HIPAA Laptop Encryption: Riverside County Regional Medical Center Loses Laptop.

Riverside County Regional Medical Center, in California, has reported the loss of another laptop computer from hospital grounds.  It is the second such incident for 2014 – the first occurring in June and the latest one in December – and yet another episode that could have been prevented with the use of HIPAA-compliant security tools like AlertBoot’s web-managed disk encryption software.

Nearly 8,000 Affected

According to abc7.com, the computer was reported missing on December 1st, 2014.  The loss affects nearly 8,000 people who had visited the ophthalmology and dermatology departments between January 2012 and November 2014.

The data on the laptop included personal information such as names, addresses, SSNs, dates of birth, diagnoses, and health plan numbers.

Laptops Now Being Encrypted

In addition to the above, a hospital representative noted that “there is no reason to believe the laptop’s patient-related files were accessed or used in any way” and that “all laptops are now being encrypted to safeguard patient data.”

That last statement is a bit nebulous: are laptops now being provisioned with encryption software as a consequence of the latest data breach? (The time elapsed between the breach’s report and the date of the article is approximately two months.)

Or is it a continuing effort based on the breach that occurred earlier in 2014?  If the latter, then Riverside can perhaps be excused for the latest incident.  The deployment of encryption solutions across a large swathe of devices is an arduous effort.  Planning, setting requirements, piloting solutions, more planning, finalizing the procurement process, and then actually diving into the technical deployment itself can take many months.

On the other hand, if Riverside is reacting to the December breach, it provides a reason for less leniency when it comes to public opinion: why did they wait for a second data breach to conclude that they needed laptop encryption?  Did they think that the first data breach was an accident?

Ignoring Encryption in California Not a Good Idea

If you are a HIPAA covered entity, it’s a bad idea to not encrypt laptops and other digital data storage devices (unless it’s not technically possible to do so, which in turn happens to be a virtual impossibility in this day and age: data security concerns are so high that devices now come pre-encrypted).  This is because HIPAA/HITECH provides a way out from reporting data breaches if the lost data happens to be encrypted.

Not using encryption, however, is a doubly senseless attitude if you happen to be in California, which is arguably the state with the most stringent data security and data breach laws.  Again, the use of encryption provides safe harbor.

Under the circumstances, the use of encryption on laptops is a no-brainer: you know there’s a security problem (the first laptop theft proved that), and you know that, short of locking down the hospital, the odds of another similar incident occurring are anything but 0%.  The only logical move is to encrypt, especially when the law is incentivizing you to do so.
