Is your PHI at risk?

Are you a risk taker?  Is “let the chips fall where they may” your motto in life?  Perhaps throwing caution to the wind is a great way to live when you have nothing to lose, but as the custodian of patient data this type of behavior is risky and could result in serious repercussions.

Unless you’ve just landed on earth from an alien vessel or you’ve been comatose for the last 15 years, you’ve undoubtedly heard of this HIPAA thing.  HIPAA, formally known as The Health Insurance Portability and Accountability Act of 1996, is largely the gospel when it comes to the rules governing the management of patient health data.  The HIPAA law and regulations are coupled with the HITECH Act (Health Information Technology for Economic and Clinical Health) to dictate how patient data is kept private and safeguarded from breaches.

While volumes could be written on what these laws entail, one critical piece to the patient privacy protection puzzle is keeping data safe and secure.  Clearly, electronic patient data housed on a health care agency’s server parked in a local data center can fairly easily be secured through physical barriers, but that is probably the least of a provider’s worries.  As health care services are increasingly delivered in remote locations using those handy mobile devices, patient data is at greater risk of being lost, stolen, or otherwise exposed to unauthorized viewing.  So what weapons can agencies use to best combat invasions of privacy and data breaches?  The lists are long and the advice out there is diverse, but clearly one of the first lines of defense in this ongoing effort is encryption, especially device encryption.

You need only browse the Internet for articles with the keywords “breach” and “laptop” and you’ll immediately see the magnitude of this issue.  There are endless horror stories of laptops being stolen or lost, leading to the exposure of protected health information of anywhere from 200 to upwards of 10,000 patients.  No one is immune, and it only takes one nurse’s bad day or careless mistake to put your agency in jeopardy and start the ball rolling on the process for reporting such a breach.  While there is little that can be done to protect the well-being of this mobile data once the devices are walked out the door, an agency and its leaders MUST make every effort to implement sound security policies that include an encryption solution.

Encryption may involve an initial investment of time and money, but the dividends in a situation where a device has been compromised are priceless.  According to a Risk Assessment Toolkit released by the Healthcare Information and Management Systems Society (HIMSS), agencies should weigh a number of factors when planning and executing a risk assessment, but clearly encryption is one of the primary mechanisms to safeguard data.  Their published tool notes that while possibly one of the key levels of protection, encryption should be coupled with other internal policies that dictate how users should handle protected health information.  The tool goes on to note that while some encryption solutions come with a healthy price tag, there are some more modestly priced or free solutions available in the market, including options from Microsoft, the open source tool TrueCrypt, and several other vendors.

Ultimately, if encryption is not part of your company’s security strategy now, then when?  Encryption needs to be front and center when you assess your security risk and target resources to dedicate to protecting your patient data.  While there are no magical calculators that will quantify what your ROI might be for moving forward with an encryption policy and solution, are you really ready to take the risk?  What will the cost be when you get the call that a nurse’s laptop is MIA?  Will it be too late at that point?  Can you afford what such a breach will cost your business?  Are you prepared to pay now or later?  These are all questions you should be considering, but perhaps it doesn’t matter to you.  If so, I’d say indeed you are a risk taker…so buckle up and be prepared for the ride.