
The Dumbest Ways to Lose Your Data


Data breaches are often preventable. That's the sad truth. Businesses get sloppy, turn off security settings, or don't practice basic data security. This truth was highlighted recently when data security watchdog site GovInfoSecurity.com profiled some of the top causes of medical data breaches. The results were surprising and useful for IT companies of all shapes and sizes.

Let's take a look at some of the top causes of a data breach, and what this reality means for you and your clients.

3 Cases That Highlight How You Can Prevent Data Breaches

Following a record number of data breaches in January, the Department of Health and Human Services updated its website to show the major data breaches affecting more than 500 patients. Here's what you need to know about the kinds of mistakes that can lead to data breach lawsuits and fines.

  • One man's trash is another man's data breach. Almost 300,000 patients were affected by a data breach when thieves stole microfiche from a Dallas-area hospital's trash. Whether you're throwing out old paperwork, thumb drives, or outdated technology, you'll have to find secure ways to dispose of it. Old hard drives and other devices should be destroyed rather than just tossed in the trash.
  • Mobile devices are convenient for thieves. Two laptops stolen from a healthcare company's office contained almost 750,000 patient records. Ouch. Physical theft is one of the top three causes of data breaches and tends to be more costly.
  • Unencrypted computers are a breach waiting to happen. When two unencrypted computers were stolen from a Chicago-based medical practice, 4 million records were compromised. More than half of all the data breaches reported by Health and Human Services involved the theft or loss of unencrypted devices. Encryption is often as simple as checking a box in the computer settings. Because it didn’t take that step, the Chicago practice will have to pay to contact millions of its patients and possibly deal with a class-action data breach lawsuit.

(For more information about the fines medical businesses have to pay and the kinds of liabilities health-industry IT professionals need to worry about, see the post "$1.2 Million HITECH Fine Highlights Risks for IT Contractors Working with Healthcare Clients.")

The Takeaway: Avoiding Dumb Mistakes Is the First Step

After looking over these recent medical data breaches, an IT professional can't help but be astonished at how preventable they were. Of course, you can't completely prevent theft. You can't stop a criminal from smashing a window and stealing a laptop. But you can help your clients protect their data before it's stolen.

Here's what IT consultants need to make sure their clients do:

  1. Encrypt data. With encryption turned on, data stays encrypted any time a user isn't logged in to their computer. This means that if someone steals a laptop, they might get the laptop but the data will be useless. Remember that clients need to understand how security functions work. An employee who never logs out of their computer (or tweaks their settings so they are never logged off) exposes their data to more risk.
  2. Dispose of records properly. Hire paper shredders to dispose of physical records and tech security experts to wipe hard drives or destroy any device that contains sensitive data – once you’re finished with it, of course.
  3. Take advantage of cloud security and VPNs. With the proliferation of mobile technology, more and more users have access to private data beyond a company's secure firewall. Make sure you account for this risk when designing cloud resources and VPNs for your clients.
  4. Protect yourself from client mistakes. Clients don't know as much about data security as you do. Unfortunately, if they have a data breach, you can still be sued. E&O Insurance covers your client data breach liabilities, and can pay to defend you from lawsuits about even the dumbest data breaches.

Though the data breaches we looked at happened at medical businesses, the lessons apply to IT professionals with clients in any industry. Simple human errors cause a huge percentage of all data breaches.

As an IT project manager or security consultant, make sure you teach clients the importance of data security. But also make sure you protect yourself with an Errors and Omissions Insurance policy. Make sure you're not on the hook for simple human error.

To learn more about the cost of business insurance, check out these sample insurance estimates for IT contractors and small businesses.
