Saturday, January 28 marks Data Privacy Day, an effort to create awareness surrounding the protection of personal information. Although the Internet has become less and less private, Protected Health Information (PHI) is still worth a LOT. To be specific, a single record is worth up to about $500, according to the Aberdeen Group.
It isn’t uncommon for the Incident Response team to get calls from our healthcare clients concerned about potential security incidents surrounding patient data. A lot of times, these security incidents end with some recommendations that are easy to implement (and probably should already be implemented). Here is a quick story of a simple recommendation that could have saved a client thousands of dollars…
In 2014, GreyCastle Security received a call from a frantic client. A nurse’s car was broken into and their UNENCRYPTED laptop was stolen. Initial triage efforts determined that the laptop probably contained Protected Health Information (PHI), but no one could attest to the types or quantities of records on the computer.
Luckily, the client was able to grab a backup copy of the data, which was parsed to identify unique PHI records using forensic software. Unluckily, there were 506 unique records identified. This is a HUGE problem as the threshold for notifying the Department of Health and Human Services (HHS) is 500 unique records.
All in all, between the identity theft protection, legal costs, and other related costs, the breach totaled around $42,500. Keep in mind this is at the low end of the spectrum with regard to monetary losses, considering IBM reports that the average breach costs ~$4M. Here’s the kicker: want to guess how much Full Disk Encryption (FDE), like Symantec Endpoint Encryption, costs? About $80 per computer (and there are other solutions that may be even cheaper). Anyone else seeing the ‘smacks forehead’ emoji?
Moral of the Story: Staff may be annoyed by the performance decrease, or by the inconvenience of logging in to their computer twice, but the reality is that a small-lift configuration change like FDE can provide a major security enhancement, as well as peace of mind, by reducing your potential exposure to costly breaches. I mean, doesn’t spending $80 sound (and feel) better than $42K?
So please, if you don’t have laptop encryption, get a plan together to start implementation. But most importantly, invest in Data Privacy up front for pennies and get ahead of the game.
Adam Dean is a Security Specialist at GreyCastle Security. Adam is a graduate of the University of Advancing Technology with a Bachelor’s degree in Technology Forensics. Adam has experience identifying, containing, eradicating and recovering from computer security incidents ranging from malware-based infections to malicious insiders.