Stolen Devices a Persistent ProblemBreach Tally Spotlights Risks Posed by Lack of Encryption
The latest updates to the federal tally of major health information breaches confirm that the loss and theft of unencrypted devices continue to plague the industry.
Eight of the 10 incidents added to the tally in the past month involved lost or stolen unencrypted computing devices, including six laptop thefts. Since federal regulators began tracking major breaches in September 2009, about 54 percent of incidents have stemmed from lost or stolen unencrypted devices or storage media.
Many organizations have yet to encrypt all laptops containing patient information because of misperceptions about the cost involved and the potential impact on computer performance, some observers say. And device thefts are often the result of carelessness or a lack of awareness of security risks.
As federal authorities continue to ramp up HIPAA enforcement efforts with hefty penalties for non-conformance, however, there is more pressure on organizations to take more steps to protect patient data (see: Another Big Fine After a Small Breach).
Also, encryption provisions in the rules for Stage 2 of the HITECH Act electronic health record incentive program - including a requirement that EHRs automatically encrypt data stored on end-users' devices, could help cut down on breaches. But those rules don't kick in until 2014.
Breach Statistics Update
The 10 breach incidents added to the Department of Health and Human Services' Office for Civil Rights tally in the past month affected 155,000 individuals. Since September 2009, when the HITECH breach notification rule took effect, 499 major breaches affecting 21.2 million have been posted. OCR adds incidents affecting 500 or more individuals to the list once it confirms the details.
So far, OCR has posted about 89 incidents that occurred in 2012. Those affected slightly more than 2 million individuals.
Among the incidents recently added to the tally are:
- A case involving a stolen unencypted laptop stolen containing data on 66,000 patients at Howard University Hospital. When the January incident was first reported, only about 34,000 patients were thought to be affected. The laptop was the personal device of a contractor who downloaded the files in violation of the hospital's policies.
- A breach involving a lost thumb drive containing data on almost 2,300 patients of the University of Texas MD Anderson Cancer Center. The July 2012 incident involved an employee leaving the storage drive on one of the Houston cancer center's shuttle buses. This was the second incident listed on the tally for MD Anderson this year, the first being a stolen, unencrypted laptop containing data on more than 29,000 patients (see: Cancer Center Reports 2nd Data Breach ).
Charles Christian, CIO at Good Samaritan Hospital, in Evansville, Ind., believes that breaches involving unencrypted devices are common, in part, because some resource-squeezed healthcare providers are reluctant to invest in encryption. "There's a lot of overhead, there are annual costs," he says.
Nevertheless, his organization has encrypted computers as well as storage devices. "It's an extra expense, but it's like insurance," he says. Plus, most of Good Samaritan's laptops are tethered to nursing carts or desks to help guard against theft. And in certain areas, such as the registration desk, the hospital uses thin clients that don't store data.
"Virtualization or the use of thin clients is something healthcare organizations need to consider," he says.
The hospital also restricts what can be stored on encrypted USB drives. "We have endpoint protection that has very granular control on what can be saved on thumb drives," he says.
If physicians use a mobile device to access records remotely, "nothing gets saved on the laptops," he says. That way, there's no data at risk if the device is stolen.
Too many organizations have misperceptions about the cost of encryption and its impact on computer performance, says Dixie Baker, a member of the HIT Policy Committee's Privacy and Security Tiger Team, which advises regulators. She stresses that the cost of encryption has dramatically declined and notes that the latest encryption technology no longer adversely affects the performance of computer drives.
"People who have had full-disk encryption will tell you that after the initial encryption, you can't tell [that device is encrypted,]" says Baker, who recently joined the consulting firm Martin, Blanck and Associates as a partner.
One reason that there are so many major breaches involving unencrypted stolen or lost devices, Baker believes, is that those incidents are more easily detected than hacker attacks.
"It's harder to detect a malicious attack. But when something is stolen or lost, a company has historically tracked physical devices, with inventory," she says. Or, if someone has a laptop stolen from a car, "that's easily noticed too."