How a stolen laptop can cost healthcare companies $3.9M
Here’s a scenario for you – an employee takes one of your company laptops from the office. They put it in the backseat of their car and drive home. They stop at a store to pick up milk or other necessities on the way back to their house. The car’s back window is broken by a thief who reaches in and takes the laptop.
These things happen, right?
It’s not really the employee’s fault – they were simply traveling with some of the company’s property that they were authorized and allowed to carry with them. The company is out $1000 or however much that laptop cost. It’s an unfortunate situation and one that – for a large enterprise – would really be more of a minor inconvenience and cost more than anything else.
But now, what happens to the information that’s on that laptop? What if that information is medical records? What if there are access credentials stored on the device? What if it’s sensitive company intellectual property? What if it’s the PII of customers? What happens then?
In the case of one medical research organization, the Feinstein Institute for Medical Research, a laptop filled with 13,000 PHI records was stolen out of a car. According to the Department of Health and Human Services (HHS), “The ePHI stored in the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information relating to potential participation in a research study.”
The resulting disclosure and HHS Office for Civil Rights (OCR) investigation revealed that the company hadn’t been very proactive about ensuring that only the right people could access patient information. According to an HHS release:
…(HHS) discovered that Feinstein’s security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity. Further, Feinstein lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities. For electronic equipment procured outside of Feinstein’s standard acquisition process, Feinstein failed to implement proper mechanisms for safeguarding ePHI as required by the Security Rule.
The HHS then fined the Feinstein Institute for Medical Research a whopping $3.9M for potential HIPAA violations. That’s a huge cost, and much more than the low dollar value of the laptop that was stolen.
I only bring up the Feinstein Institute scenario to illustrate just how important secure access to information is. Although the news about the HHS fine broke in the past week, the stolen laptop incident occurred in 2012, and the company has undoubtedly made many changes and reevaluated their authentication processes and procedures since then. What’s important is that other organizations – especially those in highly regulated industries with strict privacy legislation and rules – learn from incidents like these.
The cost of a stolen laptop is more than just the cost of a piece of hardware – especially if that laptop has unsecured PII and ePHI. The resulting fines from violations of legislation and regulations could be debilitating for organizations – especially the smaller healthcare organizations that may be struggling with the knowledge and funds to implement strong security in the first place.
The key lies in the bold text in that quote above, “…lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users…”
It’s essential that any ePHI and PII is protected and that only those who need access to it can access it. If it’s stored online in clouds or shared network resources, those need to be secured and access to them needs to be closely guarded. Simultaneously, the authentication process to get access to this data can’t be extremely convoluted or difficult. If it is, users will end up finding ways to circumnavigate the process – even downloading or emailing the data to their own physical drives or desktops – to avoid them.
But it’s not enough to simply ensure that only the right people get access. It’s also important to ensure that the right person is really the person they say they are. For example, if this data is stored in a place that’s accessible via a userID and password, is it really secure? What happens if these credentials are compromised? What if the company falls victim to phishing? Key-loggers? Man-in-the-middle attacks? How can the company ensure that the “right person” is really who they say they are?
This is why it’s essential that any security and authentication solution they implement can do more than just enable access to individuals with the proper credentials. They also need to ensure that the person with the credentials isn’t a malicious actor simply pretending to be them. Luckily, today’s next generation of authentication and security solutions can gauge the authenticity of a user and gauge if a person truly is who they say they are.
Let’s take another look at the stolen laptop situation. Let’s say that the laptop had access to a virtual desktop, which – with proper credentials – allowed a user to access all of your organization’s sensitive files and data. With even the minimal authentication security required to access this virtual desktop, there are ways for malicious actors to crack and gain access.
Let’s now say that a stronger and more secure authentication solution was implemented, but was difficult to use. Maybe the laptop’s user begins to move data and information outside of the protected area via email or other methods – this gives access to these critical files easily to anyone with access to the laptop.
But an authentication solution that provides strong security with user convenience corrects all of these issues, and keeps sensitive information out of the wrong hands – even if the laptop falls into them.
In today’s highly-regulated industries – especially the healthcare market – it’s essential that companies don’t play fast and loose with where they store their data, and who can gain access to it. But strong security isn’t enough. To truly keep information safe, they need to protect that information, make it easy to access for those who have the right to access it, and then make sure they know the difference between who has the right to access it, and who doesn’t.