According to a new Ponemon report, 94% of healthcare organizations surveyed have had at least one data breach in the past two years, with the primary cause in nearly half of those cases being a lost or stolen device. What's the best way to avoid this kind of scenario as part of a HIPAA compliance training effort?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your questions today! (All questions are anonymous.)
The fact that sensitive data stored on lost or stolen devices continues to appear as one of the most significant causes of data breaches confounds me. This particular risk has appeared in surveys like this for years, despite the fact that there are inexpensive, effective controls available that could dramatically reduce the risk. Organizations subject to the Health Insurance Portability and Accountability Act (HIPAA) should be especially concerned about this risk due to the potentially severe consequences of a breach of protected health information (PHI).
If you want to avoid having your own organization contribute to these statistics, you should deploy full-disk encryption capabilities for the mobile devices in your enterprise. This capability, available through native operating system functionality and third-party products, renders the data stored on a mobile device unreadable without the corresponding decryption key. Essentially, it reduces the impact of such an incident from a potential privacy disaster to a simple case of losing a $1,500 computing device.
The Ponemon Institute report introduces the lost laptop trend with the subheading "Insider negligence continues to be at the root of the data breach." I can't disagree with this sentiment more. Organizations simply must realize that people are going to lose laptops, tablets and other computing devices. In my view, it is incumbent upon IT professionals to deploy encryption controls that mitigate the risk associated with such a loss. It's simply unreasonable to believe that education will prevent the loss or theft of systems.
At the same time, HIPAA-covered entities should include coverage of these controls in their initial and recurring awareness training programs. Employees should be acutely aware of the types of information that are considered PHI within their organizations and the types of controls necessary to protect it. If your organization adopts a "no PHI on mobile devices" policy, users should clearly understand what data is and is not allowed. On the other hand, with a "PHI on encrypted devices only" approach, it should be easy for staff to identify those devices that are protected appropriately to handle sensitive information. All of these topics should be a recurring part of a company's compliance training program.
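As an added illustration of the two controls discussed above (full-disk encryption on endpoints, and a "no PHI on mobile devices" or "PHI on encrypted devices only" policy), here is a small audit script. It is example code written for this page, not something from the column, the Ponemon report, or any vendor. It assumes a Linux endpoint whose `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output is available; the two `lsblk` samples and the device inventory are constructed for the example, and the hostnames and the `stores_phi` flag are placeholders for data a real inventory system would supply.

```python
"""Added example (not from the column): verify that a Linux laptop's root
filesystem actually sits on an encrypted volume, then evaluate a device
inventory against the two PHI policies the answer describes."""
import json
import subprocess

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output for a
# LUKS-encrypted laptop: root lives on an LVM volume that sits on top of a
# dm-crypt mapper ("type": "crypt").
ENCRYPTED_LAPTOP = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
        {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None, "children": [
            {"name": "luks-root", "type": "crypt", "fstype": "LVM2_member", "mountpoint": None, "children": [
                {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"}]}]}]}]})

# Constructed sample for an unencrypted laptop: root is a plain partition.
PLAIN_LAPTOP = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
        {"name": "sda2", "type": "part", "fstype": "ext4", "mountpoint": "/"}]}]})


def _walk(node, ancestors):
    """Yield (device, chain of ancestors including the device) for every node."""
    chain = ancestors + [node]
    yield node, chain
    for child in node.get("children", []):
        yield from _walk(child, chain)


def _mountpoints(node):
    # Newer lsblk builds emit a "mountpoints" list; older ones emit "mountpoint".
    mps = node.get("mountpoints")
    if mps is None:
        mps = [node.get("mountpoint")]
    return [m for m in mps if m]


def root_is_encrypted(lsblk_json):
    """True if the device mounted at / has a dm-crypt ("crypt") ancestor."""
    tree = {"children": json.loads(lsblk_json)["blockdevices"]}
    for dev, chain in _walk(tree, []):
        if "/" in _mountpoints(dev):
            return any(a.get("type") == "crypt" for a in chain)
    raise ValueError("no block device is mounted at /")


def host_root_is_encrypted():
    """Run lsblk on this machine and check the live layout (Linux only)."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True).stdout
    return root_is_encrypted(out)


# Constructed inventory (placeholder hostnames). In practice "encrypted" comes
# from root_is_encrypted() or the BitLocker/FileVault equivalent on each host.
INVENTORY = [
    {"host": "lap-01", "mobile": True, "stores_phi": True, "encrypted": True},
    {"host": "lap-02", "mobile": True, "stores_phi": True, "encrypted": False},
    {"host": "lap-03", "mobile": True, "stores_phi": False, "encrypted": False},
    {"host": "ws-01", "mobile": False, "stores_phi": True, "encrypted": False},
]


def policy_violations(inventory, policy):
    """Return hostnames that violate the chosen PHI handling policy.

    "no_phi_on_mobile":      PHI may not be stored on any mobile device.
    "phi_on_encrypted_only": PHI may only be stored on devices with FDE enabled.
    """
    if policy == "no_phi_on_mobile":
        def bad(d): return d["mobile"] and d["stores_phi"]
    elif policy == "phi_on_encrypted_only":
        def bad(d): return d["stores_phi"] and not d["encrypted"]
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return [d["host"] for d in inventory if bad(d)]


if __name__ == "__main__":
    print("encrypted sample:", root_is_encrypted(ENCRYPTED_LAPTOP))
    print("plain sample:", root_is_encrypted(PLAIN_LAPTOP))
    for pol in ("no_phi_on_mobile", "phi_on_encrypted_only"):
        print(pol, "->", policy_violations(INVENTORY, pol))
```

The `lsblk` check only proves that the root filesystem is stacked on a dm-crypt device at the moment it runs; it says nothing about passphrase strength, whether the key is protected by a TPM or a PIN, or whether a second data partition outside the mapper holds PHI. That is why the inventory evaluation is kept separate: the encryption fact and the "does this device hold PHI" fact have to be collected independently before either policy can be enforced.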
This was first published in April 2013