Breach after breach is occurring within the healthcare vertical, as medical providers, insurers, and medical device companies find themselves fielding ever more sophisticated techniques from criminal entities. Targeted phishing remains consistently lucrative from a target/execution model.

In focusing our information security teams so tightly on the cyber model, though, are we overlooking the information sitting in the file cabinets and archival storage — the paper, backup tapes, or other data stores — that is not readily observable by the in-place data loss protection schema?

That small and overworked infosec teams must focus on where they will get the biggest bang for their buck seems logical. A breach touching the backend of a hospital or locking down all the medical devices would certainly have the potential to be a catastrophe.

Can a file folder, or two or three, or a hundred or a thousand, do substantive damage? Perhaps only if you are the patient whose personal identifying information (PII) or protected health information (PHI) is compromised. HIPAA enforcement from OCR, though, carries a much more telling bite than has previously been experienced by entities with lackadaisical notions of physical security of paper or archival records.
They are still talking about the multi-million-dollar fine levied when a healthcare provider included patient information in a press release.

Cases where paper healthcare records were compromised

Let’s move beyond the hypothetical and speak to specifics — instances where employee lack of attention to detail, willful disregard for established processes, or malevolent acts have caused the medical record of a patient to become compromised.

Mercy Love County Hospital and Clinic in Marietta, Oklahoma, saw one of their former employees convicted for the theft of medical records and a laptop from a “hospital storage unit.” In their notice to the public, the hospital emphasized that “a small number of patient records” were compromised, 10 in total. Clearly small. But the breach report filed with the U.S. Department of Health and Human Services (HHS) noted that information on 13,000 patients was compromised.

Regardless of number, the hospital’s former employee (a nurse) wasted no time and went on to monetize the information culled from the storage unit, court records tell us. The miscreant engaged in financial identity theft, opening up a variety of credit instruments to the tune of $240,000.

Then there’s the instance where a medical entity, St. Francis Hospital in Columbus, Georgia, mistakenly sent “some administrative documents” to a landfill instead of to the shredder.
It was an administrative error that compromised, according to the hospital, “personal and/or billing information of some patients, including the patient’s name, date of birth, Social Security number, address, diagnosis, account number, final bill date, discharge date, last payment date, insurance balance or account balance.” While the public statement was ambiguous, the filing with HHS by the hospital showed 1,412 individuals were affected.

And then there is the January 2018 instance in which a ShopRite pharmacy in Millville, New Jersey, tossed the “device used to capture the signatures of customers … without first wiping the device of all stored phi.” Approximately 10,000 of the pharmacy’s customers were affected in that incident.

The most easily preventable compromises

While these are but a few of the recent instances where losses were a bit different than the normal hack and intrusion we read of with regularity, these are the most preventable. They constitute the lowest hanging fruit within the healthcare infosec ecosystem.

This year alone 54 healthcare providers have reported the compromise of medical records. These happened via email (sending a patient a file belonging to another is a common recurring error), loss or theft of devices, and, of course, IT incidents. But of those 54, 20 percent of them involve paper.

Going forward, let’s make it a point of emphasis to healthcare insiders and help them protect their patients’ privacy by protecting both the electronic records and the paper records.