Why Healthcare Struggles with Mobile Device Encryption

Since encryption is now provided either out-of-the-box or through add-on products, this no- or low-cost solution can significantly reduce the likelihood of breaches from occurring on mobile devices. Yet healthcare organizations still seem to struggle with implementing encryption on mobile devices. Why?


Just consider the following three cases: Advocate Health Care experienced the second biggest HIPAA data breach in the nation after four unencrypted laptops were stolen from its facility, compromising the personal health information of more than 4 million people; Concentra Health Services had an unencrypted laptop stolen from its Springfield, Missouri, physical therapy facility; QCA Health Plan reported that an unencrypted laptop containing files on 148 people was stolen from a worker's car.

The objective of encryption is to provide confidentiality protection for information. Encryption is available and enabled by default on iPhones, iPads and Windows Phone 8 and RT devices. It's also built into BlackBerry and Android devices. BitLocker Drive Encryption became available in 2009 as part of the Windows 7 operating system.

The HIPAA breach notification rule isn’t new. Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted breach laws that require notification if non-encrypted data is exposed on a lost or stolen device. And reported breaches continually demonstrate the importance of encryption. So lack of awareness isn’t the issue.

In my experience, the primary drivers preventing the widespread implementation of mobile device encryption are a combination of competing priorities and a lack of leadership and staffing resources to make it happen. 

Not all data needs to be encrypted, which may lead some to put off the security task. But there shouldn't be any slack when it comes to encrypting non-public personal information such as Social Security numbers, dates of birth, credit card and other financial information and, of course, patient information. As a general rule, you should encrypt whatever you don't believe is safe under your existing access controls and other safeguards.

Ensuring encryption is adequately implemented falls to healthcare leaders – both on the business and IT sides of the organization. A management assessment of the current state of encryption on all of an organization's mobile devices is a good first step. This includes organizationally provisioned as well as personally owned devices that handle confidential information. If encryption is not enabled on these devices, then determine how best to implement encryption or disallow their access to confidential information. It may simply be a matter of enabling encryption on existing technologies. Healthcare organizations still using the Windows XP operating system, which lacks encryption functionality, should at minimum migrate to Windows 7.
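A concrete starting point for the assessment step above, for Windows laptops (an added example, not from the article): it records each fixed volume's BitLocker state in a CSV so machines that are unencrypted, still encrypting, or encrypted but unprotected surface in one roll-up. The share path is a placeholder, and it assumes Windows 8 or later with the BitLocker module; on Windows 7, `manage-bde -status` reports the same fields.

```powershell
# Added example, not from the article: audit one Windows endpoint's BitLocker state.
# Assumes Windows 8 / Server 2012 or later (BitLocker PowerShell module present).
# Run elevated; Get-BitLockerVolume requires administrator rights.

$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Windows XP (NT 5.x) has no BitLocker at all; the article's advice is to migrate it.
$legacyOS = [version]$os.Version -lt [version]'6.1'

$rows = foreach ($vol in Get-BitLockerVolume) {
    # Only fixed OS and data volumes hold data at rest on the device itself.
    if ($vol.VolumeType -ne 'OperatingSystem' -and $vol.VolumeType -ne 'Data') { continue }

    $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OS               = $os.Caption
        LegacyOS         = $legacyOS
        Volume           = $vol.MountPoint
        VolumeType       = $vol.VolumeType
        VolumeStatus     = $vol.VolumeStatus      # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        ProtectionStatus = $vol.ProtectionStatus  # Off also covers "encrypted but protection suspended"
        Protectors       = ($protectorTypes -join ';')
        # An escrowed recovery password (AD, MDM, a vault) is what keeps encryption from becoming data loss.
        HasRecoveryKey   = ($protectorTypes -contains 'RecoveryPassword')
        # Compliant only when fully encrypted AND protection is on; in-progress or suspended is not.
        Compliant        = ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'On')
    }
}

# One line per volume, appended to a share for fleet-wide roll-up (placeholder path).
$outDir = '\\FILESERVER\encryption-audit'
$rows | Export-Csv -Path (Join-Path $outDir "$env:COMPUTERNAME.csv") -NoTypeInformation

# Summary for whoever runs it interactively.
if ($rows | Where-Object { -not $_.Compliant }) {
    Write-Warning "$env:COMPUTERNAME has fixed volumes not fully protected by BitLocker."
} else {
    Write-Host "$env:COMPUTERNAME: all fixed volumes encrypted and protected."
}
```

Phones and tablets, including personally owned ones, cannot be checked this way; their encryption state comes from the MDM inventory, which is the place to enforce the "encrypt or deny access" decision the article describes.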

HIPAA and the Payment Card Industry (PCI) standard require confidential information to be protected from unauthorized use or disclosure no matter where it is. This means that if any of this data ends up on a mobile device, then it must be protected. Therefore, the goal state should be to have encryption enabled on all mobile devices.

The primary lesson to be learned is that the cost of encrypting mobile devices is far less than the cost of a data breach and its mitigation, as well as of potentially being fined, penalized or sued. Consider: last week the HHS Office for Civil Rights fined Concentra Health Services $1.7 million and QCA Health Plan $250,000 for their data breaches.
