrival of the iPad, presents a major risk. A billion tablets are forecast to be sold by the end of 2015. According to the Ponemon Institute, 81 percent of healthcare organizations store sensitive information on mobile devices. These devices may be managed by the organization, or they may be personal devices brought in by employees. According to the survey, 49 percent of respondents say their companies take no steps to secure this data. Even where steps are taken, they are usually incomplete.
Mobile devices are obviously most susceptible to being lost or stolen. Gartner has estimated that 10 million mobile devices containing enterprise information will be lost next year. PCs can be stolen, as well. In fact, in October 2011, a PC stolen from Sutter Health left more than 4 million patients’ records exposed.
Additionally, mobile devices (and typically also PCs) do not have the means to protect against insiders forwarding sensitive documents or moving them to USB drives or DVDs. Employees who leave the company can choose to take such data with them and may use it with a different employer.
If your company employs a mobile device management (MDM) solution, you might think your documents are protected from such leaks, but most MDM solutions offer limited or no functionality when it comes to protecting documents residing on mobile devices. Such solutions may be able to remotely wipe a device, but require the device to be managed by the enterprise in order to do so. Additionally, these solutions do not encrypt documents to prevent their removal from devices.
2. Increased sharing and collaboration
Individuals and businesses share documents across organizational boundaries more than ever before. And it is increasingly easy to do so with massively growing online services such as Dropbox. But with this ease of use comes risk. The security precautions that are available inside the organization break down as soon as a document has left the organization. With regulations such as HIPAA, the consequences can be severe.
While intentional sabotage by insiders is a data leak vector that needs to be taken seriously, the most common cause of data loss is human error, by employees and third parties alike. This accounts for 41 percent of breaches, according to the Ponemon Institute survey. In October 2011, officials at Stanford Hospital confirmed that for almost a year, private medical data for nearly 20,000 patients was exposed because a billing contractor’s marketing agent had erroneously posted an electronic spreadsheet online.
3. Advanced Persistent Threat (APT)
Advanced Persistent Threat, or APT, has been discussed widely in the past year. APT is a term used to describe sophisticated, long-term hacking campaigns against governments and companies, carried out to gain financial profit, to steal intellectual property or to destroy sensitive infrastructure. The recent Stuxnet computer worm, purported to sabotage the Iranian nuclear program, could be considered the product of an APT. The notable hack into RSA is said to have enabled further breaches of 20 of the Fortune 100 companies, including Abbott Labs, Kaiser and many others.
APTs are hard to detect, and since they are deliberate, they are likely to inflict major damage. The last year seems to mark a turning point during which hacking attempts evolved from hobbies to APTs.
So what can be done?
There is no one simple solution to all these emerging issues. Education and training are always an important part of the solution. Below are a few tips:
1. Educate users to lock their mobile devices and PCs with PIN codes and passwords. Encourage the use of strong passwords. The most secure online passwords are at least eight characters long and consist of a random combination of upper and lowercase letters, numbers and special characters. Educate employees to recognize social engineering and phishing scams, so they do not get tricked into giving away these passwords to malicious parties.
2. Deploy technology that protects and controls your company’s information that resides on mobile devices, preventing it from being leaked. Also, allow your organization to destroy documents and information remotely if and when needed.
3. Deploy technology to protect documents being shared with third parties. Keep in mind that sharing documents outside of the organization means internal security measures no longer apply.
4. Make sure your employees’ antivirus software is up-to-date and their systems are patched. Antivirus providers frequently update their software to keep up with new threats, so be sure your software is automatically being updated with these changes as they are made. If you hear about a dangerous new threat, check with your provider for emergency updates.
Moti Rafalin is CEO of WatchDox, a provider of document control, tracking and protection solutions that enable the confidential sharing of important or sensitive documents in an easy and secure way.