Disjunction in health care data security

A lost or stolen unencrypted laptop storing PHI is a HIPAA violation or it is not subject to HIPAA fines.

A lost or stolen unencrypted laptop storing PHI is a HIPAA violation.

Therefore, it is subject to HIPAA fines.

The above is an example of a disjunctive syllogism: a valid three-step argument with a logical disjunction (the “or” statement). In this case, at least one of two statements is true. A disjunction is false if and only if both statements are false; otherwise it is true.

When considered in the context of health care cyber security, there’s a tendency to think in terms of “either/or” versus “both/and.” The former creates the inclination to pit one thing against another, which can lead to having to make a choice between alternatives to the exclusion of others. The latter works better with strategic organizational issues because it’s “a type of logic used in decision making that allows for a greater variety and scope of outcomes than a rigid either/or decision-making process. This approach is useful when comparing two or more possible tracks or outcomes in a real world setting.” (1)

Cyber security in health care requires “both/and” thinking, as cyber crime occurs with ever-new creativity. Health records are a valued commodity, and advances in health information technology and its interconnectedness have led to advances in the modes of cyber attacks (e.g., ransomware) used to steal patients’ protected health information (PHI). This evolution is expected to continue. (2)

In modern medical practices, digital assets (i.e., information technology and data) are the most valuable assets. Core operations depend on the uninterrupted operation of their electronic data processing that if degraded or damaged, could cost a practice thousands in lost revenue and productivity.

Yet, data security and control of information in health care lag behind other industries. According to the Health Care Industry Cybersecurity Task Force’s June 2017 report, the reasons are inadequate in-house expertise, poorly secured or outdated computer systems, and an overall lack of awareness of the seriousness and complexity of cyber threats today. (3)  And that’s where “both/and” thinking can help, because it can yield better reasoning when making complex decisions. It allows for a diversity of choices when implementing data security best practices, including proactive risk assessments; vulnerability testing; phishing campaigns; workforce security training; and intrusion detection systems; and managed detection and response.  

While it’s true many providers are under-resourced in defending against cyber risks, the need for effective cyber security has to be accepted and built upon. It’s ultimately about intrusion detection and containment of breach incidents, which requires multiple approaches.

Isaac Newton’s first law of mechanical motion is the Law of Inertia: A body at rest tends to stay in rest unless acted upon by an external force. The Law of Inertia also applies to human psychology. When faced with a difficult issue, the easiest “strategy” is to find a reason not to do something about it. We can always find a reason to wait or to push a difficult issue aside.

But the chances of a data breach are especially high in health care given the amount of collection, processing, storage, dissemination, and sharing of PHI occurring between multiple clinically-integrated networks. These risks are compounded by third party vendors and business associates who also have access to PHI, but whose cyber security posture is uncertain.

The U.S. Department of Health and Human Services recently launched a new online “HIPAA Breach Reporting Tool” to provide improved navigation to individuals who want to identify breaches of PHI and for ease-of-use for organizations reporting breach incidents. (4) This tool also shows how all breaches of PHI are investigated and successfully resolved by the Office for Civil Rights.

Going forward, it’s expected that state and federal regulators will continue to provide greater public transparency about data breach incidents and greater emphasis on safeguarding the privacy and security of patients’ health information.

According to Phishing.org, more than 100 billion spam emails are released each day and 85 percent of all organizations have been targets. (5)  If a provider doesn’t act to mitigate its cyber vulnerabilities today, what are they going to do instead? The answer to that question requires “both/and” thinking.


  1. Business Dictionary. What is both/and? Available at http://www.businessdictionary.com/definition/both-and.html. Accessed August 28, 2017
  2. Ponemon Institute. 2017 Cost of Data Breach Study: United States. Available at https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03130USEN&. Accessed August 28, 2017.
  3. Public Health Emergency Cyber Security Task Force. Report on improving cyber security in the health care industry. Available at  https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf . Accessed August 28, 2017.
  4. U.S. Department of Health and Human Services. Office of Civil Rights. Breach portal. Available at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf . Accessed August 28, 2017.
  5. Phishing.org. Available at https://www.phishing.org/. Accessed August 28, 2017.

About the Author

John Southrey is the Director of Cyber Consulting Services at TMLT. John can be reached at john-southrey@tmlt.org.

Visit Website More Content by John Southrey
Previous Article
Cyber security: Back to basics
Cyber security: Back to basics

Basic cyber security tips and responsibilities.

Next Article
HIPAA and emergencies

Resources for staying compliant with HIPAA in emergency cituations.