According to a new Ponemon report, 94% of healthcare organizations surveyed have had at least one data breach in...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
the past two years, with the primary cause in nearly half of those cases being a lost or stolen device. What's the best way to avoid this kind of scenario as part of a HIPAA compliance training effort?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your questions today! (All questions are anonymous.)
The fact that sensitive data stored on lost or stolen devices continues to appear as one of the most significant causes of data breaches confounds me. This particular risk has appeared in surveys like this for years, despite the fact that there are inexpensive, effective controls available that could dramatically reduce the risk. Organizations subject to the Health Insurance Portability and Accountability Act (HIPAA) should be especially concerned about this risk due to the potentially severe consequences of a breach of protected health information (PHI).
If you want to avoid having your own organization contribute to these statistics, you should deploy full-disk encryption capabilities for the mobile devices in your enterprise. This capability, available through native operating system functionality and third-party products, renders the data stored on a mobile device unreadable without the corresponding decryption key. Essentially, it reduces the impact of such an incident from a potential privacy disaster to a simple case of losing a $1,500 computing device.
The Ponemon Institute report introduces the lost laptop trend with the subheading "Insider negligence continues to be at the root of the data breach" [pdf]. I can't disagree with this sentiment more. Organizations simply must realize that people are going to lose laptops, tablets and other computing devices. In my view, it is incumbent upon IT professionals to deploy encryption controls that mitigate the risk associated with such a loss. It's simply unreasonable to believe that education will prevent the loss or theft of systems.
At the same time, HIPAA-covered entities should include coverage of these controls in their initial and recurring awareness training programs. Employees should be acutely aware of the types of information that are considered PHI within their organizations and the types of controls necessary to protect it. If your organization adopts a "no PHI on mobile devices" policy, users should clearly understand what data is and is not allowed. On the other hand, with a "PHI on encrypted devices only" approach, it should be easy for staff to identify those devices that are protected appropriately to handle sensitive information. All of these topics should be a recurring part of a company's compliance training program.
Dig Deeper on HIPAA
Related Q&A from Mike Chapple
It's hard to tell if a company is a HIPAA business associate, but a closer look at HHS documents helps. Expert Mike Chapple discusses a specific case...continue reading
There was speculation in the security world over whether the FedRAMP certification would be helpful or not. Now that it's in full use, Mike Chapple ...continue reading
Medical device companies are part of the health industry, but does that make them a HIPAA covered entity or business associate? Expert Mike Chapple ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.