Device loss, not hacking, poses greatest risk to health care data

California DOJ report on data breaches shows most losses in health care revolve around stolen devices, due to weak use of encryption

healthcare cio

If you're dealing with the security of a health care provider, hacking isn't your biggest worry, but rather the loss of devices storing your data. Lack of encryption on those devices (desktop PCs, laptops, and tablets) plus the value of stolen health care data combine to make them into tempting targets.

The October 2014 California Data Breach Report, compiled by the California Department of Justice, analyzed data breaches across multiple industry sectors in California for the year 2013. Of all the industries profiled, two stood out with the greatest share of losses for a given type of breach. One was retail, where 88 percent of the losses came by way of malware or hacking, as opposed to physical thefts, misuse, or human error. (The largest share of losses in government, by the way, were human error -- 48 percent of the sector's total.)

But with health care, more than two-thirds of the losses -- 70 percent -- were attributable to physical theft, which the report defines as "lost or stolen hardware or portable media containing unencrypted data" -- specifically, personal data health care data with black-market value, such as Social Security numbers.

Bitglass, a security vendor that provides data-sanitization solutions, crunched Health and Human Services data to come up with similar figures. In health care, the company found, only 23 percent of data breaches since 2010 were hack-related; the rest were through "loss or theft of employee mobile devices with information on them." 

Other sectors showed different breakdowns in the California report. The hospitality industry, for instance, was the second-largest vertical where malware/hacking was a source of breaches (58 percent of all incidents reported), and human error was attributed to almost half of the breaches in government and a third of the breaches in education.

California 2013 data breaches by industry California Department of Justice

Data breaches in California for 2013, by industry and breach type. Health care's large number of physical breaches has been attributed to the theft or loss of devices that are mainly unencrypted.

But health care came in as the biggest source of physical breaches -- 40 percent -- among all industry types surveyed, with the vast majority coming from stolen hardware or media, which the report defined as "laptop and desktop computers, hard drives, USB drives, data tapes or paper documents." (Smartphones were not specifically mentioned as a target in the California report, although it does use the term "portable devices," which could refer to smartphones or tablets.)

The larger question is why health care providers are such vigorous targets for physical theft. Bitglass CEO Nat Kausik believes the answer lies in how effectively the stolen data can be monetized.

According to other research seen by Kausik, most stolen credit card numbers -- the type of data typically filched in a retail hack -- are worth only "50 cents or a dollar each" on the black market, in big part because credit card numbers can be invalidated and charges made on them can be reversed.

"But health care records are worth something like $50 each," he said in a phone interview, "because you actually get the person's identity. You can't really change a Social Security number, and that has lasting value to the thief."

To that end, as the California report noted, about 50 percent the time during any breach, the theft of a Social Security number was involved, with payment card thefts taking place in about 40 percent of the breaches.

Another complicating factor is the inconsistent mitigation of the loss or theft of Social Security numbers. The California report found that "in 29 percent of breaches of Social Security or driver's license numbers, where a mitigation service such as credit monitoring or a security freeze would have been helpful, the breached entity failed to offer such a service."

In a list of 12 recommendations to all industries, the California report said health care providers in particular "consistently use strong encryption to protect medical information on laptops and on other portable devices and should consider it for desktop computers."

Drive makers have stumped for full-disk encryption being less expensive and difficult to implement, with the costs being negligible and the encryption itself typically invisible to the end user. In an earlier 2013 California breach report (which covered data breaches in 2012), California Attorney General Kamala Harris warned that she "will make it an enforcement priority to investigate breaches involving unencrypted personal information," putting pressure on businesses -- regardless of their sector or vertical -- to encrypt or else.

[An earlier version of this article stated in the first paragraph listed "desktop PCs, laptops, tablets, and smartphones" as devices affected by lack of encryption. This has been amended to remove specific mention of smartphones, with other clarifications to that end included. in the article.]

Copyright © 2014 IDG Communications, Inc.

How to choose a low-code development platform