Powerful Encryption Ammunition
Tale of Two Breaches Illustrates Value
After Sunbridge Healthcare Corp. reported the theft of a laptop containing patients' health information in May, it announced plans to make sure all laptops issued to employees are encrypted.
But guess what? About one month later, the national chain of long-term care and rehab facilities reported the theft of an unencrypted BlackBerry containing patient information. In a statement about that incident, encryption came up again. "The company has encrypted and password-protected all Blackberry personal digital assistants and has reinforced with all the staff the proper protocols required to maintain the security of personal information."
Sunbridge had to report both incidents to those who may have been affected, as well as to federal authorities, as required under the HITECH Act. But neither report would have been necessary had the devices been encrypted.
Remember, under the HITECH Act's interim final breach notification rule, breaches involving information that's encrypted to an appropriate standard don't have to be reported.
Educating executives who control the IT budget at your organization about the "safe harbor" encryption provision is a good idea. But making them aware of what can go wrong if a computer device containing patient information is lost or stolen is an even more powerful way to illustrate the value of encryption.
And the U.S. Department of Health and Human Services' Office for Civil Rights' list of major breaches contains dozens of other examples of incidents involving lost or stolen laptops, PDAs, thumb drives and even desktop PCs.
Reporting breaches is expensive. Sunbridge, for example, is offering those who may have been affected by recent breaches free ID protection services.
Christopher Hourihan, manager of development and programs at the Health Information Trust Alliance, estimates the cost of dealing with the aftermath of all the major breaches reported to federal authorities so far could hit $1 billion. He bases his estimate on the Ponemon Institute's calculation of an average of $204 in costs for every compromised record, across all industries.
Dozens of healthcare information breaches involving the theft of devices. An average cost of $204 for every compromised record. What's it all add up to? Powerful evidence that encryption is a worthwhile investment.
But if you're looking for a way to limit the size of your encryption investment, consider this: Hourihan argues that healthcare organizations should carefully consider just how much patient information, if any, should be stored on portable devices and media or even desktop PCs.
Is it really essential that so many clinicians store patient information on their computer devices? Food for thought.