{"id":3041,"date":"2020-08-04T09:35:55","date_gmt":"2020-08-04T09:35:55","guid":{"rendered":"https:\/\/www.empowerelearning.com\/blog\/?p=3041"},"modified":"2020-08-04T09:35:55","modified_gmt":"2020-08-04T09:35:55","slug":"why-you-need-to-encrypt-your-devices-unencrypted-laptop-costs-more-than-1-million-to-a-healthcare-provider","status":"publish","type":"post","link":"https:\/\/www.empowerelearning.com\/blog\/why-you-need-to-encrypt-your-devices-unencrypted-laptop-costs-more-than-1-million-to-a-healthcare-provider\/","title":{"rendered":"Why you need to encrypt your devices &#8211; Unencrypted laptop costs more than $1 million to a healthcare provider"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">Beware if you\u2019re using laptops, tablets and mobile phones for work purposes. Encrypting those devices is the most reliable way to comply with HIPAA rules. Using unencrypted laptops and other mobile devices is unsafe: if such a device is stolen, the privacy and security of patient information is at risk.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Such negligence has cost Lifespan a settlement of more than $1 million. Lifespan also has to carry out a corrective action plan monitored by the Department of Health and Human Services (HHS). The compliance term lasts two years.<\/span><\/p>\n<h2><b>Unencrypted laptop costs $1 million to a healthcare provider<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">On July 27, 2020, the HHS Office for Civil Rights (OCR) announced a <\/span><a href=\"https:\/\/www.hhs.gov\/about\/news\/2020\/07\/27\/lifespan-pays-1040000-ocr-settle-unencrypted-stolen-laptop-breach.html\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">settlement of $1,040,000<\/span><\/a><span style=\"font-weight: 400;\"> with Lifespan ACE (Lifespan Health System Affiliated Covered Entity) for violations of the HIPAA Privacy and Security Rules. The settlement is the result of an OCR investigation into a 2017 laptop theft that exposed the data of 20,431 patients. 
It is the largest HIPAA enforcement action announced so far in 2020.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">On February 25, 2017, thieves broke into the car of a Lifespan employee and stole several items. One of them was a MacBook laptop that the employee used for work. The laptop held protected health information (PHI) of Lifespan patients and was never recovered. Lifespan filed a breach report with OCR about the theft on April 21, 2017.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">According to Lifespan, it took prompt action to secure the employee\u2019s email account by changing the employee\u2019s login credentials. But Lifespan also confirmed that the employee\u2019s work emails may have been cached in a file on the laptop\u2019s hard drive, where a new password does nothing to protect them.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The laptop wasn\u2019t encrypted, and no password was required to access the device. Whoever held it had access to information such as patient names, medical record numbers and medication records. The stolen information may have included data on patients across various affiliated entities of Lifespan.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The HHS investigation uncovered systemic noncompliance with the <\/span><a href=\"https:\/\/www.empowerelearning.com\/blog\/the-three-rules-of-hipaa-the-basics-you-need-to-know\/\"><span style=\"font-weight: 400;\">HIPAA Rules<\/span><\/a><span style=\"font-weight: 400;\"> by Lifespan. 
The noncompliant behavior included:\u00a0<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Failure to encrypt its devices\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Lack of device and media controls<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Absence of a business associate agreement with Lifespan Corporation<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">HHS also found that Lifespan had no policies and procedures for encrypting, tracking and inventorying the devices that accessed its network or contained PHI.\u00a0<\/span><\/p>\n<h2><b>Lifespan must encrypt its devices<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Lifespan also agreed to <\/span><a href=\"https:\/\/www.hhs.gov\/sites\/default\/files\/lifespan-ra-cap-signed.pdf\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">enter a corrective action plan<\/span><\/a><span style=\"font-weight: 400;\"> (CAP) with HHS. Lifespan must follow the CAP and remediate the deficiencies. Some of the steps Lifespan must take are:\u00a0<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Review its business relationships. Where a relationship meets the criteria of a business associate, enter into a business associate agreement with that provider.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Limit PHI disclosures. Only the minimum necessary information should be disclosed to business associates.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Submit an encryption and access control report to HHS. 
The report covers:\u00a0<\/span>\n<ol>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Encryption of devices that handle protected health information<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Network access control\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Status of its mobile device management (MDM) solution<\/span><\/li>\n<\/ol>\n<\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Review and revise its device and media controls policy<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Distribute the new policies and procedures to workers who access PHI\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><a href=\"https:\/\/www.empowerelearning.com\/blog\/who-should-take-hipaa-training-and-why-its-so-important\/\"><span style=\"font-weight: 400;\">Provide training<\/span><\/a><span style=\"font-weight: 400;\"> to its workforce on device and media controls\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Investigate violations of these policies and procedures that occur during the compliance term and report them to HHS\u00a0<\/span><\/li>\n<\/ol>\n<h2><b>Why is encryption important in healthcare?\u00a0<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">This settlement highlights the value of encryption and access control for healthcare providers. Lacking either safeguard can prove very costly, especially now that many healthcare employees are working from home because of COVID-19, some of them on personal equipment.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Home networks aren\u2019t always as safe as office networks. 
Under such conditions, every healthcare provider should conduct a fresh risk assessment without delay.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">You may have been compliant with the HIPAA rules when protected health information was stored, used and disclosed only within your internal network. Now that your employees work over the Internet, or on personal equipment, you should reassess whether your organization still meets the Security Rule.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Under the Security Rule, encryption is an addressable implementation specification. Addressable does not mean optional: you must implement encryption if it is reasonable and appropriate for your environment. If your risk assessment concludes that it is not, you must document why and put in place an equivalent alternative safeguard. In practice, it is very hard to justify leaving a portable device that holds PHI unencrypted.\u00a0<\/span><\/p>\n<h2><b>Is cloud storage more secure than encrypting devices?<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">One way of securing remote work is to keep PHI in a cloud service rather than on the device. Unfortunately, even a secure cloud service provider is not enough on its own. Under the shared responsibility model, the provider secures the underlying infrastructure, including the physical security of its servers; you as the customer remain responsible for how the data is encrypted, who can access it, how it moves in transit and what ends up on the endpoints that use it. A copy of PHI downloaded or cached onto an unencrypted laptop is your problem, not the provider\u2019s.<\/span><\/p>\n<h2><b>How protected is PHI with a VPN?<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">One way of encrypting your traffic is a VPN. A VPN is an encrypted tunnel over the Internet that lets users transmit sensitive information across untrusted networks. Anyone who captures the traffic without the VPN keys cannot read it.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">A VPN can also help you manage access control. You can assign different levels of network access to your employees, and it helps stop unauthorized access to your internal network.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">However, a VPN does not eliminate the risk. 
A VPN only protects data in transit. If you use a cloud VPN, the protection ends where the tunnel ends: once your traffic exits at the cloud gateway, PHI is protected only by whatever controls exist there. The same applies to point-to-point VPNs that terminate at your office: an attacker who breaks into your network, or who steals a device at either end of the tunnel, can still reach the PHI. In the Lifespan case no VPN would have helped, because the data was sitting unencrypted on the laptop itself.\u00a0<\/span><\/p>\n<h2><b>Encrypting your devices with MDM<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Under such conditions, a better approach is to protect the data itself, at rest on every device, and not only while it is in transit over a VPN. The practical way to enforce this across a fleet of laptops, tablets and phones is a mobile device management (MDM) solution.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">MDM lets you manage and secure the mobile devices that connect to your network. You can enforce HIPAA security measures centrally, such as requiring full-disk encryption (FileVault on macOS, BitLocker on Windows), requiring a passcode and automatic screen lock, and remotely wiping a device that is reported lost. An MDM also maintains the device inventory that OCR found Lifespan lacked. With an MDM you can put access control measures in place too, limiting access to certain folders and applications based on job role.\u00a0<\/span><\/p>\n<h2><b>In Conclusion\u00a0<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">The risk of using mobile devices for healthcare purposes has always been high. Even accidental exposure of PHI can lead to a HIPAA violation. You can reduce these risks only by putting robust security measures in place, and encrypting your devices is one of the most effective. HHS guidance states that PHI encrypted in line with that guidance (which points to NIST standards) is not \u2018unsecured PHI\u2019, so the loss of a properly encrypted device, where the decryption key was not also compromised, does not trigger a breach notification.\u00a0\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">How did you modify your HIPAA security plan after the COVID-19 pandemic? What new measures have you introduced to protect PHI? Please leave a comment below to share your ideas with our readers.\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Beware if you\u2019re using laptops, tablets and mobile phones for work purposes. You must encrypt your devices for complying with HIPAA rules. 
Using unencrypted laptops and other mobile devices is considered unsafe. If such a device is stolen, you could risk the privacy and security of patient information.\u00a0 Such negligence has cost Lifespan a penalty [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":3042,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,138,140,9,139],"tags":[79,46,110,77],"class_list":["post-3041","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education","category-elearning","category-empower","category-hipaa","category-lms","tag-elearning-lms","tag-empower","tag-healthcare","tag-hipaa"],"_links":{"self":[{"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/posts\/3041","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/comments?post=3041"}],"version-history":[{"count":0,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/posts\/3041\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/media\/3042"}],"wp:attachment":[{"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/media?parent=3041"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/categories?post=3041"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/tags?post=3041"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
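The post's CAP section (the "encryption and access control report") and its MDM section describe what a provider has to check on its fleet, but not how such a check looks in practice. The following Python script is an added example, not code from the original post and not from any MDM vendor: it audits an MDM device inventory export for PHI-handling devices that lack full-disk encryption, a passcode or a short screen lock, flags devices that have stopped checking in (the untracked devices OCR faulted Lifespan for), and classifies what a theft of each device would mean under the HHS "unsecured PHI" guidance the conclusion refers to. The JSON schema, field names, policy thresholds and the four sample devices are all constructed assumptions; real MDM products use their own export formats, so `load_inventory` is the part to adapt.

```python
"""Audit an MDM device inventory for HIPAA encryption and access-control gaps.

Added example, not from the original post. The inventory below is a
hypothetical, constructed JSON export; real MDM products use their own
schemas, so adapt load_inventory() to yours.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample export: four devices, the second resembling the Lifespan laptop
# (holds PHI, no encryption, no passcode). Field names are assumptions.
SAMPLE_INVENTORY = """
[
  {"serial": "C02AAA111", "user": "rn.smith", "os": "macOS", "handles_phi": true,
   "disk_encrypted": true,  "passcode_required": true,  "screen_lock_minutes": 5,
   "last_checkin": "2020-08-03T14:00:00Z"},
  {"serial": "C02BBB222", "user": "dr.jones", "os": "macOS", "handles_phi": true,
   "disk_encrypted": false, "passcode_required": false, "screen_lock_minutes": 0,
   "last_checkin": "2020-08-03T09:30:00Z"},
  {"serial": "5CD333CCC", "user": "billing01", "os": "Windows", "handles_phi": true,
   "disk_encrypted": true,  "passcode_required": true,  "screen_lock_minutes": 60,
   "last_checkin": "2020-05-01T08:00:00Z"},
  {"serial": "IPAD444DD", "user": "kiosk", "os": "iPadOS", "handles_phi": false,
   "disk_encrypted": true,  "passcode_required": false, "screen_lock_minutes": 0,
   "last_checkin": "2020-08-04T07:45:00Z"}
]
"""

# Policy thresholds: assumptions, to be set from your own risk assessment.
MAX_SCREEN_LOCK_MINUTES = 15
MAX_CHECKIN_AGE = timedelta(days=30)   # silent longer than this = effectively untracked
AUDIT_TIME = datetime(2020, 8, 4, 9, 35, tzinfo=timezone.utc)  # fixed "now" for the sample


@dataclass
class Device:
    serial: str
    user: str
    os: str
    handles_phi: bool
    disk_encrypted: bool
    passcode_required: bool
    screen_lock_minutes: int
    last_checkin: datetime


def load_inventory(raw_json: str) -> List[Device]:
    """Parse the (hypothetical) MDM export into Device records."""
    devices = []
    for rec in json.loads(raw_json):
        ts = datetime.fromisoformat(rec["last_checkin"].replace("Z", "+00:00"))
        devices.append(Device(rec["serial"], rec["user"], rec["os"], rec["handles_phi"],
                              rec["disk_encrypted"], rec["passcode_required"],
                              rec["screen_lock_minutes"], ts))
    return devices


def findings_for(dev: Device, now: datetime) -> List[str]:
    """Policy gaps for one device. Encryption and passcode rules apply only to
    devices that handle PHI; check-in staleness applies to every managed device."""
    gaps = []
    if dev.handles_phi:
        if not dev.disk_encrypted:
            gaps.append("no full-disk encryption")
        if not dev.passcode_required:
            gaps.append("no passcode required")
        if dev.screen_lock_minutes == 0 or dev.screen_lock_minutes > MAX_SCREEN_LOCK_MINUTES:
            gaps.append(f"screen lock > {MAX_SCREEN_LOCK_MINUTES} min or disabled")
    if now - dev.last_checkin > MAX_CHECKIN_AGE:
        gaps.append(f"not checked in for > {MAX_CHECKIN_AGE.days} days (untracked)")
    return gaps


def audit(raw_json: str, now: datetime) -> Dict[str, List[str]]:
    """Serial -> gaps for every non-compliant device; compliant devices are omitted."""
    report = {}
    for dev in load_inventory(raw_json):
        gaps = findings_for(dev, now)
        if gaps:
            report[dev.serial] = gaps
    return report


def lost_device_status(dev: Device, key_compromised: bool = False) -> str:
    """What a theft of this device means under the HHS breach guidance: PHI
    encrypted per that guidance, with the key not compromised, is not
    'unsecured PHI'; any other PHI on the device is a reportable breach."""
    if not dev.handles_phi:
        return "no PHI on device"
    if dev.disk_encrypted and not key_compromised:
        return "secured PHI (encrypted, key intact): no breach notification required"
    return "unsecured PHI: reportable breach"


if __name__ == "__main__":
    for serial, gaps in audit(SAMPLE_INVENTORY, AUDIT_TIME).items():
        print(f"{serial}: {', '.join(gaps)}")
    for dev in load_inventory(SAMPLE_INVENTORY):
        print(f"{dev.serial} if stolen -> {lost_device_status(dev)}")
```

Run against the sample, the audit flags the Lifespan-style MacBook on all three device rules and the Windows machine for an over-long screen lock plus a three-month silence; the iPad is skipped because it holds no PHI. The same two-table output (gaps per device, breach status per device) is the substance of the encryption and access control report the CAP requires, and the check-in rule is what turns an MDM into the device inventory OCR found missing.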