Lost and Stolen Mobile Devices Are Leading Cause of Healthcare Data Breaches
A lost or stolen laptop, tablet, or smartphone can complicate a healthcare data breach, as a recent story from Texas makes clear.
The thief who burglarized the headquarters of Sunglo Health Home Services in Harlingen, Texas, broke into one van, found the keys to another, loaded the second van with tools and equipment, and sped off. Later he returned to Sunglo’s offices, used a fire extinguisher to smash a window, and stole a laptop. That laptop happened to contain the Social Security Numbers and Personal Health Information (PHI) of Sunglo patients. Sunglo’s IT department couldn’t say whether or not the data was encrypted. Police later apprehended the burglar—most of this story was captured on video—but they never recovered the laptop.
This burglary was hardly a major news story, but unfortunately it is the kind of story that is all too common. Lost and stolen mobile devices are a leading cause of healthcare data breaches, and hence of HIPAA compliance woes, according to a recent survey by Bitglass.
The survey found that:
- 68 percent of healthcare data breaches were due to the loss or theft of mobile devices or files.
- 48 percent of data lost was on a laptop, desktop computer, or mobile device.
- Only 23 percent of the breaches resulted from hacking not connected directly to the loss or theft of a mobile device.
As these numbers show, healthcare organizations (HCOs) and their business partners need to do a much better job of protecting PHI on mobile devices, if they want to achieve HIPAA compliance and avoid a healthcare data breach. They should ensure that PHI is always encrypted, whether in transit or in storage, and that IT administrators can remotely wipe data on lost or stolen devices. Information security policies and training should be extended to cover use of mobile devices.
Unfortunately, the outlook is not good for mobile device thefts, particularly in cases where thieves suspect the devices contain PHI. According to the World Privacy Forum (quoted by RSA):
“The street cost for stolen medical information is about $50, versus $1 for a stolen Social Security number. The average payout for a medical identity theft is $20,000, compared to $2,000 for a regular identity theft.”
Criminals follow the money, and stolen PHI is worth big money. To protect PHI and avoid healthcare data breaches, HCOs and their partners should act now. They should strengthen their IT security, including their IT security for smartphones, tablets, and laptops.
Secure mobile file sharing solutions, such as the Kiteworks secure file sharing and governance platform, protect patient records, even in the event of a lost or stolen device. With capabilities like a secure mobile container that keeps PHI locked away from other content on the device and remote wipe that allows administrators to remotely delete PHI, medical staff avoid costly healthcare data breaches. When healthcare professionals have a secure mobile file sharing application that provides safe and simple access to patient records, they can find the content they need quickly, review and edit it easily, and share it securely and in compliance with HIPAA.