When you think of a data breach, you typically think of a digital breach – a virtual hack to an organization’s network that wreaks havoc for all victims of the crime. However, alongside today’s digital crime remains a good amount of analog crime. Lurking within our communities are bad actors who still employ the good ol’ five-fingered discount method of theft. Health and Human Services (HHS), in fact, reports that half of all U.S. data breach incidents tracked in 2017 – a record high 1,579 breaches – involved stolen mobile devices.
Amid these alarming statistics, we find some solace in knowing that much of this data theft is avoidable. HHS estimates that about 60 percent of all healthcare breaches reported last year that involved stolen mobile devices could have been prevented if only the data had been encrypted. Think of this: had 3 out of 5 providers who fell victim to mobile device theft last year encrypted their data and devices, the thieves would have been left with only the stolen notebook computers, tablets, or smartphones – but not the devices’ valuable Protected Health Information (PHI) content.
In 2009, Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act as part of a series of financial incentives and penalties to compel hospitals and health care professionals to become “meaningful” users of certified EHR technology. While the HITECH Act does not require encryption of PHI, it does explicitly exempt encrypted PHI from its breach reporting requirements: HHS does not consider it a breach if the PHI on a lost or stolen mobile device is encrypted. Owners of lost or stolen devices, therefore, do not have to report such incidents to the agency or to their patients. Simply put, routine encryption of data and drives is a smart strategy that would help your organization avoid a potentially devastating breach remediation effort.
While your organization may have strict policies about storing PHI on mobile devices, the reality is that you can’t really prevent your providers from storing patient records locally on their drives. If they do, you’re at constant risk of a breach. This is all the more reason to be proactive about encrypting your mobile devices’ hard drives. One of the easiest ways to do this is to install Windows 10 on all of your computers, including laptops and notebooks. This current version of Windows has a built-in encryption program – you just have to turn it on. However, to ensure the encryption is properly managed (in particular, that it is actually turned on and that recovery keys are held by IT rather than by individual users), it is recommended that your IT department or managed service provider deploy an encryption management solution such as Deslock.
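The built-in Windows 10 encryption the post refers to is BitLocker. The following PowerShell script is an added example written for this page, not code from the original post or from MTS, showing how an IT team can verify a device's encryption state, turn BitLocker on where it is off, and escrow the recovery key centrally. It assumes an elevated session on a Windows 10 Pro or Enterprise device with a ready TPM, the built-in BitLocker module, and Active Directory for key backup; the `$osDrive` variable and the threshold decisions in the comments are the example's own choices. The "verify" half matters as much as the "enable" half: the HHS safe harbor described above applies to data that was in fact encrypted at the time of the theft, so the recorded state from step 1 and step 5 is what supports that conclusion after a loss.

```powershell
# Added example (not from the original post): verify and enable BitLocker on the Windows 10 OS drive.
# Run from an elevated PowerShell session on the device itself, or wrapped in your RMM/management tool.
# Assumes: Windows 10 Pro/Enterprise, a ready TPM, and an AD-joined device for recovery-key escrow.

$osDrive = $env:SystemDrive   # normally "C:"

# 1. Record the current state. Only VolumeStatus "FullyEncrypted" with ProtectionStatus "On"
#    means the data on a stolen device is protected; "Off" or "EncryptionInProgress" is still exposure.
$vol = Get-BitLockerVolume -MountPoint $osDrive
"{0}: VolumeStatus={1} ProtectionStatus={2} Method={3}" -f `
    $osDrive, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod

if ($vol.ProtectionStatus -ne 'On') {
    # 2. The TPM must be present and provisioned before it can hold the volume key.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM is not ready on this device; provision it before enabling BitLocker."
    }

    # 3. Create the recovery-password protector first so a recovery key exists before any data is
    #    encrypted, then bind the volume key to the TPM and start encrypting with XTS-AES-256.
    #    -SkipHardwareTest skips the reboot-time TPM test; remove it if you want that check.
    Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint $osDrive -TpmProtector -EncryptionMethod XtsAes256 -SkipHardwareTest

    # 4. Escrow the recovery password to Active Directory so IT, not the end user, holds it.
    #    (For Azure AD-joined devices use BackupToAAD-BitLockerKeyProtector instead.)
    $rp = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
          Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $rp.KeyProtectorId
}

# 5. Final state for the device inventory. Re-run after encryption finishes (and after the next reboot)
#    so the record shows "FullyEncrypted"/"On", not just that encryption was started.
Get-BitLockerVolume -MountPoint $osDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage, EncryptionMethod
```

In practice the same `Get-BitLockerVolume` query from step 1 is worth running on a schedule across the fleet and keeping the output with the asset record; when a laptop goes missing, that dated record is what lets you say the PHI on it was encrypted rather than hoping it was.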
As an aside…Microsoft has announced it is ending support for Windows 7 on January 14, 2020 – does your organization have a plan to replace Windows 7? Microsoft will no longer provide security updates for this operating system, which puts your ePHI at risk. 2020 is not that far off when you consider typical budget cycles! Make a plan! MTS strongly recommends that you move to Windows 10 sometime before January 2020 to avoid a situation where you need service or support that is no longer available or is costly.
PHI is a valuable asset that’s coveted by hackers and thieves. Be proactive. Whether it be on a PC, tablet, or smartphone, we recommend you get into the immediate habit of encrypting all of your organization’s hard drives. It’s the smart move – one that can significantly reduce your security risk.