Recent Equipment Thefts Bring Data Encryption Issue to the Forefront
Cybersecurity is a hot topic at board meetings; the healthcare industry is under attack and cybersecurity defenses must be improved. While boards may be preoccupied with the threat from hackers – often perceived to be the biggest cause of HIPAA breaches – it is important not to forget about lower-tech attacks. Hackers are breaking through healthcare providers' defenses to obtain PHI, but there are easier ways for thieves to obtain data, a fact that has certainly not been overlooked by the criminal fraternity.
Theft of equipment containing Protected Health Information is also a major cause of HIPAA breaches, in spite of the existence of affordable technology to prevent data disclosure.
Healthcare Providers Must Tackle Device Loss and Theft
The spate of recent thefts reported by healthcare providers and health plans shows that while cybercriminal activity is on the rise, theft of devices containing unencrypted PHI is keeping pace. The risk of HIPAA breaches from the theft and loss of equipment simply cannot be ignored. It is an ever-present threat.
Current figures may suggest that loss/theft is the major cause of breaches, and, alarmingly, 40% of healthcare providers do not appear to be using a data encryption service on their portable devices.
May/June Data Breaches Resulting from Theft
| Covered Entity | Nº Records |
| Oregon's Health CO-OP | 14,000 |
| Fred Finch Youth Center | 6,871 |
| St. Martin Parish School Based Health Centers | 3,000 |
| Rite Aid Corporation | 2,345 |
| Sharon J. Jones, M.D. | 1,342 |
| Gallant Risk & Insurance Services, Inc. | 995 |
| Success 4 Kids & Families, Inc. | 506 |
Don’t Forget the HIPAA Physical Safeguards
Physical controls cover basic security measures to prevent opportunistic theft of records and of equipment used to store ePHI. The physical safeguards are detailed in our HIPAA compliance guide and can be found on the HHS website. Some are obvious, like keeping record-storage facilities locked, but it is surprising how often simple security measures are ignored or forgotten.
Holders of paper files should keep them in locked filing cabinets and/or in a locked storage room. They should never be on display. Recently the DHHS' Office of the Inspector General discovered that the U.S. Coast Guard had failed to apply the most fundamental of security measures.
Security guards may be required if the risk of burglary and data theft is particularly high. The employment of a security guard at the office of Sharon J. Jones, M.D., after a double burglary, resulted in the thwarting of a third break-in.
Simple protections are often overlooked and vulnerabilities missed, and the recent spate of theft reports suggests that basic security measures are lacking at many covered entities' facilities.
With the OCR HIPAA compliance audit process now under way, it is a good time to go back to basics, conduct a full risk analysis, and ensure that all potential vulnerabilities are identified.
It is far better to identify vulnerabilities – and take action to correct them – than to have them uncovered by an OCR auditor when the compliance audits recommence.