The objective of encryption is to provide confidentiality protection for information. Since encryption is now provided either out-of-the-box or through add-on products, this no- or low-cost solution can significantly reduce the likelihood of breaches from occurring on mobile devices.† Encryption is available and enabled by default on iPhones, iPads and Windows Phone 8 and RT devices. Itís also built into BlackBerry and Android devices. BitLocker Drive Encryption became available in 2009 as part of the Windows 7 operating system.†
Yet healthcare organizations still seem to struggle with implementing encryption on mobile devices. Why?†
The HIPAA breach notification rule isnít new. Forty-seven†states, the District of Columbia, Guam, Puerto Rico†and the Virgin Islands have enacted breach laws that require notification if non-encrypted data is exposed on a lost or stolen device. And reported breaches continually demonstrate the importance of encryption. So lack of awareness isnít the issue.
In my experience, the primary drivers preventing the widespread implementation of mobile device encryption are a combination of competing priorities and a lack of leadership and staffing resources to make it happen.†
Not all data needs to be encrypted, which may lead some to put off the security task. But there shouldnít be any †slack when it comes to encrypting any non-public personal information such as Social Security numbers, dates of birth, credit cards and other financial information and, of course, patient information. As a general rule, you should encrypt what you donít believe is safe with your existing access controls and other safeguards.
Ensuring encryption is adequately implemented falls to healthcare leaders Ė both on the business and IT sides of the organization. Doing a management assessment of the current state of encryption on all an organizations mobile devices is a good first step. This includes organizationally provisioned as well as personally owned devices that handle confidential information. If encryption is not enabled on these devices, then determine how best to implement encryption or disallow their access to confidential information. It may simply be a matter of enabling encryption on existing technologies. Healthcare organizations still using the Windows XP operating system, which lacks encryption functionality, should minimally migrate to Windows 7.††
HIPAA and the Payment Card Industry (PCI) standard require confidential information to be protected from unauthorized use or disclosure no matter where it is. This means that if any of this data ends up on a mobile device, then it must be protected. Therefore, the goal state should be to have encryption enabled on all mobile devices.
The primary lesson to be learned is that the cost of encrypting mobile devices is far less than the cost of a data breach and mitigation as well as potentially being fined, penalized or sued.† Consider: †last week the HHS Office for Civil Rights fined Concentra Health Services $1.7 million and QCA Health Plan $250,000 for their data breaches.