Risk Assessment and Data Security

bruce schneier

How can it be that so many healthcare professionals worldwide continue to use unsafe communication methods when discussing patient data, despite the increased awareness on this topic?

I watched security expert Bruce Schneier’s Ted talk on “The Security Mirage” which provided some food for thought. 

Feelings, reality and models

According to Bruce Schneier, our sense of security is made up out of our feelings, our reality and models we get from, for example, culture, the media and industries. We assess risk based on these factors and make trade-offs – we either sacrifice money / time / convenience / liberty in exchange for more security or the other way around.

It is interesting that Schneier notes that the feeling of security plays a bigger role in our risk assessment than reality: “We respond to the feeling of security and not the reality”. The two might align, but not necessarily.

For example, the unknown is usually estimated to be riskier than the familiar, and the things that are in our control are deemed less dangerous than those outside our control.

bruce schneier security

Data security

How does this translate to data security? Using communication tools like WhatsApp or unsafe email providers feels secure to many people, because it is familiar – ‘everyone’ uses it, every single day. It is in our control whether we use it or not.

But the reality is that we are not in control when it comes to how these unsafe tools use our data. When this comes up in the media, people are briefly outraged, but as time goes on and the media keep quiet, they make a trade-off: the convenience of continued use often weighs heavier than improved data security.


The truth is that when it comes to professional use of such tools in sectors like healthcare, such a trade-off can simply not be made.

Individual healthcare professionals might choose convenience (and, arguably, their ability to provide care more quickly and efficiently) over security, but it is up to an organization’s management to present its staff with a model based on reason in which the risk to our personal privacy is properly assessed and decisions are made accordingly.

Such risk assessment can then lead to both improved organizational policies and, when communicated properly, increased awareness in individual healthcare professionals, who may then be even less willing to even consider trading off patients’ data security, especially when management presents them with secure, user-friendly alternatives (such as the Alterdesk healthcare messenger).

KPN Zorg Messenger op iPad