
Main Culprit In Large Patient Information Breaches: Unencrypted Laptops

By dnicastro@hcpro.com | May 17, 2010

Perhaps it's time to make laptops look unappealing to thieves to prevent them from being stolen.

"A tongue-in-cheek solution—ugly, cumbersome, low-appeal devices," says Nancy Davis, director of privacy and security officer for Ministry Health Care in Sturgeon Bay, WI. "We had a suggestion . . . to paint them all mustard yellow."

Naturally, Davis and fellow HIPAA privacy and security officers and consultants have more serious ideas about securing laptops. And most agree—encryption is the safest way to ensure your patients' protected health information (PHI) is secured before it flies out the door.

In its interim final rule on breach notification, the Office for Civil Rights (OCR), the enforcer of HIPAA's privacy and security rules, lists several methods of encryption that create a "safe harbor" in case of a breach of PHI.

But laptops remain a large source of patient information breaches.

Of the 79 entities that reported breaches of unsecured PHI affecting 500 or more individuals on the OCR website as of Friday, May 14, 20 involved a laptop (25%).

A thief stole a laptop in March that contained information about 9,600 patients from a New Mexico Medicaid program subcontractor, according to a New Mexico Human Services Department press release Tuesday, May 11.

And a Republican congressman Wednesday, May 12 sent a letter to the secretary of the Department of Veterans Affairs (VA) with concerns over two stolen unencrypted laptops in Texas over a two-week span this spring. One of the laptops contained personal identifying information of 644 veterans, according to the letter's author, Congressman Steve Buyer (R-IN).

"Providers must start taking the regulations seriously and must take the steps necessary to protect patient information, especially on these most vulnerable portable devices," says Dena Boggan, CPC, CMC, CCP, HIPAA privacy and security officer at St. Dominic Jackson Memorial Hospital in Jackson, MS. "From the portable devices security guidelines released by CMS in December 2006 to the notification of breach guidelines detailed in HITECH, the message is clear—complete your risk analysis, determine your vulnerabilities, and take the steps to correct any inefficiencies in your security policies and procedures or you may be subject to penalties for failure to do so."

In New Mexico April 9, West Monroe Partners reported an unencrypted laptop stolen from the trunk of a car in Chicago March 20. The laptop contained patient information in the New Mexico Medicaid program including:

  • Names
  • Health plans
  • Identification numbers
  • Social Security numbers
  • Provider identification numbers

The state Medicaid program sent notification letters to its members and set up a toll-free telephone line through DentaQuest to take questions. The letter explains how members can place a fraud alert on their accounts. That information is also available on the New Mexico Medicaid website.

The New Mexico breach illustrates two essential points: know to whom you are contracting your work, and have a breach notification policy in place so everyone knows their role, says Brandon Ho, CIPP, the HIPAA compliance specialist for the Pacific Regional Medical Command based at Tripler Army Medical Center in Honolulu, HI.

"As organizations continue to see that laptops are going to be lost or stolen, organizations need to know the three rules of laptops: encrypt, encrypt, and encrypt," says William M. Miaoulis, CISO, CISA, CISM, manager of healthcare security services for Phoenix Health Systems in Dallas. "When data is encrypted, organizations can avoid the high cost of the HITECH breach notification requirements."

Miaoulis advises organizations to extend these controls beyond laptops as well: restrict access to, and/or encrypt, any mobile media containing PHI, such as:

  • Thumb drives
  • SmartPhones
  • BlackBerries
  • iPhones
  • Backup tapes
  • Home computers

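The safe-harbor logic described above (encrypted PHI is not "unsecured PHI", so loss of an encrypted device avoids the HITECH notification requirements; unencrypted PHI triggers notification; and breaches affecting 500 or more individuals are posted on the OCR website) can be written down as a small triage routine an incident responder can run over lost-device reports. The following is an added example and not code from the article or from any of the organizations it quotes. The incident records, the `PHI_FIELDS` set (taken from the data elements listed for the New Mexico incident), the device categories and all function names are constructed for illustration; verify the current rule text before relying on the thresholds in a production tool.

```python
"""Triage lost/stolen device reports under the breach-notification rules
summarized in the article: encryption per OCR guidance gives a safe harbor,
unencrypted PHI requires notification, and breaches of unsecured PHI
affecting 500 or more individuals are posted on the OCR website.

Added example (not the article's code). All records below are constructed.
"""
from dataclasses import dataclass, field
from typing import List

# Data elements the article lists as exposed in the New Mexico incident.
PHI_FIELDS = {"name", "health_plan", "member_id", "ssn", "provider_id"}

# Device categories the article says should be encrypted or access-restricted.
PORTABLE_MEDIA = {"laptop", "thumb_drive", "smartphone", "backup_tape", "home_computer"}

# Breaches of unsecured PHI at or above this size are posted on the OCR website.
OCR_POSTING_THRESHOLD = 500


@dataclass
class DeviceLossReport:
    device_id: str
    device_type: str
    encrypted: bool           # encryption per OCR guidance in place on the device?
    data_fields: List[str]    # data elements stored on the device
    individuals: int          # number of individuals whose records were present


@dataclass
class TriageResult:
    device_id: str
    contains_phi: bool
    safe_harbor: bool
    notify_individuals: bool
    report_to_ocr_website: bool
    reasons: List[str] = field(default_factory=list)


def triage(report: DeviceLossReport) -> TriageResult:
    """Apply the article's decision rules to one lost/stolen device report."""
    phi_present = bool(PHI_FIELDS.intersection(report.data_fields))
    result = TriageResult(report.device_id, phi_present, False, False, False)

    if not phi_present:
        result.reasons.append("no PHI elements stored on device")
        return result

    if report.encrypted:
        # Encrypted PHI is not 'unsecured PHI': the safe harbor applies and
        # the notification machinery (letters, call center, OCR posting) is avoided.
        result.safe_harbor = True
        result.reasons.append("PHI encrypted; safe harbor applies")
        return result

    result.notify_individuals = True
    result.reasons.append("unencrypted PHI; notification required")
    if report.individuals >= OCR_POSTING_THRESHOLD:
        result.report_to_ocr_website = True
        result.reasons.append(f"{OCR_POSTING_THRESHOLD}+ individuals; posted on OCR website")
    return result


def laptop_share_of_posted(reports: List[DeviceLossReport]) -> float:
    """Fraction of OCR-posted breaches that involved a laptop (the article's 25% statistic).
    Returns 0.0 when no report reaches the posting threshold."""
    posted = [r for r in reports if triage(r).report_to_ocr_website]
    if not posted:
        return 0.0
    return sum(1 for r in posted if r.device_type == "laptop") / len(posted)


# Constructed sample reports (device ids, counts and contents are made up).
SAMPLE_REPORTS = [
    DeviceLossReport("LT-01", "laptop", False, ["name", "ssn", "member_id"], 9600),
    DeviceLossReport("LT-02", "laptop", True, ["name", "ssn", "member_id"], 9600),
    DeviceLossReport("TD-03", "thumb_drive", False, ["name", "health_plan"], 120),
    DeviceLossReport("SP-04", "smartphone", False, ["work_email"], 1),
    DeviceLossReport("BT-05", "backup_tape", False, ["name", "ssn"], 644),
]

if __name__ == "__main__":
    for rep in SAMPLE_REPORTS:
        res = triage(rep)
        print(f"{res.device_id:6} safe_harbor={res.safe_harbor!s:5} "
              f"notify={res.notify_individuals!s:5} ocr_post={res.report_to_ocr_website!s:5} "
              f"| {'; '.join(res.reasons)}")
    print(f"laptop share of OCR-posted breaches: {laptop_share_of_posted(SAMPLE_REPORTS):.0%}")
```

The two laptops in the sample carry identical data; only the `encrypted` flag differs, and that flag alone decides whether the incident becomes a 9,600-letter notification exercise or a non-event, which is the point the quoted officers are making.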
Mac McMillan, CEO of CynergisTek, an IT security consulting firm in Austin, Texas, says it can cost around $150 on average to encrypt one laptop.

"Is that not worth it?" McMillan asks.

McMillan, a 30-year veteran in the security and risk management industry and former director of security for two Department of Defense agencies, says one of the first steps is to conduct a cost benefit analysis and determine what needs to be encrypted.

Davis, of Ministry Health Care, says the answer, "quite simply, is encryption, and there is no excuse not to take this on based on the breaches of more than 500 individuals reported to HHS since September, the majority of them being related to lost or stolen devices."

In a privacy update presentation to one of her organization's large hospitals, Thursday, May 13, Davis suggested these prevention methods:

  • Eliminate storage of files on hard drives, CDs, flash drives, etc.
  • Encrypt laptops
  • Have remote access through approved method (e.g., Citrix, VPN)
  • Follow established privacy and security policies

And it doesn't cost much to comply, Boggan says.

"Think you can't afford to do so?" she asks. "Consider the cost of setting up free credit reporting for 9,600-plus individuals for a year, sending out notification to these individuals that their information may have been breached, adding additional staff to field phone calls and inquiries from concerned patients, plus being subject to [HITECH] Tier D fines: willful neglect, not corrected, is up to $1.5 million. I believe one would find it to be more cost efficient to be proactive rather than reactive."

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
