I recently gave a presentation to an Information Services audience around the topic of Data Loss Prevention. The goal of the presentation was to raise awareness among the audience members with respect to HIPAA and HITECH around Data Loss Prevention and to help introduce the topic.
At the beginning of the presentation I asked the audience the following questions, trying to make the presentation interactive;
- Who in the audience has ever been a victim of credit card fraud?
- Who in the audience has ever been a victim of identity theft?
- Who in the audience has ever been a victim of medical identity theft?
There were a surprising number of hands raised for each question which seemed to shock some of the audience members.
Information Security
- Confidentiality
- Integrity
- Availability
We’re the problem?
- No security solution is ultimately stronger than its weakest link.
– Weakest Link in Information System Security by C.W. Flink 2002
- Humans are considered to be the weakest link in the information security chain.
– Global Information Assurance Certification Paper by Chan D Lieu 2002
Facts and Statistics
- In 2012, there were 447 documented breaches in the United States, exposing 17,317,184 records. In the first half of 2013, there have so far been 255 incidents, exposing 6,207,297 records.
– ITRC Breach Report, Identity Theft Resource Center, May 2013
- The street cost for stolen medical information is $50, versus $1 for a stolen Social Security number.
– RSA Report on Cybercrime and the Healthcare Industry, 2013
- The World Privacy Forum has reported that the street cost for stolen medical information is $50, versus $1 for a stolen Social Security number.
– RSA Report on Cybercrime and the Healthcare Industry, 2013
- 94% of healthcare organizations surveyed experienced at least one data breach in the past two years
– Third Annual Benchmark Study on Patient Privacy & Data Security, Ponemon 2012
- The average cost per record of a healthcare data breach in 2011 was $240, which is 24 percent higher than average. Healthcare data breaches are the fourth highest by industry, behind the financial, pharmaceutical and communications sectors.
– 2011 Cost of a Data Breach: United States, Ponemon Institute and Symantec, March 2012
- Thus far in 2013, 48 percent of reported data breaches in the United States have been in the medical/healthcare industry. In 2012, there were 154 breaches in the medical and healthcare sector, accounting for 34.5 percent of all breaches in 2012, and 2,237,873 total records lost.
– ITRC Breach Report, Identity Theft Resource Center, May 2013
- 1.42 million Americans were victims of medical identity theft in 2010, 1.49 million in 2011, 1.85 million in 2012
– Third Annual Survey on Medical Identity Theft by Ponemon Institute 2012
- The average payout for a medical identity theft is $20,000, compared to $2,000 for a regular identity theft.
– RSA Report on Cybercrime and the Healthcare Industry, 2013
Data Loss Prevention
- Data Loss Prevention includes People, Processes and Technology.It’s not a problem that technology can solve by itself instead it requires governance, policies, procedures, access controls, incident response, endpoint security, and training along with auditing and monitoring.
- Data at Rest – Where is my confidential data stored?
- Data at Motion – Where is my confidential data going?
Why?
- Reduce Risk – prevent breaches, prevent loss of PHI and IP
- Comply with Regulatory Requirements – HIPAA/HiTech
Questions, Comments, Thoughts?
There was a surprising number of questions and comments at the end of the presentations. I had thought people were starting to look glossed over half-way through, perhaps because I had too many statistics and facts but I was trying to make sure they understood the gravity of the problem. Now the real work begins as we try and implement a data loss prevention policy.
Cheers!
Bill says
Great article, Mike. I also commend you for recognizing the need for protection of data, not only at rest, but also in-motion. As you know, I think that tight encryption of data-in-motion is essential, especially in Healthcare.
Michael McNamara says
The need for wire speed encryption is sure to only grow in the future.
Raises interesting questions about the issues surrounding Lavabit and similar businesses which have been forced to shutter their doors because of overreaching court orders.
Thanks for the comment!
Charl Le Roux says
Hi Michael,
Are you willing to share your Information Security Powerpoint Presentation? I’m in the process of researching and compiling info specifically on Data Loss Prevention.
Michael McNamara says
Sorry Charl, don’t believe I have a copy… that’s a very old post.
Cheers!