If you work in a healthcare organization and you have a laptop, it should be encrypted. We have heard many discussions about why a laptop does not need to be encrypted. Some of the reasons include: it doesn’t contain patient information, it never leaves the office, or it never leaves our employee’s possession.
Laptops are one of the leading causes of healthcare-related data breaches. These devices are easily stolen or lost. Not encrypting them is just asking for trouble. Not encrypting them is just negligent.
Below is just another example of how an unencrypted laptop could cause a HIPAA data breach:
Some 57,000 patients seen at the Palo Alto, Calif.-based Lucile Packard Children’s Hospital have been notified of a potential HIPAA breach after an unencrypted company laptop containing patient medical information was stolen from a physician’s car Jan. 9.
The following are some basic facts about laptop encryption. After reading them I wonder how organizations can say they don’t need to encrypt their laptops.
- Laptop encryption has no noticeable effect on the laptop. Once the laptop is encrypted you won’t even know that the encryption is on the laptop besides the normal Windows login process. I have personally encrypted my laptop and can honestly say that it functions exactly the same as before the encryption was installed. The only difference is that the folders in Windows Explorer are green to represent that data is encrypted. I have not noticed any other difference.
- Laptop encryption is cheap. HIPAA Secure Now! charges less than $100 to encrypt a laptop. If you have 5 laptops you are looking at under $500 to encrypt all your laptops.
- Laptops that are encrypted are a “Safe Harbor” under the HIPAA Security Rule. Put another way, if a laptop is encrypted and it is lost or stolen, patients do not need to be notified of the breach.
- Data breaches are expensive. Think about the effort to try to figure out what data was on a lost or stolen laptop. Think about the effort to determine which patients were affected and need to be notified. Think about the effort to put together a breach notification letter (Hint: legal costs alone will add up quickly). Think about the cost of offering credit monitoring services to patients. Think about the trust your patients will lose in your organization. Altogether, these costs and ramifications add up.
The laptop doesn’t contain patient information
Our recommendation is to not worry about what the laptop contains but worry about what the laptop COULD contain.
- The laptop could contain patient information stored within an email. Emails could be on the laptop and stored within Microsoft Outlook.
- The laptop could contain patient information stored in a Microsoft Word, Excel or Acrobat PDF file.
- Patient information could be transferred to the laptop via a USB drive.
- Reports with patient information could be downloaded from an EHR and stored on the laptop.
It is important to perform a HIPAA Risk Assessment. As part of the Risk Assessment, each of an organization’s laptops should be analyzed. If the Risk Assessment determines that, considering some of the above scenarios, there is a risk to patient information on the laptop, then the laptop should be encrypted.
Laptops are a real liability to an organization. They are easily lost or stolen and could contain patient information. The price to encrypt a laptop is nominal and there really is no good argument against implementing laptop encryption.
As mentioned, organizations need to perform a Risk Assessment to determine the likelihood of risks and what additional security measures should be put in place to protect patient information.