I feel like I’ve spent a lot of time this year talking about insider threats and the security risks posed by employees and third-party vendors and consultants.
Now, a recent study by Bitglass shows just how much damage the insider threat can cause. In its 2014 Healthcare Breach Report, Bitglass discovered that 68 percent of the data breaches in the health care industry since 2010 were caused by lost or stolen devices. The survey results nearly mirror a study conducted by the California Attorney General’s Office, which found that 70 percent of compromised health records were the result of a lost or stolen device.
This is not to say that cybercriminals aren’t doing any damage. Almost a quarter of breaches in the health care industry are caused by hackers infiltrating the network.
The health care industry is the most susceptible to data breaches. The Identity Theft Resource Center reported this year that more than 43 percent of all data breaches occur within the health care industry. How much safer would the industry’s information be if employees did a better job securing their devices?
Both the Bitglass and California Attorney General’s Office reports also show why insider threats are increasingly becoming the IT and security professional’s worst nightmare. While they can control the security of the network’s perimeter, they can’t control what employees are going to do, especially now in the age of BYOD. According to HIT Consultant, Bitglass offered a couple of suggestions on how to better approach the security of mobile devices that may be lost or stolen:
1. Secure Data, not Devices or Networks
By securing sensitive data as it flows down to end-user devices, health care organizations ensure that even if the device is lost or stolen, sensitive data is not compromised. Technologies such as on-the-fly encryption, redaction, DLP and DRM on sensitive data must be dynamically and automatically applied by policy.
2. Make Data Security a User-Friendly Experience
Mobility enables health care workers to spend more time on their patients. Any solution that hinders productivity is bound to attract workarounds that defeat security policies. In the same vein, security solutions should be easy to deploy and maintenance should not be burdensome, as it does not easily scale and can become costly.
I’m going to add a third one: Provide better education about mobile device security. Too many employees aren’t practicing even the simplest security efforts, like password-protecting devices or adding remote wipe software. Unless employees are trained to practice good security – and truly understand why – they won’t do it.
On the IT department end, the less data that has to be downloaded onto a mobile device, the better. In addition to the above recommendations, utilizing cloud computing could help lessen the loss of data if the device is stolen or lost.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba