Incidents of lost and stolen assets are among the most common causes of data loss or exposure, according to the data breach incidents analyzed in Verizon’s 2014 Data Breach Investigations Report. This recent study collected data on over 63,000 confirmed security incidents, compiled from 50 contributing organizations across 93 countries. While the incidents are not limited to the healthcare industry, we are comfortable generalizing the findings, because the incident patterns identified point to common practices by employees and criminals that most standard risk remediation practices can address.
Here are the key findings on data loss or exposure, as a result of lost or stolen assets:
- Every type and size of organization reported incidents of theft and/or loss.
- The most common asset reported with this pattern is laptop computers, followed by computers, documents and flash drives.
- Loss occurs more frequently than theft. This suggests that the vast majority of incidents in this pattern were not due to malicious or intentional actions. (Or does it suggest that employees will report items as “lost” when they have, in reality, been stolen as a result of employee carelessness?)
- The highest proportion of thefts occur in the victim’s work area, meaning his or her office or desk area. One might assume public places like coffee shops, public transportation or restaurants would see higher rates of theft, but apparently even those on the inside are not always trustworthy.
- Thefts in internal high security areas rank higher than those occurring in public places. Again, even those allowed in high security areas can be “up to no good.”
- Personal residences and personal/partner/public cars serve as the venue for nearly 40% of thefts.
Verizon’s key recommendations can help employers and employees in healthcare organizations prevent data breaches, as the required reporting standards in this industry make data breaches more costly, time-consuming and potentially reputation-damaging (in addition to being in violation of HIPAA regulations):
- Encryption is key. This is something Eagle has been preaching for a while and a point the HHS makes frequently when addressing organizations on the privacy and security of ePHI. Verizon also mentions the importance of periodic tests of your organization’s encryption practices, as this can be a key point in determining whether or not a breach has occurred.
- Employers need to encourage employees to keep sensitive devices in their possession (meaning not out of sight) at all times, both when “on the go” with the devices and when a mobile or other device is used or stored in an employee’s workstation.
- Regular (preferably automatic) backups save time, help you recover from loss faster and assist in determining what data was on the device, so that you can decide whether disclosure is necessary.
- Keep highly sensitive or valuable assets in a separate, secure area as thefts here are less likely to occur. Monitor who has access to these locations and research suspicious or excessive use of this access.
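The findings above (loss versus theft, where thefts happen) and the recommendations on encryption testing and backups all feed the same question after a device goes missing: do we have to treat this as a breach, and what was on the device? The following is an added example, not code from Verizon’s report or from Eagle, showing what that triage logic looks like when an asset inventory records each device’s encryption status, the date that status was last actually verified, and its last backup. The device records, loss reports, the 90-day verification window and the verdict labels are all constructed assumptions for illustration; the decision rule is a simplified policy, not legal guidance on HIPAA breach determination.

```python
"""Triage lost/stolen device reports against an asset inventory.

Hypothetical example: every device record, report and threshold below is
constructed for illustration, not taken from the Verizon report.
"""
from datetime import date, timedelta

# Assumed policy: an encryption status older than this is treated as stale,
# because the recommendation is to test encryption periodically, not once.
MAX_VERIFY_AGE = timedelta(days=90)

# Constructed asset inventory keyed by asset tag.
INVENTORY = {
    "LT-0412": {"type": "laptop", "encrypted": True,
                "enc_verified": date(2014, 5, 20), "last_backup": date(2014, 6, 1)},
    "LT-0977": {"type": "laptop", "encrypted": True,
                "enc_verified": date(2013, 11, 2), "last_backup": None},
    "FD-0031": {"type": "flash drive", "encrypted": False,
                "enc_verified": None, "last_backup": None},
}

# Constructed loss/theft reports as employees might file them.
REPORTS = [
    {"asset": "LT-0412", "event": "lost", "where": "personal car", "date": date(2014, 6, 3)},
    {"asset": "LT-0977", "event": "theft", "where": "work area", "date": date(2014, 6, 4)},
    {"asset": "FD-0031", "event": "lost", "where": "public place", "date": date(2014, 6, 5)},
    {"asset": "DK-0002", "event": "theft", "where": "work area", "date": date(2014, 6, 5)},
]


def triage(report, inventory, as_of):
    """Decide what a single report means for breach determination and data scope."""
    asset = inventory.get(report["asset"])
    if asset is None:
        # A device nobody tracked: neither its contents nor its encryption is known.
        return {"verdict": "untracked-presume-breach",
                "data_scope": "unknown; interview owner and reconstruct contents"}
    if not asset["encrypted"]:
        verdict = "unencrypted-presume-breach"
    elif asset["enc_verified"] is None or as_of - asset["enc_verified"] > MAX_VERIFY_AGE:
        # Encryption was recorded but not tested recently enough to rely on it.
        verdict = "encryption-unverified-investigate"
    else:
        verdict = "encrypted-no-breach-presumed"
    if asset["last_backup"] is not None:
        scope = "enumerate contents from backup of %s" % asset["last_backup"].isoformat()
    else:
        scope = "no backup; contents unknown, interview owner"
    return {"verdict": verdict, "data_scope": scope}


def triage_all(reports, inventory, as_of):
    """Run triage over every report, keyed by asset tag."""
    return {r["asset"]: triage(r, inventory, as_of) for r in reports}


def pattern_summary(reports):
    """Tally event type and location, the two breakdowns the report highlights."""
    summary = {"events": {}, "locations": {}}
    for r in reports:
        summary["events"][r["event"]] = summary["events"].get(r["event"], 0) + 1
        summary["locations"][r["where"]] = summary["locations"].get(r["where"], 0) + 1
    return summary


if __name__ == "__main__":
    results = triage_all(REPORTS, INVENTORY, as_of=date(2014, 6, 6))
    for tag, r in results.items():
        print(tag, r["verdict"], "|", r["data_scope"])
    print(pattern_summary(REPORTS))
```

The point of the stale-verification branch is the one the report makes: an inventory that says “encrypted” is only as good as the last time someone checked, so a device whose status was never re-tested lands in the investigate bucket rather than the safe one. The `pattern_summary` tally is the kind of in-house breakdown (loss versus theft, work area versus public place) that lets an organization compare its own incidents against the industry-wide findings.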
The annual release of the Verizon Data Breach Investigations Report is extremely useful for the risk analysis process. Eagle’s standard computer security risk analysis practice includes a thorough review of your organization’s current security practices and provides estimates of risk based on real-world data, including the findings of this important industry study. Further, our corrective action recommendations in these risk analysis studies will usually include the best practices cited above along with other relevant industry-standard practices. You can learn more about Eagle’s risk analysis for hospitals or medical practices here.