Data Breaches

Maybe it is because I am a computer guy but data breaches make me angry. Most of the time, it doesn’t happen in the way that you think, either. It isn’t some malicious, highly skilled hacker getting into the computer network at my job with the intent of stealing all your medical information. I’m not saying they won’t get your information, but it isn’t usually because of a cyber security failure on my end.

It’s usually people just being people. We can’t help it. We do stupid stuff sometimes.

Here are some examples of what I’m talking about:

There was a guy who worked for the Veteran’s Affairs office. He had a laptop that he used for work and he had patient-sensitive information on it. This was back when the military still exclusively used servicemembers’ social security numbers as patient identifiers, so it was tied to everything from their healthcare info to their financial information for their injury compensation. And even though this particular man wasn’t supposed to, he took the laptop home for whatever reason (I’ll give him the benefit of the doubt and say he did it to catch up on some work). Then his house was robbed. Of course, that meant the laptop got stolen and thousands of veterans, through no fault of their own, had their personal data compromised.

I had my own healthcare data stolen a few years back, and again—it had nothing to do with me. Once again, it was human error and some lapses in judgment. Two guys in charge of driving a bunch of backup tapes to a data storage center broke protocol by leaving their vehicle unattended at a gas station and—surprise surprise—their truck was stolen.

I got five years of free identity theft monitoring for that one, even though I was repeatedly told that the car thieves were incredibly unlikely to also own a machine capable of reading the data tapes. That wasn’t even really the point.

Information doesn’t even need to be physically stolen. It gets accidentally introduced into systems all the time. We can have excellent network security but when some idiot goes on a sketchy website or clicks on a phishing link from the computer at his desk, he risks infecting everyone else’s machine. And while he might not have any client or personal information on his machine, HR does. Other departments might. And while they probably follow strict information handling protocols, they can’t protect themselves from a threat somebody else let into the house.

With the recent election, everybody’s heard all about unsecured private email servers and unsecured cellphones. Again, it’s a matter of human error. It’s just so much easier to have one device to check email instead of lugging around a personal device and another, secure device (or even being—gasp—unavailable sometimes).

All the strong passwords, data encryption, and network security are not going to help you if protocols aren’t followed. I mean, that’s why we have the protocols in the first place. That’s what makes me angry about them—people assume that it is the network guy’s fault. I promise it’s not me!