APR 30, 2014 11:19am ET

Why Healthcare Struggles with Mobile Device Encryption


Just consider the following three cases: Advocate Health Care experienced the second biggest HIPAA data breach in the nation after four unencrypted laptops were stolen from its facility, compromising the personal health information of more than 4 million people; Concentra Health Services had an unencrypted laptop stolen from its Springfield Missouri Physical Therapy facility; QCA Health Plan reported that an unencrypted laptop containing files on 148 people was stolen from a worker’s car. 

The objective of encryption is to provide confidentiality protection for information. Since encryption is now provided either out-of-the-box or through add-on products, this no- or low-cost solution can significantly reduce the likelihood of breaches from occurring on mobile devices.  Encryption is available and enabled by default on iPhones, iPads and Windows Phone 8 and RT devices. It’s also built into BlackBerry and Android devices. BitLocker Drive Encryption became available in 2009 as part of the Windows 7 operating system. 

Yet healthcare organizations still seem to struggle with implementing encryption on mobile devices. Why? 

The HIPAA breach notification rule isn’t new. Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted breach laws that require notification if non-encrypted data is exposed on a lost or stolen device. And reported breaches continually demonstrate the importance of encryption. So lack of awareness isn’t the issue.

In my experience, the primary drivers preventing the widespread implementation of mobile device encryption are a combination of competing priorities and a lack of leadership and staffing resources to make it happen. 

Not all data needs to be encrypted, which may lead some to put off the security task. But there shouldn’t be any  slack when it comes to encrypting any non-public personal information such as Social Security numbers, dates of birth, credit cards and other financial information and, of course, patient information. As a general rule, you should encrypt what you don’t believe is safe with your existing access controls and other safeguards.

Ensuring encryption is adequately implemented falls to healthcare leaders – both on the business and IT sides of the organization. Doing a management assessment of the current state of encryption on all an organizations mobile devices is a good first step. This includes organizationally provisioned as well as personally owned devices that handle confidential information. If encryption is not enabled on these devices, then determine how best to implement encryption or disallow their access to confidential information. It may simply be a matter of enabling encryption on existing technologies. Healthcare organizations still using the Windows XP operating system, which lacks encryption functionality, should minimally migrate to Windows 7.  

HIPAA and the Payment Card Industry (PCI) standard require confidential information to be protected from unauthorized use or disclosure no matter where it is. This means that if any of this data ends up on a mobile device, then it must be protected. Therefore, the goal state should be to have encryption enabled on all mobile devices.

The primary lesson to be learned is that the cost of encrypting mobile devices is far less than the cost of a data breach and mitigation as well as potentially being fined, penalized or sued.  Consider:  last week the HHS Office for Civil Rights fined Concentra Health Services $1.7 million and QCA Health Plan $250,000 for their data breaches.

Comments (0)

Be the first to comment on this post using the section below.

Add Your Comments:
Not Registered?
You must be registered to post a comment. Click here to register.
Already registered? Log in here
Please note you must now log in with your email address and password.

Blog Archive for Brian Evans

Have You Assessed Your Incident Response Program Lately?
3 Ways to Secure Healthcare’s Biggest IT Vulnerabilities
Building A Security-Aware Culture
Overcoming Vulnerability Management Challenges
Are You Measuring Your Security Program’s Effectiveness?

More from Brian Evans »

Blog Index »

loading time...
Sponsored by

Stay Connected


Providers have ideas for software vendors and regulators on how to make the next stage of meaningful use a bit more realistic.

Already a subscriber? Log in here
Please note you must now log in with your email address and password.