SECURITY REALITIES FOR BEHAVIORAL HEALTH | Behavioral Healthcare Executive Skip to content Skip to navigation


September 1, 2006
| Reprints
Jitters about air travel inspire a conversation about behavioral health data security

Days after last month's arrests in the alleged terrorist plot involving liquid explosives, my mother-in-law called my house while packing for the flight for our family vacation. She was about two “oy vays” away from being hysterical. The standard hello and announcement of who is calling (I'd know that voice if I had amnesia) were followed by the routine check that I was properly caring for her grandson. In her voice I heard great concern and worry. A less experienced son-in-law would claim the baby well fed, rested, and dry, but with almost ten months of experience under my belt, I proceeded with the $1 million question.

“What's wrong?” I asked. She answered with the concern and respect of an overworked, underpaid therapist working seven days straight and seeing her twelfth client of the day. She scoffed, “Haven't you seen the news? How am I supposed to fly without my medications, my toothpaste, my makeup, for goodness sake? I need my Listerine! The whole world's a mess. What am I to do?”

Having been trained by dozens of care providers and behavioral health executives, I gently responded, “I understand your concern. Your situation is real. Let's talk through this and discuss some solutions. You will be okay. Let's start with some facts. What exactly must you check with your luggage versus carrying on the plane?”

Some of you may be wondering what this conversation has to do with security and behavioral healthcare. Others may be questioning my sanity for sharing my family vacation with my mother-in-law. Either way, there is a lot in common between preparing for air travel in today's security and threat-focused aviation industry and securing behavioral health data and access in today's ever-increasing technology-infused world.

The Threats Are Real

Some threats are internal, some systemic, and others external. Laptops are stolen. Users select easy-to-crack passwords. Well-intentioned, experienced, caring staff post their user names and passwords on yellow sticky notes next to their computers. Individuals load unapproved software. Even advanced, talented IT staff occasionally go astray. The story of the system administrator that “loaned out server time” to a software program to track extraterrestrial activity is no myth; I've seen real-world deployments (of the program, not ET). Some employees even install unauthorized and often unencrypted wireless networks at remote locations. These are internal threats—very real but also very manageable.

Any resemblance of characters or individuals in the introductory paragraphs to real people are purely coincidental. My mother-in-law is wonderful, and I still have a lot to learn as a son-in-law.

Bad, misdirected people act maliciously. Often motivated by reasons or causes we cannot discern, these people inflict random yet real damage. This is the reality with which we must deal. This is the reality in air travel and when securing your organization's data.

For those who need more convincing, consider the following:

  • Remember that infamous lost—and then found—Department of Veterans Affairs laptop?

  • The American Institute of Certified Public Accountants lost a hard drive containing 330,000 unencrypted Social Security numbers.

  • The CEO of QUALCOMM had his laptop stolen.

  • Fourteen FBI laptops containing classified information were stolen.

  • 600,000 laptop thefts were reported in 2004, costing an estimated $5.4 billion in theft of proprietary information, according to Safeware, The Insurance Agency, Inc., in 2004.

  • Nearly three quarters of stolen laptops do not meet regulatory compliance requirements for data encryption, mainly the stringent HIPAA privacy regulations, according to the Corporate Exposure Survey: Lost & Stolen Laptop Edition, 2005.

  • The theft of a laptop results in an average financial loss of $89,000; only a small percentage of the sum actually relates to the hardware cost, according to the Computer Security Institute (CSI)/FBI Computer Crime & Security Survey, 2002.

  • 40% of companies do not log security incidents (2005 CSI/FBI computer crime survey).

  • 90% of companies suffered a computer security incident in the past year (2005 CSI/FBI computer crime survey).

  • 20% of companies have suffered network or data sabotage (2005 CSI/FBI computer crime survey).

Steps to Minimize Risk

First, acknowledge reality.

Once we accept the situation, we can begin to adjust our behavior to avoid problems and adhere to the proper rules (e.g., don't carry on toothpaste). Discuss the threats with your management team and your entire staff. Review statistics, and decide as a group how you will move forward to change your business practices and minimize the pain (“You mean I have to buy toiletries when we land?”).

A practical, basic checklist for this first step includes:

  1. Have management discuss publicized threats. Review the 2005 CSI/FBI computer crime survey (, details of the VA laptop case, and a local example.

  2. Have an agency-wide discussion. Survey your staff to seek their level of awareness of risks and threats. Administer a short, one-page survey, and leave room for one or two open-ended answers and recommendations. Review the survey's results with management and staff.

  3. Inventory all unauthorized software deployed in your agency. Budget five to ten minutes per computer, and understand the use and need for every software product inventoried.