The IT industry fights to reduce and eliminate its overall risk for security breaches year in and year out. That’s why it’s so disheartening to read about recent breaches in the news. It always comes down to one concerning question: Could that have been me?
The most productive thing we can do is learn from the mistakes of others in the hopes that it will prevent a breach in our organization. Here are two recent minor threats and how they could have been avoided:
North Carolina DHHS Notification
In October of 2015, the North Carolina Department of Health and Human Services (DHHS) had to notify more than 1600 individuals that an employee sent an email with unencrypted personal information. The email included patient and provider information like names and identification numbers.
While the staff member immediately recognized the error and notified the state’s security office, the risk of breach here is obvious: there was no way of knowing whether the email had been intercepted in transit, or whether the information of the notified individuals had been compromised.
How to Avoid It:
Very appropriately, the DHHS reminded all other staff to encrypt emails that contain confidential information before sending them. The organization is also exploring automatic encryption technology that would remove this kind of human error from the process. That’s good advice for the rest of us, too: buckle down on staff training and emphasize that all confidential information transmitted by email must be encrypted before being sent. If you have the budget for the technology, consider upgrading to an automatic data encryption tool.
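The “automatic” control the DHHS is exploring is, at its core, an outbound-mail policy gate: inspect each message before it leaves, and refuse to deliver plaintext that looks like confidential data. The following is an added example of such a gate, not code from the original post or from the DHHS; the identifier patterns (SSN, medical record number, date of birth) and the sample messages are constructed for illustration, and a real deployment would tune the patterns to the organization’s own identifier formats and would sit in the mail relay rather than in a script.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed patterns for what "confidential information" might look like.
# These are illustrative, not a complete or production-grade detector.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[-: ]?\d{6,}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b[: ]*\d{1,2}/\d{1,2}/\d{4}", re.IGNORECASE),
}

# MIME types that indicate the body is already encrypted end to end
# (S/MIME enveloped data and PGP/MIME respectively).
ENCRYPTED_TYPES = {"application/pkcs7-mime", "multipart/encrypted"}


def is_encrypted(msg: Message) -> bool:
    """True if the top-level message is an S/MIME or PGP/MIME encrypted envelope."""
    return msg.get_content_type() in ENCRYPTED_TYPES


def find_sensitive(msg: Message) -> dict[str, int]:
    """Count matches of each sensitive pattern across all text parts of the message."""
    hits: dict[str, int] = {}
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip attachments and container parts
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        for name, pattern in SENSITIVE_PATTERNS.items():
            count = len(pattern.findall(text))
            if count:
                hits[name] = hits.get(name, 0) + count
    return hits


def outbound_decision(raw_message: str) -> tuple[str, dict[str, int]]:
    """Decide whether a raw RFC 822 message may leave the organization unencrypted.

    Returns ("allow", {}) for encrypted or clean mail, and
    ("block-require-encryption", hits) when plaintext confidential data is found.
    """
    msg = message_from_string(raw_message)
    if is_encrypted(msg):
        return ("allow", {})  # ciphertext: nothing to inspect, nothing to leak
    hits = find_sensitive(msg)
    if hits:
        return ("block-require-encryption", hits)
    return ("allow", {})


# Constructed sample messages (no real people or identifiers).
PLAINTEXT_MAIL = """From: staff@example.org
To: provider@example.net
Subject: Provider roster
Content-Type: text/plain; charset="utf-8"

Patient Jane Doe, MRN-0045612, DOB: 04/12/1970, SSN 123-45-6789
"""

ENCRYPTED_MAIL = """From: staff@example.org
To: provider@example.net
Subject: Provider roster
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

PLACEHOLDER-CIPHERTEXT-NOT-REAL-BASE64
"""

BENIGN_MAIL = """From: staff@example.org
To: colleague@example.org
Subject: Meeting
Content-Type: text/plain; charset="utf-8"

Meeting moved to 3pm tomorrow, same room.
"""

if __name__ == "__main__":
    for label, raw in (("plaintext", PLAINTEXT_MAIL), ("encrypted", ENCRYPTED_MAIL), ("benign", BENIGN_MAIL)):
        print(label, outbound_decision(raw))
```

The point of the gate is that the decision no longer depends on the sender remembering to encrypt: a message that carries identifiers in a text part is held until it is wrapped in S/MIME or PGP/MIME, while a message that is already an encrypted envelope passes through untouched. Pattern matching will miss some data and flag some false positives, so in practice the “block” outcome is usually paired with a prompt to the sender or an automatic encryption step rather than a silent drop.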
OU Medicine Laptop Theft
Also in October of 2015, the University of Oklahoma (OU) Department of Urology had to notify more than 9,300 individuals that a laptop was stolen from a former physician employee. The laptop contained sensitive, personal information, including names, diagnoses, treatment codes, dates of birth, and medical record numbers.
The laptop was stolen from the physician during the night, and OU was notified about four weeks afterward. The laptop contained a spreadsheet database of patient information that was password-protected but not encrypted, so the password alone offered no real protection for the data on the disk. When OU realized the physician had not notified the affected individuals, it began the notification process itself.
How to Avoid It:
To prevent this kind of problem from happening again, OU is training its employees in safe behaviors and habits that protect the security of computers, hard drives, and devices that contain sensitive data. In a situation where a breach can occur from any device, education about personal safety and alertness is key to preventing theft.
OU has also proactively offered a free year of credit monitoring services to all affected individuals, a great step toward minimizing the bad publicity that goes hand-in-hand with medical data breaches.