The Case of the Missing Laptop
According to Redspin, a Healthcare IT Security Firm, the most common cause of private health information (PHI) data breaches is the loss or theft of a laptop or other mobile computing device (35% vs. 22.1% by ‘unauthorized access’).
The Redspin report released in February of 2014 voices concerns that one of the biggest culprits of future breaches will be employee negligence:
The proliferation of mobile devices – whether employee issued or personally owned (BYOD: bring your own device) – will exacerbate this problem. We expect employee negligence alone to continue to drive the PHI breach statistics even higher over the near term. (p. 5)
In our office, so far, and through a verbal survey of a couple of our insurance providers, we’ve found this to be borne out. Hacking happens. Firewalls are breached. But more often…
…phones are left at restaurant tables. Laptops are left on backseats of cars, in plain view. Tablet computers get shoved into backpacks which get left at a friend’s apartment. The backpack then mysteriously disappears.
Proper Education and Encryption
In light of these facts, it’s important that all nonprofits (especially mental health and other healthcare nonprofits) educate their employees about properly caring for their devices. Managers should wear down their employees with reminders about being careful with mobile electronics that carry data. Managers should be almost annoying about it, like a parent reminding a child to say ‘thank you’ 13 times a day.
Further (and admittedly, I’m out of my depth here as far as specific recommendations), organizations should research and implement encryption protocols.
What Are You Doing?
What are you doing to protect your nonprofit’s data?
Employee records, donor records, and client records are all at stake.
While insurance is an option for these exposures, it’s vitally important to start implementing preventative risk management.
I’d love to hear your thoughts in the comments: what is your nonprofit doing to prevent or mitigate a data breach incident?
Go check out Redspin’s white paper: BREACH REPORT 2013: Protected Health Information (PHI)