The trusted source for
healthcare information and
HIPAA Regulatory Alert
Beware of breach sources: Laptops and flash drives
Passwords, encryption, and VPNs cut risks
Fifty percent of data breaches are related to theft of portable or easily moved devices such as laptops, flash drives, and desktop computers, according to the most recent report from the Health Information Trust Alliance, a national consortium of healthcare professionals that focuses on healthcare data security.1
Employees at Henry Ford Health System (HFHS) in Detroit know that these statistics are true after experiencing the theft of a laptop from an office and a flash drive dropped in a parking lot in a three-month span of time.
"The laptop was stolen when an employee left his office door unlocked so his secretary could get something from it while he was gone," explains Meredith Phillips, MHSA, CHC, CHPC, chief privacy officer in the office of corporate compliance for HFHS. Due to a delay in the discovery that the laptop was missing and a further delay in notifying Phillips' office, 54 days passed before the hospital notified patients about the potential breach, she says. "This was within the 60-day time limit set by HITECH, but it took longer than we want it to take," she adds.
The publicity of the potential loss of data and additional training increased all HFHS employees' awareness. Less than three months later, a resident discovered that a flash drive had fallen off his key chain at some point while he was at dinner away from the hospital. A report was made to Phillips' office. "Because he reported it immediately and because he had stored a copy of the information he downloaded to the drive on the hospital's server, we were able to quickly identify which patients were affected," she says. Patient notification of the potential breach was made in 18 days for this incident, she adds.
The portability of laptops and flash drives increases convenience for employees who want to work at home, but they are easily stolen or lost, points out Marion Jenkins, PhD, FHIMSS, founder and chief executive officer of Englewood, CO-based QSE Technologies, which provides IT consulting for healthcare organizations. "I include desktop computers as portable devices in my own analysis because they are located at the edge of the network and on users' desks, which are often accessible by non-users," he explains.
Passwords not enough
Passwords can help protect the information, but many healthcare personnel don't use passwords appropriately, Jenkins says.
"There may be a password for the nursing station computer, but it is often a shared password for all of the nurses to make it simpler to access information," he says. "Shared usernames and passwords can be easily defeated by someone who wants to access the information."
The best protection is not to allow storage or downloads of any protected health information (PHI) to a laptop, flash drive, or desktop computer, says Jenkins. "Files and data should be stored on a server and accessed over the office local area network, or if the user is remote, over a secure VPN [virtual private network] connection," he says.
If employees do store information on laptops or flash drives, be sure they are encrypted, warns Jenkins. "Even if the laptop is stolen out of the employee's car, the thief must have the encryption key to access the information," he adds.
Because HFHS is a teaching hospital and many employees are involved in research, it is inevitable that people will need to download information onto a portable device, Phillips points out. "We've chosen to encrypt all portable devices used by HFHS employees," she says.
The ambitious program to identify and encrypt or replace portable devices used by the 24,000 health system employees started in late March 2011 with a 10-day event designed to identify all laptops, external hard drives, and flash drives. Stations located throughout the health system were manned by information technology staff from 6 a.m. to 6 p.m., she says. "We replace all unencrypted flash drives with encrypted drives and transfer the information for the employee, and we inventory all laptops and external hard drives and encrypt them as well," she says.
If an employee has a device that cannot be encrypted, HFHS will replace it with a laptop or hard drive that is encrypted, she adds. Phase II of the program, which will begin later in 2011, will address other devices such as smart phones and digital voice recorders, she says.
In addition to encrypting existing devices, Phillips department worked with information technology and purchasing to ensure that the only devices that will be issued to employees from this point comply with policies set by her department.
Enhanced educational efforts and a zero tolerance policy will protect HFHS from potential breaches, says Phillips. "Once we have successfully encrypted all devices, employees are expected to use them, not their personal, unencrypted devices," she says. "Employees who make a decision to use an unencrypted device to store PHI will be subject to termination."
1. Hourihan C. An Analysis of Breaches Affecting 500 or More Individuals in Healthcare. Health Information Trust Alliance, Frisco, TX. August 2010.
For more information about the risks of portable media, contact:
Marion K. Jenkins, PhD, FHIMSS, Founder and Chief Executive Officer, QSE Technologies, 359 Inverness Drive S., Suite K, Englewood, CO 80112. Telephone: (303) 283-8400. Fax: (303) 283-8401. E-mail: email@example.com.
Meredith R. Phillips, MHSA, CHC, CHPC, Chief Privacy Officer, Office of Corporate Compliance, Henry Ford Health System, 2799 W. Grand Blvd., Detroit, MI 48202. Telephone: (313) 874-5168. Fax: (313) 874-5608. E-mail: firstname.lastname@example.org.