HIPAA Security and Laptop Theft

The following guest post is provided by Bob Chaput, President of Data Mountain LLC, a data security, disaster recovery and data protection services firm. HITECH Answers is affiliated with Data Mountain through an Online Data Backup and Recovery Service Checklist.

Laptops gone Wild!

Here’s the scenario

A healthcare executive at a major national hospital company with both mission-critical data and electronic Protected Health Information (ePHI) on her laptop travels to San Francisco for a conference. At the crowded airport check-in, she removes her laptop from her briefcase to clear security. She walks through the security check and says hi to a colleague she hasn’t seen in a while.

When she looks down, the laptop is gone.   Could this happen to you?

A rush of faces goes by, including customers, competitors and colleagues. Her heart skips a beat, then two. After a wave of nausea has abated, the panic subsides. She reaches for her phone.

According to the blogosphere this week, laptops have just recently started to go wild and disappear.  Tell us something new!  Studies show that on average a laptop disappears every 43 seconds in the US alone… that’s about 12,000 per week.  12,000 per week!  I suppose it’s not surprising that these valuable devices go missing.  What is totally surprising is the lack of data loss protection and data breach protection given the technologies that have been around for the last 10 years.

What the HHS Data Breach ‘Wall of Shame’ Tells Us

Over 80 data breaches are posted, with a significant percentage (25-30%) attributed to loss or theft of laptops. The ePHI of almost 2.5 million Americans has been breached since the HHS reporting started in February. Again, a large percentage of that comes from theft or loss of laptops.

Back to our busy, anxious healthcare executive … in this case, a call to her IT folks in New York triggers a response right out of a Bond movie: The thief won’t get much information from her computer because the files, which are already remotely backed up and encrypted from the laptop, are fizzled, remotely sent up in smoke, destroyed, like a black-powder charge inside an analog tape. The next day, a perfectly mirrored backup of her laptop arrives via FedEx from IT. It’s as if nothing ever happened.

What to do

Yet as the San Francisco – New York near-nightmare reveals, preparing constantly for the unforeseeable may be difficult and complex … but doable. In this day and age, there are many practical, actionable steps one can take today to get those laptops under control and road warriors prepared. Start here:

  • Complete your HIPAA Security-mandated risk analysis – know where all ePHI is located
  • Get your Policies and Procedures up to date and communicated
  • Implement Lost Data Destruction tools
  • Encrypt data on laptops
  • Ensure all data is regularly backed up and recoverable

Bob Chaput is President of Data Mountain LLC, a data security, disaster recovery and data protection services firm.  Data Mountain specializes in helping Covered Entities and Business Associates assure they are compliant with the Contingency Plan Standard of the HIPAA Security Law and The HITECH Act.