According to a new Ponemon report, 94% of healthcare organizations surveyed have had at least one data breach in...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
the past two years, with the primary cause in nearly half of those cases being a lost or stolen device. What's the best way to avoid this kind of scenario as part of a HIPAA compliance training effort?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your questions today! (All questions are anonymous.)
The fact that sensitive data stored on lost or stolen devices continues to appear as one of the most significant causes of data breaches confounds me. This particular risk has appeared in surveys like this for years, despite the fact that there are inexpensive, effective controls available that could dramatically reduce the risk. Organizations subject to the Health Insurance Portability and Accountability Act (HIPAA) should be especially concerned about this risk due to the potentially severe consequences of a breach of protected health information (PHI).
If you want to avoid having your own organization contribute to these statistics, you should deploy full-disk encryption capabilities for the mobile devices in your enterprise. This capability, available through native operating system functionality and third-party products, renders the data stored on a mobile device unreadable without the corresponding decryption key. Essentially, it reduces the impact of such an incident from a potential privacy disaster to a simple case of losing a $1,500 computing device.
The Ponemon Institute report introduces the lost laptop trend with the subheading "Insider negligence continues to be at the root of the data breach" [pdf]. I can't disagree with this sentiment more. Organizations simply must realize that people are going to lose laptops, tablets and other computing devices. In my view, it is incumbent upon IT professionals to deploy encryption controls that mitigate the risk associated with such a loss. It's simply unreasonable to believe that education will prevent the loss or theft of systems.
At the same time, HIPAA-covered entities should include coverage of these controls in their initial and recurring awareness training programs. Employees should be acutely aware of the types of information that are considered PHI within their organizations and the types of controls necessary to protect it. If your organization adopts a "no PHI on mobile devices" policy, users should clearly understand what data is and is not allowed. On the other hand, with a "PHI on encrypted devices only" approach, it should be easy for staff to identify those devices that are protected appropriately to handle sensitive information. All of these topics should be a recurring part of a company's compliance training program.
Dig Deeper on HIPAA
Related Q&A from Mike Chapple
Encrypting data going to the cloud is a security best practice, but does it add extra challenges for regulators that might need to access the data? ...continue reading
Merchants that sell at off-site venues need to take extra care to follow PCI compliance standards. Expert Mike Chapple discusses how organizations ...continue reading
The FTC's order for PCI DSS compliance assessments is odd since PCI isn't a government regulation. Expert Mike Chapple explains the motivation ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.