There is this theory among the HIPAA security crowd that education is as effective as technical solutions, or that it can be even more important. While not wrong, it depends on what you’re looking at. At the end of the day, it’s the technical solutions that will do the heavy lifting when it comes to securing PHI. They are also what will increase compliance rates, as the following story illustrates.
Cedars-Sinai Health System Employee Laptop Theft
According to information filed with the California Attorney General’s office, Cedars-Sinai suffered a data breach when an employee’s laptop was stolen from his (or her) home (from phiprivacy.net):
The laptop, which was used by the employee for troubleshooting software used for clinical laboratory reporting, was stolen along with personal items of the employee in a June 23 burglary at the employee’s home. (The employee’s duties included being available outside of normal business hours to troubleshoot software problems as they occurred, which is why the laptop was at the home.)
As far as I can see, all indications point towards the person being a Cedars-Sinai employee, as opposed to being an outside contractor. Whether the stolen laptop was the employee’s own or a work-issued machine is not readily apparent, although I see suggestions that it might be the latter. However, the hospital did admit that HIPAA laptop encryption was not used to secure the computer.
But what I really want to point out is this: data security education can only go so far.
Even Professionals Make Mistakes
Why was encryption software not used? Perhaps the laptop was a personal one, so Cedars-Sinai couldn’t touch it. Or perhaps it was a Cedars-Sinai laptop that fell through the cracks when it came to encrypting it (the most likely answer). Or perhaps a commonly made argument was used (not likely in this particular case): because HIPAA doesn’t require the use of encryption, it wasn’t used. In that scenario, employees would instead be made to read and sign computer usage policies, and periodic data security sessions would be held as an alternative to a technical solution.
You know, stuff like: employees are not authorized to take PHI, in any form, off the clinic’s / hospital’s / research center’s / what-have-you premises. The idea is that employees won’t do so, especially if they’re educated about the potential risks.
The problem is, education is not the problem. Who could be more cognizant of the potential for a data breach, and the ensuing ramifications, than a guy who works in the hospital’s IT department? And, yet, here we are today, reading about it.
Education has its place, but it tends to work better as a secondary or auxiliary option. For example, use encryption to secure laptops, but also make sure that employees understand they shouldn’t share passwords (in fact, don’t give them a reason to: give everyone their own access IDs) or write them on notes or Post-Its attached to the device in question.