Data security breaches often triggered by carelessness

For physicians, a lost smartphone or forgotten laptop can mean a long, arduous process of notifying patients -- and the risk of penalties under HIPAA.

By — Posted Feb. 22, 2010


Often the biggest threat to your practice and patient data is not an outside hacker or a snooping employee -- it's somebody's forgetfulness.

As technology becomes smaller and more portable, it becomes easier to lose. Surveys from a data protection solutions company in 2009 found that in a six-month period, 12,500 mobile devices were left in taxis, and 4,500 USB memory sticks were left in pockets of pants sent to dry cleaners.

Most people -- including those in the security business -- are not protecting the data on their mobile devices. So if the device is lost, the data could be accessed.

"I'm always surprised at the cowboy attitude," said Harry Rhodes, director of practice leadership for the American Health Information Management Assn. "You've got these people who think, 'What are the odds of that happening to me?' And then when it's happening to you, it's too late to do anything."

Just having your phone drop out of your pocket could launch a time-consuming and expensive nightmare of reconstructing data and adhering to fixes mandated under the Health Insurance Portability and Accountability Act.

Provisions in the federal stimulus package have tightened HIPAA notification and enforcement regulations and have made HIPAA violations more costly. For example, the maximum civil penalty from the Dept. of Health and Human Services for a data breach occurring after Feb. 18, 2009, rose from $25,000 to $1.5 million.

So how do you protect yourself from an accidental loss of a device containing sensitive data? Experts recommend two strategies. One is to find a way to handle or store your mobile technology so you can't lose it easily. The other is to make sure the device has security and encryption features that make it next to impossible for anyone who happens to find it to access the data.

Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, said he has seen a recent increase in health information breaches because of the use of mobile devices. Privacy Rights, a San Diego-based consumer advocacy group focused on educating the public on how technology affects privacy, is developing a database of all known data breaches in the United States to analyze how each breach occurred, Stephens said.

Credant Technologies, a Dallas-based data protection solutions company, noted in a 2008 survey that although more than a third of health care professionals store patient data on laptops, smartphones and USB memory sticks, most do not adequately secure the data.

Sean Glynn, vice president of product marketing at Credant, said the company surveyed smartphone users at a commuter train stop in 2009. When asked if the data on their phones were encrypted, few said yes. When the same survey was conducted among data security professionals at a trade show, the results were nearly identical.

Credant also performed the studies about mobile devices left in taxis and at dry cleaners. Those covered all devices, not just those owned by health care professionals.

People "might well protect their traditional desktop or laptop PC, but they are always buying these [portable] devices and bringing them in as their own personal devices," Glynn said.

Encrypting the data can eliminate the HIPAA obligation to notify patients of a lost device, under a provision that allows an exception if the data cannot be accessed. But in most cases, encryption is not being done.

The Healthcare Information and Management Systems Society, in a survey released in November 2009, found that despite the strengthening of HIPAA regulations, health care organizations have made relatively few changes to their security policies and procedures. For example, only 39% reported using mobile device encryption.

Rhodes likened people's attitudes toward data security to their attitudes toward home security systems -- no one thinks one is necessary until something happens.

The Veterans Health Administration, for instance, now requires encryption of all mobile devices and has banned the use of thumb drives after the theft of one from an employee's home in 2006. Rhodes has seen other organizations block USB ports on desktop computers with a plug-in device or a super glue product, preventing data from being exported onto a thumb or flash drive.

He said there also are software packages that can be downloaded onto PDAs or smartphones that allow the users, in the event the device is lost or stolen, to call a phone number that automatically will erase everything from the device. There also are downloadable GPS systems that can help locate a lost device.

Smartphone and thumb-drive users also should use password protection on the devices, experts said. Use of a password to enter the system is just an additional line of defense that should be coupled with encryption -- the most effective means of protection available, they said.

Rhodes said mobile devices often are lost when people are traveling, so simply being more vigilant and aware in places like an airport can help prevent many cases of data loss. For instance, sometimes people set down a laptop bag while flagging a taxi. A thief can run by, grab the bag, then throw it into a waiting car that speeds off. "Always keep the bags on your shoulder," he said.

Laptops also can disappear from security belts at airports, he said, not necessarily from theft but because many computer cases look alike. Experts suggest attaching a business card to the outside of the case.

Another line of defense is to limit the amount of data on a mobile device.

For example, Stephens of Privacy Rights Clearinghouse said he has seen cases of employees who carry an entire company database around with them. One momentary lapse of good judgment, he said, could become an expensive teaching moment.



1 stolen laptop equals lots of missing patient data

A recent case involving one physician, one laptop, two hospitals and 7,000 patients shows how data on the move can risk a security breach.

The case concerned a doctor who transferred to the University of California, San Francisco School of Medicine, from Beth Israel Deaconess Medical Center in Boston. He owned a laptop that still contained data on 2,900 BIDMC patients.

He used that laptop at UCSF, collecting data on another 4,400 patients. The laptop was stolen on Nov. 30, 2009.

The data did not include Social Security numbers or financial information, and there are no indications of unauthorized access. But both hospitals are in the process of sending notices to all patients whose data were on the laptop.

Whether it's from loss or malicious theft, storing data on mobile devices is the biggest threat to health care information, because the more mobile the data are, the more chances they have of being misplaced, experts said. Many health care organizations have banned downloading data onto mobile devices or have blocked or disabled the USB ports through which devices can be connected to transfer data.

Both UCSF and BIDMC said they were reviewing their policies on using mobile devices, including laptops, because of the incident.
