Main Culprit In Large Patient Information Breaches: Unencrypted Laptops
"As organizations continue to see that laptops are going to be lost or stolen; organizations need to know the three rules of laptops: encrypt, encrypt, and encrypt," says William M. Miaoulis, CISO, CISA, CISM, manager of healthcare security services for Phoenix Health Systems in Dallas. "When data is encrypted organizations can avoid the high cost of the HITECH breach notifications requirements."
Miaoulis advises organizations to even expand controls beyond laptops. Restrict access to and/or encrypt mobile media containing PHI, such as:
- Thumb drives
- Backup tapes
- Home computers
Mac McMillan, CEO of CynergisTek, an IT security consulting firm in Austin, Texas, says it can cost around $150 on average to encrypt one laptop.
"Is that not worth it?" McMillan asks.
McMillan, a 30-year veteran in the security and risk management industry and former director of security for two Department of Defense agencies, says one of the first steps is to conduct a cost benefit analysis and determine what needs to be encrypted.
Davis, of Ministry Health Care, says the answer, "quite simply, is encryption, and there is no excuse not to take this on based on the breaches of more than 500 individuals reported to HHS since September, the majority of them being related to lost or stolen devices."
In a privacy update presentation to one of her organization's large hospitals, Thursday, May 13, Davis suggested these prevention methods:
- Eliminate storage of files on hard drives, CD's, flash drives, etc.
- Encrypt laptops
- Have remote access through approved method (e.g., Citrix, VPN)
- Follow established privacy and security policies
And it doesn't cost much to comply, Boggan says.
"Think you can't afford to do so?" she asks. "Consider the cost of setting up free credit reporting for 9,600-plus individuals for a year, sending out notification to these individuals that their information may have been breached, adding additional staff to field phone calls and inquiries from concerned patients, plus being subject to [HITECH) Tier D fines: willful neglect, not corrected, is up to $1.5 million. I believe one would find it to be more cost efficient to be proactive rather than reactive."
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
- CEO Exchange: Preparing for Population Health
- Advocate, NorthShore Deal Would Create 16-Hospital System
- Interventional Radiology No Longer a Sub-Specialty
- Top Reason for Nurse Turnover: Managers
- CEO Exchange: Pressure is On to Partner, Drive Quality
- Power of price: In South FL and the nation, healthcare costs often are shrouded in secrecy
- Two NY hospitals to offer free hip and knee replacement surgeries for qualifying patients in December
- Hospital mergers may lead to higher prices
- Healthcare data of 1 million NJ patients compromised since 2009
- House OKs Cassidy's 'keep your plan' bill