With the Final Omnibus Rule coming into effect on September 23, 2013, I have to wonder how HIPAA covered entities can possibly still be embroiled in cases like that of Retinal Consultants Medical Group. The organization has notified patients that a laptop computer was stolen from its premises. Encrypting the ePHI on the laptop would have prevented the burglary from turning into a data breach, but the organization had chosen not to encrypt it (and is now investigating ways of further securing its laptops).
Laptop Hooked to a Diagnostic Machine
The people at Retinal Consultants Medical Group should be given a break. The stolen laptop was a component of a diagnostic imaging machine, which makes securing it with encryption software a little tricky.
It is a laptop full of patient data, yes. But it is also a component of a larger instrument. If the imaging device was not designed to work with an encrypted laptop, it makes sense not to secure the computer's data with a third-party security solution: doing so could cripple the entire system and render it useless.
On the other hand, there are plenty of devices out there where full disk encryption can be used without affecting the device at all, because they run on top of a generic OS like Windows XP or whatever. This keeps costs low (or lower) because the manufacturer does not have to pour funds into something it is not expert in, which would probably come out half-baked, over budget, and unappreciated. Was this the case with RCMG?
If so, they really ought to rethink their approach to laptop security. Increasing physical security is always a good idea, but it is less effective when it comes to curbing data breaches. If their devices run on Windows, plenty of solutions exist for protecting them against future data breaches.
To Err is Human, to Encrypt is Deva…statingly Effective Against Data Breach Complications
The use of data security solutions is generally more cost-effective when it comes to data breach prevention. Plus, there are additional benefits to their use, such as safe harbor from the HIPAA / HITECH Breach Notification Rule, which compels covered entities and their business associates to essentially make data breaches public.
Other than cost, there is really no reason not to deploy encryption on all laptop computers. But even from a cost perspective, encryption software makes sense. How much will your company pay for lawyers, first class mail, outside consultants, toll-free numbers, credit monitoring services, and the other costs associated with a data breach? What fine will HHS levy? How much time will employees lose to audit demands? What about patient churn? When all of these are added up, encryption on laptops could very well turn out to be the least expensive choice.