With over 30 million patient records breached since 2009 (and that figure only counts the breaches that have been reported; the actual number is probably much higher), there is a real crisis in protecting patient information. We keep hearing about healthcare organizations suffering breaches because of lost or stolen laptops and portable media (USB drives, CDs/DVDs, smartphones, etc.). Below are some recent breaches caused by lost or stolen laptops and portable media.
The Georgia Department of Behavioral Health and Developmental Disabilities (DBHDD) announced earlier this week that a laptop containing protected health information (PHI) of approximately 3,000 patients was stolen from an employee’s car on Aug. 14, 2014.
“DBHDD is reinforcing our information security practices to protect against future data breaches,”
Those active steps include strengthening department policies and procedures related to PHI and increasing security awareness training for DBHDD-issued laptops, the DBHDD statement explained. The department is also working to ensure that all laptops are encrypted and that PHI can only be accessed over a virtual private network (VPN), which would ideally keep protected data from being stored on a laptop at all. Note that a VPN only controls the path to the data; unless the endpoint is also prevented from downloading or caching what it retrieves, PHI can still end up on the local disk, which is why the laptop encryption is needed regardless.
Note that DBHDD is encrypting its laptops AFTER it had a breach.
Some 44,000 Arizona retirees may have had their personal data compromised in a security breach.
Officials say the problem began last month when the Arizona State Retirement System (ASRS) sent two unencrypted computer discs containing the first and last names and Social Security numbers of members enrolled in ASRS dental plans to a benefits company in Kansas City, Missouri.
The company informed the ASRS that it hadn’t received the discs by the end of September.
Organizations need to understand that PHI is extremely sensitive information and safeguard it accordingly. Breaches are happening every day, and a majority of reported HIPAA breaches are due to lost or stolen laptops and portable media. Any PHI on laptops or portable media needs to be encrypted. Encryption is not expensive, not difficult to implement, and not difficult to use, yet most healthcare organizations have not implemented it to protect PHI. There is also a direct regulatory payoff: under the HHS breach notification guidance, PHI encrypted in line with the referenced NIST standards is not "unsecured" PHI, so a lost encrypted laptop or disc whose key was not lost with it is generally not a reportable breach. Two caveats apply: full-disk encryption only protects a device that is powered off or locked (a laptop stolen while logged in with the volume unlocked is as exposed as an unencrypted one), and a key or passphrase stored with the device, such as a password on a sticky note in the laptop bag, defeats the protection entirely.
One of the first steps in protecting PHI is figuring out where it is stored. An organization needs to take an inventory of every place PHI is stored or accessed. At the very least, any PHI on laptops or portable media should be encrypted. Without these basic protections, we will keep hearing about more HIPAA-related breaches.
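A minimal PHI discovery scan of the kind the inventory step calls for, as an added example that is not part of the original post. It walks a directory tree and reports files containing plausible US Social Security numbers (the identifier involved in the ASRS disc incident), so that each flagged file can be encrypted or removed. The sample files are constructed inline; the SSN plausibility rules (area 001-899 excluding 666, group and serial non-zero) are the standard ones, and a real scan would also need to cover other identifiers, other formats such as spreadsheets and databases, and removable media mount points.

```python
"""Minimal PHI discovery scan: find files containing SSN-like identifiers.

Added example, not part of the original post. Assumes US SSN formatting rules
and that a directory tree is the inventory scope; the sample files built in
demo() are constructed for illustration.
"""
import os
import re
import tempfile

# NNN-NN-NNNN with word boundaries so longer digit runs are not matched.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area, group, serial):
    """Apply the structural rules the SSA uses for issued SSNs."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:   # never-issued area numbers
        return False
    if g == 0 or s == 0:                 # group and serial are never all zeros
        return False
    return True


def find_ssns(text):
    """Return every plausible SSN string found in text, in order."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def scan_tree(root, max_bytes=1_000_000):
    """Return {relative_path: count} for files under root containing plausible SSNs.

    Only the first max_bytes of each file are examined, and unreadable files
    are skipped rather than aborting the inventory.
    """
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue
            # Lossy decode so binary or mixed-encoding files still get scanned.
            found = find_ssns(data.decode("utf-8", errors="ignore"))
            if found:
                hits[os.path.relpath(path, root)] = len(found)
    return hits


def demo():
    """Build a constructed sample tree, scan it, and return the hit map."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "exports"))
        # Constructed roster export: two real-looking SSNs.
        with open(os.path.join(root, "exports", "dental_roster.csv"), "w") as fh:
            fh.write("last,first,ssn\nDoe,Jane,123-45-6789\nRoe,Rick,219-09-9999\n")
        # Constructed notes: formatted like SSNs but structurally impossible.
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("order 000-12-3456 is not an SSN; 666-01-0001 neither; "
                     "900-11-2222 neither\n")
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("No identifiers here.\n")
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, count in sorted(demo().items()):
        print(f"{rel_path}: {count} plausible SSN(s); encrypt or remove")
```

Only `exports/dental_roster.csv` is reported; the impossible numbers in `notes.txt` are filtered out by the plausibility rules, which keeps the inventory from drowning in false positives from order numbers and similar formatted values.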
Organizations need to perform a risk assessment, which the HIPAA Security Rule requires as a risk analysis, to determine the likelihood and impact of risks to patient information and what additional security measures should be put in place to protect it.