The latest report states that 77 computers, laptops and mobiles were lost or stolen from HSE in the last 5 years. Ok, 5 years means approximately since 2010/11. But they couldn’t exactly account for all of them before that either. A headline from 2008 says 55 HSE laptops went missing, then three more in 2009, one of which was non-encrypted and held personal financial data. And the same year there were the 15 stolen Roscommon laptops.
So what’s going on with HSE that there seems to be an average of over 10 devices lost or stolen every year? Health-related data can be very sensitive and is a sought-after commodity on the cybercrime black market, so one would imagine a company that deals with such data would take steps to make sure such things do not occur. Sure, HSE has more than 67,000 direct employees, and a further 35,000 employed by agencies funded by the HSE, so that means there are many computers and devices used daily. And they do claim “most” of them are encrypted. But what about those that go missing that are not?
Medical records can fetch $50 to $500 on the black market, and the ways of abusing such data, and the ways victims of that abuse can be affected, are countless. Targeted hacking attacks on medical institutions are a regular occurrence and can result in lawsuits worth millions. Emory Healthcare was sued for $200 million after losing 300,000 patients’ data, and Health Net had to settle after losing over 400,000.
In every organisation there is always the ever-present chance of human error, negligence or malicious intent. But particularly when sensitive personal data is handled, strict rules of use, monitoring of data transfers, data leak prevention and full encryption should be the top priority, and companies and organisations failing to address the issue are needlessly taking a huge risk.
by Urban Schrott, ESET Ireland