It’s being reported that the “hard drive from a computer” has been stolen from Upper Valley Medical Center. Thankfully, patient information was not present on the missing device, but it’s grounds for reviewing the question: why is it, again, that HIPAA-covered entities are not required to use drive encryption software like AlertBoot?
Nicked at Night
The site newstalkradiowhio.com reports that a man (featured in a security cam video) is a suspect in the theft of the missing hard drive, which was “stolen shortly after 10 pm Wednesday from the patient admitting area off the main lobby at the hospital.”
Based on the context of the story, it sounds like the thief popped open a desktop computer, unplugged the internal hard disk, and made his way out of the hospital, as opposed to stealing an external hard drive.
Now, theft of computer equipment from hospitals is nothing new. Neither is the loss of hard drives. But such thefts are a result of someone purloining something that’s just lying around. This is the first time that I’ve actually heard of someone sauntering into a hospital, taking the time to disconnect wires, and sauntering back out with the goods in his…pockets (I’m guessing here because the video of the suspect shows him walking empty-handed. I have a 5.5″ internal drive next to me, and it’s about the size of a NOOK Simple Touch).
Was this stolen drive protected with hospital data encryption? It’s a moot point, really, because there wasn’t any patient data on it (or, at least, that’s what the folks at Upper Valley think. It wouldn’t be the first time that a deeper inspection of backups reveals that PHI was taken).
But, this again makes me wonder: why is the use of encryption software not required under HIPAA guidelines?