Protecting PHI on Mobile Devices Not to be taken Lightly

Chandra Bilugu — Mon, 05 May 2014 10:45:35 +0000

Although there has been enough and more said about the importance of encryption in safeguarding protected health information (PHI), data breaches resulting due to lack of encryption seem to still be occurring. Almost every other day there is a new headline about a healthcare institution or a hospital encountering a HIPAA breach. It is disturbing to see that we still see massive numbers of breaches with the root causes continuing to result from the most preventable, avoidable behaviors. While there has been persistent emphasis on the need for conducting risk analysis and encrypting data, there are still many providers who are yet to take these calls for action seriously. Recently occurred incidents have revealed two entities that have had pay the U.S. Department of Health and Human Services Office for Civil Rights (OCR) $1,975,220 collectively to resolve potential violations.

The failure to analyze risks associated with health information, negligence or irresponsibility in safeguarding protected health information will be inevitably followed by settlements and penalties. This is clearly illustrated in the case of Concentra Health Services (Concentra), where OCR opened a compliance review upon receiving a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center. Investigations reveal that despite Concentra recognizing a lack of encryption on its laptops, other devices containing electronic protected health information (ePHI), incomplete and inconsistent efforts to rectify the same left PHI vulnerable throughout the organization. Further OCR’s investigation revealed that Concentra had insufficient security management processes in place to safeguard patient information, and consequently had to pay OCR $1,725,220 to settle potential violations.

Breaches involving thefts of unencrypted computers clearly indicate that lack of encryption remains one of the top reasons for data breaches. Susan McAndrew, OCR’s deputy director of health information privacy, emphasizes that encryption is your best defense against these incidents. Every covered entity and business associate needs to understand that mobile device security is a crucial obligation. However, stolen or lost unencrypted mobile devices keep on posing a significant threat to healthcare entities. Take the example of QCA Health Plan, Inc. of Arkansas. OCR received a breach notice in February 2012 reporting the theft of an unencrypted laptop computer containing the ePHI of 148 individuals from a workforce member’s car. Further OCR’s investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, thus resulting in a $250,000 monetary settlement.

What these incidents repeatedly remind us is that protecting patient health information, serious continual effort is crucial. Firstly, healthcare entities should know that encryption is a must, and that one good reason to get the encryption program started soon is the HIPAA Omnibus Rule, which necessitates encryption. Covered entities should remember that non-compliance under the HIPAA Omnibus rule can attract penalties.

Comprehensive security solutions such as Aegify Security Posture Management and Aegify SecureGRC can facilitate meeting this ongoing requirement. With built-in policies, procedures, and frameworks for HIPAA compliance, these security solutions can greatly simplify the process of compliance and dramatically improve the security posture of healthcare entities.

The post Protecting PHI on Mobile Devices Not to be taken Lightly appeared first on Aegify.

HIPAA Breaches – Aegify

Protecting PHI on Mobile Devices Not to be taken Lightly