Recent Cases of Portable Device Theft Highlight Need for Healthcare Data Encryption
Healthcare professionals can be given training on the importance of keeping electronic equipment secure; however, even the most security minded healthcare professional can make an error of judgement that results in PHI being exposed, such as leaving a laptop computer in a vehicle while patients are attended to.
Theft of medical devices containing Protected Health Information (PHI) had declined in recent months; but the HHS’ Office for Civil Rights breach portal now displays a high number of HIPAA violation cases of portable device theft, highlighting the importance of using data encryption software to safeguard PHI.
While portable devices carry the highest risk of data exposure, a number of recent burglaries of physicians’ offices show that even data stored on less portable computer hardware, such as desktop computers and servers, is not secure without robust security measures such as encryption.
Stolen Portable Electronic Devices Cited in Numerous Recent Breach Reports
In June, a physician from the University of Oklahoma’s Department of Obstetrics and Gynecology had a laptop computer stolen from a vehicle exposing 7,693 patient records.
The Baylor College of Medicine reported the theft of a portable device containing 1,004 patient records in July, and 560 records were potentially compromised when two computers belonging to the Treat Insurance Agency – operating under the insurer Arkansas Blue Cross and Blue Shield – were stolen from the company’s offices.
Oftentimes, large volumes of data are stored on portable devices such as laptop computers. In July, North East Medical Services reported the theft of a laptop computer from the trunk of a physician’s car, which resulted in 69,246 patient records potentially being exposed.
Theft of equipment is not only a problem suffered by large healthcare providers. In the past few weeks, two physicians have reported the theft of equipment containing PHI. Max M Bayard reported the theft of a device containing 2,000 patient records, while Orlantino Dycco announced a data breach following the theft of an unencrypted laptop; potentially exposing 9,000 patient records.
Theft is a major issue, but so is the loss of portable storage devices such as flash drives. These small storage devices are easily misplaced. In the case of the McLean Hospital Corporation, the loss of 4 backup tapes resulted in the records of 12,673 research participants being potentially exposed, while lost flash drives exposed 1,006 patient records at Ohio Health in July, and approximately 50,000 records at Lancaster County EMS in June.
Healthcare Providers Also need to be Vigilant for Employee Data Theft
Healthcare providers are being attacked from all angles. Cybercriminals are attempting to break through security defenses to gain access to EHRs and servers, and thieves are targeting healthcare providers, not for the value of electronic equipment, but the value of the data stored on them.
The potential gains for selling or using patient health data are considerable, and a number of unscrupulous healthcare workers have realized this and abused their data access rights to view and copy highly sensitive patient data.
Montefiore Medical Center discovered in July just how serious the insider threat is. A former employee was discovered to have illegally accessed and copied the medical records of 12,517 individuals, while many other healthcare providers have suffered data breaches due to employees snooping on patient records.
Data Encryption is the Best Protection
Even with the best security policies in place, sooner or later a device containing Protected Health information of patients or health plan members will be lost or stolen, potentially exposing data to criminals and exposing the healthcare provider to hefty data breach fines.
Data encryption will not prevent all data breaches from occurring; however, it does add an extra level of security which can prevent the loss or theft of a portable device from requiring a breach response. If an encrypted laptop or storage device is lost or stolen and the data contained on that device is encrypted, the thieves are unlikely to be able to view that data.
OCR Head Speaks out on Data Encryption
The Department of Health and Human Services’ Office for Civil Rights is the main enforcer of HIPAA rules. The agency has recently taken action against healthcare providers who have failed to protect data to the standards required by HIPAA.
In a recent announcement of its latest settlement – $750,000 for numerous potential HIPAA violations by Cancer Care Group – OCR Director, Jocelyn Samuels pointed out the importance of a risk assessment and of encrypting data, even though HIPAA regulations fall short of demanding the latter.
“Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information,” Samuels went on to say, “Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”