Encrypt laptops and smartphones to prevent data breaches

Loss or theft of mobile devices presents greatest risk

In April 2010, the laptop computer of a hospice nurse in the Chicago area was stolen. The theft of a mobile device is not that unusual. In fact, 50% of data breaches that affect 500 or more individuals reported to Health and Human Services are related to theft of portable or easily moved devices such as laptops, flash drives, and desktop computers, according to a report from the Health Information Trust Alliance, a national consortium of health care professionals that focuses on health care data security.1

The Health Information Technology for Economic and Clinical Health (HITECH) Act's Breach Notification Rule does not require an organization to report a breach incident, such as the theft of a device with protected health information, if the data are encrypted. For this reason, along with the fact that laptops, tablets, and smartphones are often used by hospice clinicians, encryption of mobile devices that contain PHI is critical, say experts interviewed by Hospice Management Advisor.

Unfortunately for the hospice in Chicago, the nurse's laptop was stolen while it was on and the electronic records system was open. Potential access to more than 500 patients' records meant the hospice had to report the breach to federal authorities as well as every patient.

The theft of a laptop while in use points out the need for well-developed policies and procedures as well as encryption, says Greg Solecki, privacy and information security officer for Community Care Services at Henry Ford Health System, which includes hospice, and vice president of Henry Ford at Home in Detroit, MI. "The good news is that in most cases of a laptop theft, the target is the laptop, not the information stored upon it," he says. "However, our policy requires that clinicians can never let a laptop out of their sight if it is on."

If a clinician is talking with family members and making notes on the patient's chart while sitting in the living room, then walks into the bedroom to check on the patient, the laptop must go with the clinician, points out Solecki. "This is especially important if there are multiple family members or friends that are in the home," he says. Henry Ford policies call for immediate discipline of an employee who doesn't follow proper procedure to protect PHI. "The level of discipline depends on if the action was willful or negligent and the consequences of the action," he explains. "We used to always give people the benefit of the doubt, but we are stricter now, because enforcement of HIPAA privacy and security rules at the federal level are much stricter."

Encryption is not specifically required by the initial HIPAA rules or by the HITECH rules, points out Heather P. Wilson, PhD, principal of Weatherbee Resources, a hospice and home health consulting firm in Hyannis, MA. "What has changed is the breach notification requirement that defines a breach as the loss of 500 or more patients' records in an unencrypted format," she says. "If the data are encrypted, there is no breach."

Another change that occurred with the passage of HITECH is increased enforcement, warns Wilson. Prior to the HITECH Act, enforcement of privacy and security requirements was not always consistent, she says. "Smaller organizations often weighed the cost benefits of investing in steps such as encryption versus the chance that you'd have to pay a small fine," she says. "Not only did the HITECH Act increase fines, but it also gave State Attorneys General the power to enforce the rules, which expanded the number of people available for enforcement." For these reasons, the best way to minimize the risk of a data breach is to encrypt all devices that hold patient data, she suggests.

Passwords not enough

One step that many hospices took when the HIPAA Security Rule was first implemented was the use of passwords, but passwords alone are not enough to protect data, warns Brian Payne, chief executive officer at Winston-Salem Hospice and Palliative CareCenter in North Carolina. "All of our computers and smartphones are encrypted so clinicians must use a login name and a password to get into the data," he says. Although the extra steps to access information do add time, employees understand the importance of protecting patient information because the hospice conducts thorough employee education, he points out.

In addition to investing in encryption for all devices used throughout the hospice, the organization also has invested in some features that increase security if the mobile device is stolen, explains Payne. "If a clinician reports the theft of a laptop, tablet, or smartphone, we can erase the hard drive remotely," he says. "Even though encryption protects the data, the ability to delete it gives an additional layer of protection."

Another way to protect patient data on mobile devices is to limit the number of patient records that are stored on the device, suggests Payne. "Our clinicians have the records of the patients they see on a daily basis but they don't have access to the full database throughout the day," he says. The only time clinicians are connected to the hospice's full database is at the end of the day when they connect by telephone line to the main office to synchronize records, or upload the updated records from the day and collect the patient records they will need for the next day, he explains. "By limiting the patient information on the laptop, we further limit our exposure for a breach."

At Henry Ford, the challenge is getting clinicians to remove patient records from their laptops once the patient is discharged, says Solecki. "Some clinicians are better than others at clearing inactive files, so we do have the ability to remotely remove patient files from the devices," he says. "We can remove all records from the device, then the clinician can reload active patient files."

The ability to manage data on a particular device from a remote location is important and can only be achieved if you encrypt information at the system level, points out Solecki. "We started with encryption of the individual laptop hard drives but moved to system encryption to better protect the files," he says. "Although we have not activated all of the features at this time, we will have the ability to remotely shut down the device and even locate a stolen or lost device." Of course, the question that needs to be answered when using a device tracking feature is "who will go get the device?" he admits. "I don't see retrieval of one laptop as a priority for police."

Check mobile devices regularly

The process of adding encryption to every mobile device used by clinicians can be a daunting task because staff members are not in one central location, admits Solecki. "We had originally envisioned a mass encryption effort in which we encrypted all the devices at one time, but we changed our approach to two at a time," he says. This approach makes it possible to lend a clinician a laptop to use while the device is serviced and encryption added, he says. "Of course, all new laptops or smartphones issued to clinicians have encryption upfront."

Staff members at Winston-Salem Hospice are not supposed to use their laptops, tablets, or smartphones for personal use, so when the devices are brought into the information technology department for routine maintenance and software upgrades, the IT staff checks the device carefully, says Payne. "We scan mobile devices to see what types of downloads or changes to software that might increase the risk of losing patient data have been made," he says. By making sure the device is only used by the employee as part of the day-to-day job responsibilities, the hospice minimizes the risk of someone else accessing PHI, he adds.

Flash drives are another mobile device that must be addressed, says Solecki. "Most of our clinicians have no need to copy files to a flash drive, but some people may need data to produce quality benchmark reports, conduct a financial analysis, or analyze data as part of research," he points out. "If a Henry Ford employee needs to use a flash drive to store information, the only approved drive is an IronKey flash drive," he says. Use of one particular, encrypted drive is a system-wide standard and the hospital system provides the devices, he adds.

Encryption can slow a laptop's performance and some clinicians find the use of passwords and logins every time they open their computer to be annoying, but most realize the importance, says Payne. Ensuring a high level of data security also represents a financial commitment, but as Payne points out, "You have to think about the cost of one lawsuit or one significant fine versus the opportunity to prevent the data loss upfront."

Reference

1. Hourihan C. An Analysis of Breaches Affecting 500 or More Individuals in Healthcare. Frisco, TX: Health Information Trust Alliance; August 2010.

Sources

For more information about encryption of mobile devices, contact:

• Brian Payne, Chief Executive Officer, Winston-Salem Hospice and Palliative CareCenter, 101 Hospice Lane, Winston-Salem, NC 27103-5766. Tel: (336) 768-3972; e-mail: brian.payne@hospicecarecenter.org.

• Greg Solecki, Vice President of Henry Ford at Home, 2799 W. Grand Blvd., Detroit, MI 48202. Tel: (313) 874-6535; e-mail: gsoleck1@hfhs.org.

• Heather P. Wilson, PhD, Principal, Weatherbee Resources, 259 North Street, Hyannis, MA 02601. Tel: (508) 778-0008 or (866) 969-7124; fax: (508) 778-8899; e-mail: hwilson@weatherbee.net.