Monday, November 15, 2010

EPHI Information Breach Concerns

As most of our health care Clients are probably already aware, a VNA here in Connecticut was in the news recently and it wasn’t good news.  A nurse’s laptop was stolen from her car.  The laptop contained information on around 12,000 patients. 

Almost immediately, we started getting inquiries from some of our health care Clients asking about the security of their laptops.  I decided to write this blog post to respond to these inquiries in a fashion that will hopefully help all our health care Clients.

First, laptops should be encrypted.  Encryption ensures that if a laptop is stolen or lost, the information on the hard drive cannot be accessed by taking the drive out of the laptop and reading it in another device.  Having a laptop encrypted means that if it is stolen or lost, you would not have to report it as required by HITECH/HIPAA.

Covered entities and business associates must only provide the required notification if the breach involved unsecured protected health information.  Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance. 

We use TrueCrypt, a free, open source encryption tool, to encrypt devices.  There are some things to know about encrypting laptops.  First, it is time consuming.  Encrypting a brand new laptop can take 2 or more hours depending on the size of the hard drive and the speed of the laptop; it can take 4 or more hours on an older laptop.  It can also affect the performance of the laptop, especially older laptops that are already running slow.  Once the laptop is encrypted, the user will need to enter two passwords to start the laptop up (there are several variations on how data can be encrypted).  If the encryption key is lost, the data on the laptop is lost (we have processes in place to make sure the key is not lost).

Now come the hard facts.  A large portion of the laptops we work on have the password attached to the laptop somewhere.  Do you know if that is happening in your practice?  If the password is exposed, you have no security, even if the laptop is encrypted.  Also, if the device is left logged on while it is being moved from location to location, you don’t have security either.  If the laptop is lost or stolen, one simply needs to open the laptop and all the data is exposed.  Again, encryption doesn’t matter.

We have been getting inquiries as to whether an organization’s laptops are encrypted or not.  While this is a good question to ask, I’m afraid that you should already know the answer to the question.  Also, this is not the only question to ask.  What are your security policies relative to the laptops and your EPHI in general?  Are your nurses and other staff aware of the policies, and are they following them?  What are the consequences if they don’t follow them?  What happens if there is a breach?  Does everyone in your organization know what the protocol is?  If the media is asking questions, do you have a protocol in place?  When was the last time you changed passwords?  Do you have an inventory of all your devices?  How often is it checked to see if anything is missing?  etc., etc.
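Several of those questions (do you have an inventory, how often is it checked, is the password stuck to the laptop, is the machine carried around logged in) come down to a review you can run against your asset register on a schedule.  The script below is an added example, not code from the original post or from the TrueCrypt project.  The four-laptop register, the 30-day "treat as missing" window and the 15-minute screen-lock limit are constructed assumptions; the safe-harbor test encodes the post's own rule of thumb that encrypted data is not unsecured PHI, while the "effectively exposed" flag captures the post's warning that an exposed password or a laptop left logged on makes encryption moot.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# --- constructed sample data: a four-laptop register for a small practice ---
TODAY = date(2010, 11, 15)


@dataclass
class Device:
    asset_tag: str
    assigned_to: str
    encrypted: bool                   # full-disk encryption in place (e.g. TrueCrypt)
    last_checkin: date                # last time the asset was verified present
    auto_lock_minutes: Optional[int]  # screen-lock timeout; None means it never locks
    password_written_on_device: bool  # finding from a physical spot check


SAMPLE_INVENTORY: List[Device] = [
    Device("LT-001", "nurse A", True,  date(2010, 11, 12), 10,   False),
    Device("LT-002", "nurse B", True,  date(2010, 10, 1),  10,   True),
    Device("LT-003", "nurse C", False, date(2010, 9, 16),  None, False),
    Device("LT-004", "nurse D", True,  date(2010, 11, 13), None, False),
]

MAX_DAYS_SINCE_CHECKIN = 30   # assumed policy: anything older is treated as missing
MAX_AUTO_LOCK_MINUTES = 15    # assumed policy: the lock must engage within 15 minutes


def overdue_devices(inventory: List[Device], today: date,
                    max_days: int = MAX_DAYS_SINCE_CHECKIN) -> List[Device]:
    """Devices not verified within the policy window: candidates for 'lost'."""
    return [d for d in inventory if (today - d.last_checkin).days > max_days]


def safe_harbor_applies(d: Device) -> bool:
    """Breach-notification safe harbor: PHI counts as 'secured' only when encrypted."""
    return d.encrypted


def controls_defeat_encryption(d: Device) -> bool:
    """Encryption is moot if the password travels with the laptop or the machine
    is carried around logged in with no (or an overly long) screen lock."""
    if d.password_written_on_device:
        return True
    if d.auto_lock_minutes is None or d.auto_lock_minutes > MAX_AUTO_LOCK_MINUTES:
        return True
    return False


def triage(inventory: List[Device], today: date) -> Dict[str, dict]:
    """Per-device finding: is it missing, would the safe harbor apply, and is the
    PHI on it realistically exposed?  Returns a dict keyed by asset tag."""
    overdue = {d.asset_tag for d in overdue_devices(inventory, today)}
    report: Dict[str, dict] = {}
    for d in inventory:
        missing = d.asset_tag in overdue
        harbor = safe_harbor_applies(d)
        exposed = (not harbor) or controls_defeat_encryption(d)
        if not missing:
            action = "ok" if not exposed else "remediate controls before the laptop leaves the building"
        elif not harbor:
            action = "treat as breach of unsecured PHI: notification required"
        elif exposed:
            action = "lost but encrypted; control gap may void safe harbor: escalate to compliance"
        else:
            action = "lost but encrypted: document, investigate, no notification expected"
        report[d.asset_tag] = {
            "assigned_to": d.assigned_to,
            "missing": missing,
            "safe_harbor": harbor,
            "effectively_exposed": exposed,
            "action": action,
        }
    return report


if __name__ == "__main__":
    for tag, finding in triage(SAMPLE_INVENTORY, TODAY).items():
        print(tag, finding["assigned_to"], "->", finding["action"])
```

Run on a schedule (weekly is a reasonable starting point), the overdue list is the answer to "how often is it checked to see if anything is missing," and the control-gap findings on devices that are still present are the ones worth fixing before the next laptop goes missing.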

Unfortunately, security and ease of use are not synonymous. Security can be painful.  We have to remember complex passwords and follow rules that make our jobs just a little more difficult.  However, it is imperative that security be taken seriously today, in our personal and professional lives.  We do not want to be the next security related news story.

Feel free to contact us if you would like to review your security status.