HealthLeaders Media has an interview with a former senior advisor at the OCR, the Office for Civil Rights, who has revealed the “top areas of interest” on HIPAA issues. While you might think that laptop encryption software like AlertBoot only covers point #5 below, it actually covers more than that.
Incident detection and response
Review of log access
Secure wireless network
Management of user access and passwords
Theft or loss of mobile devices
Role-based – lack of access management
Hospital Laptop Encryption Proof and Other Issues
Encryption software is not a silver bullet against all data ills. In fact, it can only protect you against a very thin (but also very important) slice of your data breach pie. For example, disk encryption for medical laptops only protects patient data when the device is in the “off” position at the time it is lost or stolen. Compare that to the numerous ways in which you can have a data breach (including the theft of a laptop that’s up and running), and it looks like disk encryption is extremely limited in what it does.
On the other hand, if you consider that lost or stolen digital data storage devices account for over 60% of all medical data breaches, then you understand why disk encryption plays an important role in keeping your PHI safe.
But, the use of encryption is not the end of it. Sometimes, the use of encryption can force HIPAA breaches. For example, if your staff share passwords, that is a breach of the HIPAA “access control” rule (#4, #7). So, you must ensure that everyone gets their own username and password to encrypted devices (such as computers at a nurses’ station).
Furthermore, if something does go awry, then chances are you’ll have to be able to prove that a device was protected (#1, #2). Knowing that you encrypted it and proving that you encrypted it are two different things. You could keep a written record, but will it be enough?
Managed Encryption to the Rescue
This is where a managed encryption package like AlertBoot shines. First off, our encryption software uses the cloud to do its deployment. Due to this characteristic, it also requires forward-looking ways to track which computers are encrypted, which has led to the integration of an advanced reporting engine.
Not only does this mean that a hospital’s IT department (or in some cases, the lone IT guy) can easily and quickly manage numerous encryption installations, it also means that a log can be kept of the current encryption status of a computer. In turn, that means that if a computer was encrypted five years ago, you can see (and later prove) that the computer was still encrypted as of last night.
And, if you see that a machine has switched its status, you can also get on top of it (although, I have to confess that this would be impossible in AlertBoot unless initiated by an administrator).
The encryption also supports multiple usernames and passwords attached to one computer, meeting the requirements for access control and management. Plus, extended security for USB devices can be offered via the “automatic encryption setting,” where any storage devices connected to an encrypted computer are also encrypted.