Why you need to encrypt your devices – Unencrypted laptop costs more than $1 million to a healthcare provider

Beware if you’re using laptops, tablets and mobile phones for work purposes. You must encrypt your devices to comply with HIPAA rules. Using unencrypted laptops and other mobile devices is considered unsafe: if such a device is stolen, the privacy and security of patient information is at risk.

Such negligence has cost Lifespan a penalty of more than $1 million. Lifespan also has to take part in a corrective action plan monitored by the Department of Health and Human Services (HHS). The compliance term lasts two years.

Unencrypted laptop costs $1 million to a healthcare provider

On July 27, HHS imposed a penalty of $1,040,000 on Lifespan ACE for violating the HIPAA Privacy and Security Rules. The fine is the result of an investigation by HHS’s Office for Civil Rights (OCR) into a 2017 laptop theft that exposed the data of 20,431 patients. It is the largest HIPAA enforcement action of 2020.

On February 25, 2017, thieves broke into the car of a Lifespan employee and stole several items, among them a MacBook laptop that the employee used for work. The laptop held protected health information (PHI) of Lifespan patients and was never recovered. Lifespan filed a breach report with OCR about the theft on April 21, 2017.

According to Lifespan, it took prompt action to secure the employee’s email account by changing the employee’s login credentials. But Lifespan also confirmed that the employee’s work emails may have been cached in a file on the laptop’s hard drive.

The laptop wasn’t encrypted, and no password was required to access the device. The thieves therefore had access to information such as patient names, medical record numbers and medication records. The stolen information may have included data on patients across various affiliated entities of Lifespan.

The HHS investigation uncovered systemic non-compliance with the HIPAA Rules by Lifespan. The non-compliant behavior included –

  • Failure to encrypt their devices 
  • Lack of device and media controls
  • Absence of a business associate agreement with Lifespan Corporation

HHS also found that Lifespan had no policies and procedures for encrypting, tracking and inventorying the devices that accessed its network or contained PHI.

Lifespan must encrypt its devices

Lifespan also agreed to enter into a corrective action plan (CAP) with HHS. Lifespan must follow the CAP and remedy the violations. Some of the steps Lifespan needs to take are –

  1. Review its business relationships. If a relationship meets the criteria of a business associate, Lifespan must enter into a business associate agreement with that provider.
  2. Limit PHI disclosures. Only the minimum necessary information should be disclosed to business associates.
  3. Submit an encryption and access control report to HHS. The report would cover
    1. Encryption of devices that handle protected health information.
    2. Network access control.
    3. Status of its mobile device management (MDM) solution.
  4. Review and revise its device and media controls policy.
  5. Distribute the new policies and procedures to workers who access PHI.
  6. Train its workforce on device and media controls.
  7. Investigate, and report to HHS, violations of the aforesaid policies and procedures that occur during the compliance term.

Why is encryption important in healthcare? 

This settlement highlights the value of encryption and access control for healthcare providers. Lacking either safeguard can prove very costly, especially now that most healthcare employees are working from home due to COVID-19 and some may even be using personal equipment for work.

Home networks aren’t always as secure as office networks. Under these conditions, every healthcare provider should consider conducting a risk assessment urgently.

You may have been compliant with the HIPAA rules while protected health information was stored, used and disclosed only within your internal network. Now that your employees are working over the Internet, or using personal equipment, you should reassess whether your organization still complies with the Security Rule.

Under the Security Rule, encryption is an addressable standard. You may choose not to encrypt your devices, but only if your risk assessment determines that the risk to PHI isn’t significant. You’d also need to put in place an equally effective alternative to encryption.

Is cloud storage more secure than encrypting devices?

One way of securing remote communications is to use a cloud service provider. Unfortunately, even a secure cloud service provider might not be enough. Cloud service providers are responsible only for the physical security of their servers; you, as the customer, own the responsibility for securing data in transit.

How protected is PHI with a VPN?

One way of encrypting your traffic is to use a VPN. A VPN is an encrypted Internet connection that lets users transmit sensitive information over the Internet; people without access to your VPN cannot read it.

A VPN can also help you manage access control: you can grant different levels of access to your employees, and a VPN can help block unauthorized access to your network.

However, using a VPN doesn’t eliminate the risk. If you are using a cloud VPN, the risk to protected health information rises as soon as your communication reaches the cloud. Similar risks exist with point-to-point VPNs: it’s still possible for attackers to break into your network and steal the PHI.

Encrypting your devices with MDM

Under such conditions, a better approach is to encrypt your data before sending it, even when you are using a VPN. For this purpose, you should look into a Mobile Device Management (MDM) solution.

An MDM lets you manage and secure the mobile devices that connect to your network. You can enforce HIPAA security measures such as encrypting data and strict login rules. With an MDM you can also put access control measures in place, limiting access to certain folders and applications based on job role.

In Conclusion 

The risk of using mobile devices for healthcare purposes has always been high. Even accidental exposure of PHI can lead to a HIPAA violation. You can reduce these risks only by putting robust security measures in place, and encrypting your devices is one such measure. HHS also notes that protected health information that was encrypted isn’t considered ‘unsecured PHI’.

How did you modify your HIPAA security plan after the COVID-19 pandemic? What new measures have you introduced to protect PHI? Please leave a comment below to share your ideas with our readers. 

Jessica Holland
