Drive Encryption Software Not Used On Missing Thomas Jefferson U Hospital Laptop.

Thomas Jefferson University Hospitals (TJUH) has announced a medical data breach today.  Approximately 21,000 patients are affected because a laptop was stolen from the hospital’s premises.  Disk encryption software was not used to safeguard the contents of the laptop.

“Renegade” Employee

On June 14 (the breach notice was posted on July 23, so a month after the original breach), a university hospital employee alerted security personnel that his personal laptop was stolen from an office.  This personal laptop contained protected health information (PHI, or what patient information is called under HIPAA) for 21,000 people who received inpatient care at TJUH over a six-month period in 2008.

The university forbids the storage of PHI on non-university-issued computers, a policy that the employee didn’t follow.

The PHI on the laptop consisted of names, dates of birth, gender, ethnicity, diagnosis, SSNs, insurance information, hospital account number, and other internal codes.

The employee had turned on password-protection on his device; however, this is not considered to be adequate protection. (TJUH’s security breach notice keeps emphasizing the lack of encryption software on the machine for a reason.)

Allowing Personal Laptops in the Workplace

One thing I noticed about the breach notice’s contents is that, while saving PHI to non-university devices is prohibited, it was never mentioned whether it was also forbidden to bring in and use a personal laptop in a hospital setting.

Personal machines being used in the workplace are a mixed blessing.  On the one hand, they could conceivably lower the hospital’s own costs and increase productivity, since a new machine doesn’t have to be issued to an employee and the employee doesn’t require retraining on that new machine.  I’m assuming, naturally, that one knows how to navigate one’s own computer.

I’m also reminded of an experience I had in grad school: I was dealing with an inordinate amount of information for a spreadsheet.  I needed to create some graphs using this information and it took forever to graph them in the computer labs.  In fact, some machines were underpowered to the point that they would hang up.  I could either try to gain access to the computer science department’s machines (not a CS major) or use a personal device.  I chose the latter.

If an employee is issued a dinosaur of a computer, it’s not inconceivable that he would bring in his own device just to be a good trooper and finish his task.

On the other hand, it does mean an increased risk of a data security breach for a number of reasons:

  • The employees’ machines may be infected with malware that now has access to the workplace’s network, effectively invalidating the organization’s firewalls;

  • There’s probably no automated backup for personal machines, meaning that there is a loss of work if a computer malfunctions;

  • Troubleshooting, if extended to personal devices, would be nearly impossible with everyone’s own configurations (one way to ease troubleshooting queries is to have everyone use the same machine); etc.

Ultimately what it comes down to is: there is a lack of control.  While ruling an organization’s IT realm with an iron fist tends to work contrary to an organization’s interests, keeping it loosey-goosey does so as well.

Using Data Encryption Software on Personal Devices?

Theft is not the underlying problem here.  If one assumes that a TJUH computer had been stolen from the same office, it wouldn’t have resulted in a data breach because, as the hospital implies, all TJUH laptops are protected with an encryption solution, something similar to AlertBoot managed encryption.  (Plus, one’s got to face up to the reality that things will be stolen from any open environment like a hospital setting.)

So, perhaps, having personal computers encrypted by the hospital would make sense?  After all, if an organization is not going to frown on it, they should do the minimum to support it–at least, when it comes to data security.
