It happened again, folks! A mid-sized medical practice lost a laptop bag and the medical records of thousands of patients along with it, incurring a whopping fine in the process. And here’s the real lede to this story: encrypting the equipment in the bag — and training the employee to use it properly — would have stopped all this hoopla right in its tracks.
The story is an oft-told one: An employee’s laptop bag was stolen out of his car. The bag contained a backup disk with some 55,000 people’s medical records on it, and there was no encryption to be found. The fines which followed this breach were large, but aren’t really important to our story (because they’re the kinds of fines you get when you’re big enough to lose 55,000 records in one go.)
The solution, however, is the same for the big practice as it is for us. So why didn’t they use it?
Why Would Encryption Have Been The Fix?
Regular readers may already know this, but we’ll recap quickly to get everyone on board (and a little review never hurts.)
When we use what’s called “full-disk encryption” or “full-device encryption” on our computer equipment and backup equipment, we render all information on them completely unreadable to anyone who doesn’t have the password.
That means that a full-disk encrypted gadget that gets lost is extremely well protected from prying eyes. The protection is so strong, in fact, that even if you lose a full-disk encrypted computer or backup drive, you very likely won’t have to report that loss to the federal government (assuming you’ve properly dotted your i’s and crossed your t’s, of course. We cover that i dotting and t crossing in our Digital Confidentiality course series.)
Why Would Encryption Be An Easy Fix?
In the case of the medical practice we’re discussing here, the report of the laptop bag’s loss is what lead to the investigation, which in turn lead to HIPAA fines. Remember, full disk encryption likely would have prevented the need to make that report in the first place.
The big irony is that applying full disk encryption to computers and backup disks is really easy. On a Macintosh, you just click some buttons. On Windows, you need to make sure you have the right setup, but then it’s also just a matter of clicking some buttons.
For those of you not subscribed to our help services, directions for activating encryption may also be findable elsewhere. Here are some links to get you started.
Encrypting your stuff is, in the grand scheme, very easy to do.
For our Person-Centered Tech Support subscribers, we even have videos that demonstrate how to enable full-disk encryption on Macs, Windows computers, iPhones, iPads and Android devices. No tech help necessary: see How Do I Get Full Disk Encryption on My Device?.
If you’re curious about Person-Centered Tech Support, click here to learn more→
What The Feds’ Say Went Wrong
In the press release from the Office of Civil Rights (“The HIPAA People”), they identified two issues which they say are of particular importance to the final enforcement decision:
- “[The practice]Â had not conducted an enterprise-wide risk analysis when the breach occurred in July 2012”
- “[The practice] did not have in place a written policy specific to the removal of hardware and electronic media containing ePHI into and out of its facilities, even though this was common practice within the organization.”
What’s interesting is that the OCR did not point to the lack of encryption as of particular importance to their enforcement decision. What they noted was that:
- The practice didn’t do a risk analysis and…
- The lack of a risk analysis meant that the practice was oblivious to a very important security issue facing them, which was that they had staff members carrying sensitive gear in and out of the facility on a regular basis.
A simple risk analysis would have made it obvious that the practice needs to talk to their employees about how to keep equipment safe when they take it away from the facility, and that the practice needs to get into a habit of applying full-disk encryption to all their laptops and backup media.
Such a program of instruction and encryption would likely have made the laptop theft more like an inconvenience than a full-blown security breach. Even the most basic HIPAA-compliant risk analysis would have made this fact obvious to everyone in the practice.
Recommendations
The most important recommendation is still the one the Feds give: perform a risk analysis for your practice. We agree with them that this is the most important early step.
Normally, at Person-Centered Tech we discourage clinicians from embarking on buying new gear or services, or enacting new security procedures, before they’ve taken a holistic look at their practice’s needs. It’s very easy to get bogged down in processes and stuff you don’t need or that make your security worse if you don’t take a big-picture look at what you need first.
However, we make an exception to that rule for two things. One of those things is applying full-disk encryption to your devices that are capable of doing it. The other is turning on two-factor authentication for your email and other online services. It is near-impossible to go wrong with either of those in the current world environment.
So stay calm and encrypt. And take joy in the knowledge that you’ve taken one vital step for protecting your clients and yourself.
It is surprising to me that having your “full disk encrypted” is viewed by regulators as sufficient protection when a laptop is lost/stolen. Can’t the criminal just run software to determine the password and un-encrypt the entire disk? That does not seem very hard to do if that is the thief’s MO for getting PHI.
That’s why your password needs to be exceptionally strong for it to “count.” Passphrases are strongly recommended for encryption for this reason. The passphrase should be long and random enough that it would normally take decades to guess.
This is actually something we discuss in Level II of our course series, btw.
Here’s is the on-demand version: https://personcenteredtech.com/client-centered-hipaa-and-technology-live-online-learning-groups/
Here’s the upcoming live version: https://personcenteredtech.com/2016/02/25/free-ceu-digital-ethics-live-learning-groups-for-spring/