Reducing the Risk of a Breach of PHI from Mobile Devices

Latest HHS Fine Hits The Massachusetts Eye and Ear Infirmary

by Rick Kam, ID Experts

The Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. (MEEI) will pay $1.5 million to the Department of Health and Human Services (HHS) for potential violations of the HIPAA Security Rule. In its release, HHS explains that it wasn’t just one issue or misstep that led to the fine, but rather a series of errors and inaction.

“…such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices, implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices, adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices, and adopting and implementing policies and procedures to address security incident identification, reporting, and response.”

This was for a breach in February 2010 from an unencrypted laptop that contained ePHI – including patient prescriptions and clinical information – of some 3,621 individuals. If you’re doing the math, that’s $414 per record. How much would it have cost them to do a risk assessment, or to implement a privacy incident management process? This type of underinvestment isn’t surprising: according to the March 2012 ANSI study titled “The Financial Impact of Breached PHI – A Business Case for Enhanced PHI Security”, organizations are underinvested in protecting PHI.

Here are 3 tips organizations can use to reduce the risk of a breach of PHI from mobile devices.

1. Consider geolocation tracking software or services for mobile devices.

Geolocation tracking software is a low-cost insurance policy against loss or theft that can immediately track, locate, or wipe the device of all data. The majority of healthcare organizations currently lack sufficient resources to prevent or detect unauthorized patient data access, loss or theft. And lost or stolen computing or data devices are the number one reason for healthcare data breach incidents.

2. Brick the mobile device when it is lost or stolen.

From Jon A. Neiditz, partner, Nelson Mullins Riley & Scarborough. In the last year, we have seen greater acceptability among employees of “remote wipe” processes that “brick” the entire device when it is lost or stolen, rather than just wiping the encrypted silo of corporate information, for example. The reason that bricking the entire device is more acceptable, in our view, is that personal data is now more frequently backed up in cloud storage, so the bricking of the entire device does not result in data loss, and protects the employee as well as the company. This is the first tip in the context of BYOD programs.

3. Encrypt.

From Chris Apgar, CISSP, president and CEO, Apgar and Associates. All mobile devices and the often-overlooked media, such as USB drives, should be encrypted if they will be used remotely. The cost of encryption is modest and is sound insurance against what has been demonstrated to be a significant risk to healthcare organizations. Most breaches do not occur because of cybercrime. They are associated with people. Even if organizations allow their employees to use their own tablets, laptops and smartphones, they should require encryption if there is a possibility sensitive data will be stored on those devices. Organizations may have a policy prohibiting the storage of sensitive information on personally owned devices, but it is a very hard policy to enforce. At the very least, organizations should require the use of company-owned and encrypted portable media.

Rick Kam, CIPP, is founder and president of ID Experts, where this post was originally published. He is an expert in privacy and information security. His experience includes leading organizations in policy and solutions to address protecting PHI/PII and resolving privacy incidents and identity theft. He is the chair of the ANSI PHI Project, Identity Management Standards Panel and the Santa Fe Group Vendor Council ID Management working group. He is also an active member of the International Association of Privacy Professionals and is a member of the Research Planning Committee for the Center for Identity, which is part of the University of Texas at Austin.