Data security breaches often triggered by carelessness
For physicians, a lost smartphone or forgotten laptop can mean a long, arduous process of notifying patients -- and the risk of penalties under HIPAA.
Often the biggest threat to your practice and patient data is not an outside hacker or a snooping employee -- it's somebody's forgetfulness.
As technology becomes smaller and more portable, it becomes easier to lose. Surveys from a data protection solutions company in 2009 found that in a six-month period, 12,500 mobile devices were left in taxis, and 4,500 USB memory sticks were left in pockets of pants sent to dry cleaners.
Most people -- including those in the security business -- are not protecting the data on their mobile devices. So if the device is lost, the data could be accessed.
"I'm always surprised at the cowboy attitude," said Harry Rhodes, director of practice leadership for the American Health Information Management Assn. "You've got these people who think, 'What are the odds of that happening to me?' And then when it's happening to you, it's too late to do anything."
Just having your phone drop out of your pocket could launch a time-consuming and expensive nightmare of reconstructing data and adhering to fixes mandated under the Health Insurance Portability and Accountability Act.
Provisions in the federal stimulus package have tightened HIPAA notification and enforcement regulations and have made HIPAA violations more costly. For example, the maximum civil penalty from the Dept. of Health and Human Services for a data breach occurring after Feb. 18, 2009, rose from $25,000 to $1.5 million.
So how do you protect yourself from the accidental loss of a device containing sensitive data? Experts recommend two strategies. One is to find a way to handle or store your mobile technology so you can't lose it easily. The other is to make sure the device has security and encryption features that make it next to impossible for anyone who happens to find it to access the data.
Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, said he has seen a recent increase of health information breaches because of the use of mobile devices. Privacy Rights, a San Diego-based consumer advocacy group focused on educating the public on how technology impacts privacy, is developing a database of all known data breaches in the United States to analyze how each breach occurred, Stephens said.
Credant Technologies, a Dallas-based data protection solutions company, noted in a 2008 survey that although more than a third of health care professionals store patient data on laptops, smartphones and USB memory sticks, most do not adequately secure the data.
Sean Glynn, vice president of product marketing at Credant, said the company surveyed smartphone users at a commuter train stop in 2009. When asked if the data on their phones were encrypted, few said yes. When the same survey was conducted among data security professionals at a trade show, the results were nearly identical.
Credant also performed the studies about mobile devices left in taxis and at dry cleaners. Those covered all devices, not just those owned by health care professionals.
People "might well protect their traditional desktop or laptop PC, but they are always buying these [portable] devices and bringing them in as their own personal devices," Glynn said.
Encrypting the data can eliminate the HIPAA obligation to notify patients of a lost device, under a provision that allows an exception if the data cannot be accessed. But in most cases, encryption is not being done.
The Healthcare Information and Management Systems Society, in a survey released in November 2009, found that despite the strengthening of HIPAA regulations, health care organizations have made relatively few changes to their security policies and procedures. For example, only 39% reported using mobile device encryption.
Rhodes likened people's attitudes towards data security to those of home security systems -- no one thinks it's necessary until something happens.
The Veterans Health Administration, for instance, now requires encryption of all mobile devices and has banned the use of thumb drives after the theft of one from an employee's home in 2006. Rhodes has seen other organizations block USB ports on desktop computers with a plug-in device or a super glue product, preventing data from being exported onto a thumb or flash drive.
He said there also are software packages that can be downloaded onto PDAs or smartphones that allow the users, in the event the device is lost or stolen, to call a phone number that automatically will erase everything from the device. There also are downloadable GPS systems that can help locate a lost device.
Smartphone and thumb-drive users also should use password protection on the devices, experts said. Use of a password to enter the system is just an additional line of defense that should be coupled with encryption -- the most effective means of protection available, they said.
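The distinction the experts draw above (a password gate is a line of defense, encryption is what actually keeps a finder out, and only encrypted data qualifies for the HIPAA notification exception) is easier to see with a small worked model. The following is an added example, not code from the article or from any vendor quoted in it. It uses only the Python standard library: PBKDF2 stretches a passphrase into keys, an HMAC-SHA256 keystream does the encryption, and an HMAC tag rejects wrong passphrases or altered data. The patient record, the passphrase and the "finder reads the storage chip directly" check are all constructed for the demonstration; a real deployment should rely on the platform's full-disk or device encryption rather than a hand-rolled construction like this one.

```python
"""Why a lock-screen password alone is not encryption (added demonstration)."""
import hashlib
import hmac
import secrets

# Constructed sample record; not real patient data.
SAMPLE_RECORD = b"MRN 000123; Doe, Jane; DOB 1970-01-01; dx: hypertension"

PBKDF2_ROUNDS = 200_000
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(passphrase: str, salt: bytes):
    """Stretch the passphrase into separate encryption and MAC keys (assumed scheme)."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (demonstration construction)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt_record(passphrase: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag; a fresh salt and nonce per record."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return salt + nonce + ct + tag


def decrypt_record(passphrase: str, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; raises on a wrong passphrase or altered data."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def storage_reveals(stored_bytes: bytes, needle: bytes) -> bool:
    """Model a finder who reads the storage directly, bypassing any lock screen."""
    return needle in stored_bytes


def demo():
    """Compare a PIN-locked device storing clear text with one storing encrypted data."""
    pin_only_storage = SAMPLE_RECORD  # the lock screen gates the UI, not the flash chip
    encrypted_storage = encrypt_record("correct horse battery staple", SAMPLE_RECORD)
    return {
        "pin_only_exposes_name": storage_reveals(pin_only_storage, b"Doe, Jane"),
        "encrypted_exposes_name": storage_reveals(encrypted_storage, b"Doe, Jane"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `storage_reveals` is that a screen lock only controls the device's own user interface; whoever pulls the storage out or boots the device from other media reads the bytes as stored, so a PIN-only device leaks the record while the encrypted one yields nothing without the passphrase. The tag check in `decrypt_record` is also why a guessed passphrase fails cleanly instead of producing garbage that might be mistaken for data.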
Rhodes said mobile devices often are lost when people are traveling, so simply being more vigilant and aware in places like an airport can help prevent many cases of data loss. For instance, sometimes people set down a laptop bag while flagging a taxi. A thief can run by, grab the bag, then throw it into a waiting car that speeds off. "Always keep the bags on your shoulder," he said.
Laptops also can disappear from security belts at airports, he said, not necessarily from theft but because many computer cases look alike. Experts suggest attaching a business card to the outside of the case.
Another line of defense is to limit the amount of data on a mobile device.
For example, Stephens of Privacy Rights Clearinghouse said he has seen cases of employees who carry an entire company database around with them. One momentary lapse of good judgment, he said, could become an expensive teaching moment.