Q&A: How a health 'data spill' could be more damaging than what BP did to the Gulf
Q: The study found that sloppy mistakes are among the most prevalent causes of data breaches. What are the most common examples?
LP: Basically, it’s hard to say what the sloppiest is, or the worst example, but I think we see billing information, administrative applications like scheduling apps, definitely clinicians that are not paying attention to detail that unfortunately might lose a device like a handheld that contains patient information. Part of the whole ecosystem of healthcare is about collecting information. You have to do it. That’s why you’re in a hospital, right, to recover from an illness or for diagnostic purposes. There’s information that has to be collected about you, but there’s the handling of that between clinicians, administration, billing, and others including third-parties that creates kind of a perfect storm for data loss. There’s also the culture. I’m just going to jump in here – and this might sound pretty negative and damning to clinicians – but culturally we’re dealing with people who measure their efficiency in seconds. There’s pressure on healthcare organizations to be more efficient than they’ve previously been. There’s efficiency in terms of time, the time it takes to get something done. So if it takes a little bit of time to secure your handheld device with a password, that doesn’t get done. That goes back to the culture of healthcare where we push people to work very, very efficiently but they may not have the resources to go a little slower to be more mindful of their privacy and security responsibilities. This might also be true in other industries but based on the research we’ve done over the years healthcare seems to be one of the worst in terms of balancing the need for security with the mission of more efficiency.
Q: So why is healthcare among the worst?
LP: Well, I think there are financial challenges for many healthcare providers, so as a result of that it’s hard to get enough funding to have the right technology and the right people, the right governance processes in place to deal with these regulatory and real requirements, more than just regulatory. So that has a lot to do with it and as I said culturally the main vision in healthcare is to heal people. It’s not about protecting data. Some industries like financial services learned a long time ago that data protection is core to customer trust.
That concept does not seem to pervade the healthcare organizations that participated in our study and, interestingly enough, patients, people who are the victims of data loss, if a healthcare provider loses their data, they’re going to lose trust pretty quickly and say ‘Why do I want to go to a hospital that can’t manage my data? How can they manage my illness?’ ‘How can they manage a laboratory test if I can’t trust them to manage my billing order?’ Those kinds of issues are pervasive in healthcare. Other industries experience some of these, it’s not uniquely a healthcare problem – but it does seem that healthcare has more of these challenges than other industries.
RK: Widespread use of mobile devices is one of the culprits. It’s not unique to healthcare but they are causing problems.
Q: Is there a distinction between, say, laptops, smartphones and tablets? Is one more susceptible to being breached than the others?
LP: The word mobile, a laptop computer is a mobile device, definitely, but the devices of great risk in our areas of research will be those like smartphones, maybe tablets. The smaller the device the higher the probability of it being lost. And we know that healthcare organizations on the efficiency side have discovered the great benefits of using a handheld device, for example to capture patient information, to do diagnostics, to receive the consent of a patient. The ability to do that now is just so efficient because of handhelds, and when you couple that with single sign-on technology so that the user can connect to every app without having to enter separate passwords, for the most part that creates a real improvement for people in the working environment but, of course, as more of these small devices are used and collecting data the higher the risk that something real small can contain lots of data and lead to a massive data loss. The other issue, too, is that as easy as it is for the device to be lost, especially with all that data residing on the device, there’s also the fact that the device itself is a form of authentication. People forget about that, so if I’m using single sign-on, if I’m not careful I might have my visible credential on the devices. If it’s stolen by the bad guys that could open up access to a system of electronic medical records, thousands or millions of records. So that’s another issue with mobile devices, not just that they’re a form of storage but it’s also an authentication mechanism.