News Feature | September 12, 2016

Whitepaper Stresses Breach Cost Of Lost Or Stolen Healthcare Devices

By Megan Williams, contributing writer

90% Use Mobile Devices For Work, 20% Receive Security Training For Them

DDS leader Absolute releases whitepaper on the cost of healthcare data breach settlements involving lost or stolen devices.

While most of the media attention around data breaches focuses on the external threat of hackers, it is well known within the industry that vulnerability comes in many forms. One threat not receiving as much attention is the loss and theft of devices. A whitepaper from Absolute (via HealthData Management) outlines the costs, the regulatory landscape, and how to leverage technology to address issues of lost and stolen healthcare devices.

The Whitepaper

The value and vulnerability of healthcare data continue to increase. While financial data used to be most highly valued by cybercriminals, healthcare data, with a single record selling for $20 to $500 on the black market, is becoming an increasingly attractive target.

As the regulatory landscape continues to evolve to keep up with threats, healthcare leaders will find it necessary to focus on incidents caused by lost or stolen endpoints (almost 40 percent of healthcare security incidents are device-related). This is especially true as HHS lists all HIPAA breaches that impact over 500 individuals (note: HHS has recently turned its focus to smaller breaches that impact fewer than 500 individuals).

Perhaps one of the most interesting and destructive data breach cases in the past few years occurred in Minnesota and involved a Chicago-based revenue management services company. An employee of the organization left an unencrypted laptop in a rental car. The laptop, which contained the information of 23,500 patients, was stolen and never recovered. The breached data included patient names, dates of birth, and SSNs, as well as diagnostic and billing information. The settlement involved the Minnesota attorney general and resulted in serious financial damages to multiple parties:

  • settlement: $2.5 million
  • annual business loss: $23 million to $25 million
  • class action settlement: $14 million
  • cost per record: $2,000 to $6,000

Similar breaches in Texas and Arkansas have resulted in OCR settlements of $1.7 million and $250,000, respectively.

The Importance Of Prevention

The whitepaper stresses that these breaches were very likely preventable if the organizations involved had taken precautions with proper security policies. Had these precautions been in place, the employees could have reported the missing devices and the organizations would have had options including:

  • tracking the devices using geolocation
  • retrieving data from the device
  • remotely deleting the data
  • freezing the device
  • running reports to prove compliance

Had the organizations in question been able to take even a few of these actions, they likely would not have faced the penalties they did.

Downloading and sharing this whitepaper will be particularly useful for MSPs looking to relate the risk that organizations are taking when they put off the establishment of robust security policies. While your clients are aware of regulations and threats, stories can frequently be more useful in selling a client on solutions.