Thankful for…the privacy of my patient data

November 29, 2011 - 0 Comments

If you happened to have your Thanksgiving meal last week with a person of Greek heritage, you may have heard them toast “Yia mas”, that literally means “to our health”. And that is exactly what I am thankful for each day, my family’s health.

I am also thankful for the health of our wireless business, which is going great thanks to professionals such as doctors, and nurses that want to want to use their personal devices (smartphones and tablets) at work.

At Cisco we have long been talking about how we enable this proliferation of devices in the workplace and how we make it easier for IT to onboard and troubleshoot these “un-managed” devices. We also provide a robust wireless infrastructure that enables these professionals by providing the best possible mobile experience. But the trend of personal devices in the workplace does pose a valid concern: “As more and more doctors start using their personal iPads at work, will my patient data be secure?”

Curiosity got the better of me, and I decided to look at some data over the long weekend to better understand how healthcare data breaches occur. This is by no means a scientific analysis, I just crunched some data I downloaded from the U.S. Department of Health and Human Services website (, so the findings are not conclusive, but rather indicative of what is happening. The data represents HIPAA breaches of 500 or more records per incident over the past 2-year period.

Here is what the data says:

  • 80% of the incidents affected up to 10 thousand personal records per incident. The median number of individual records affected per incident was 2,204 whereas the average was 48,348.
  • Theft and Loss are predominately the two ways personal records are affected, which is rather concerning since mobile devices are both easily lost and also easy to steal. See the breakdown of incidents in the following graph:

The good news, based on this data, is that intentionally malicious incidents (as represented by “hacking”) seem to represent a small percentage of incidents and records breached. Also, it is unknown whether the incidents categorized as theft (also malicious), aimed at the information stored in the stolen device, as opposed to the device itself. I would hypothesize for example that a crook breaking into a car to steal an iPad, is more likely interested on the tablet itself, rather than the data that resides on said device. But I guess that depends on the crook’s sophistication.

So my next question was to see what devices stored the data that was breached. The table below summarizes the results in a loose grouping of multiple categories provided in the actual data.

Other portable electronic devices, which by the way includes things such as: external hard drives, USB sticks, and the like, ranked 5th in terms of the % of records affected. But what about their frequency of theft or loss?

Well, it turns out that Other Portable Electronic Devices are the top data storage device that is lost, with 39% of the loss incidents and 6.6 times more likely to be lost than laptops. I guess my assumption here would be that employees would be more aware of a $500 personal device as opposed to a corporate device, and would not lose them as much.

On the other hand, laptops are twice as likely to be stolen (36% of theft incidents) than other portable electronic devices (16% of theft incidents). Again possibly signaling that crooks go after more highly valued items, which could potentially even have more information stored in them?

So is there a conclusion? Well, I would think that as healthcare companies are creating their policies regarding what types of devices/roles they allow on their network, it would not make much sense to exclude personal mobile devices (smartphones and tablets) merely on the assumption that they would pose a greater security risk, as the data above shows. Instead, they should reap the benefits of increased productivity and take all precautionary measures to limit exposure.

What are your main security related concerns regarding allowing personal devices on your network?

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.