When Security Breaches Don’t Have to Be Reported

New technologies allow healthcare organizations to manage mobile IT assets so that protected health information is never exposed

Issue

The loss or theft of computer devices accounts for four in ten healthcare data security breaches and nearly eight in ten patient records involved in those incidents, according to a recent Forrester report. The financial and reputational consequences of these breaches for hospitals, health systems, and physician groups can be very severe. Yet 41% of healthcare organizations do not use encryption to protect the data on these devices, including laptops, tablets and smartphones. And the majority of organizations don’t take advantage of other technologies that can prevent the loss and/or theft of devices and the misappropriation of protected health information.

If healthcare providers encrypted their PHI and used other techniques to verify that the data on missing devices was encrypted or to “wipe” the data from those devices remotely, they would not have to report security breaches involving those assets to patients, the media, or the Department of Health and Human Services (HHS). Since unauthorized persons could not view the PHI, those incidents would fall into a “safe harbor” within the HIPAA privacy rule. They would also not have to be reported under most state data privacy laws.

Equally important, organizations that use these technologies are protecting themselves and their customers from the largest category of security breaches. This approach not only helps providers safeguard their reputations in the communities they serve, but also minimizes the risk that they will ever face expensive class action lawsuits or government sanctions as a result of factors outside their control.

Purpose

The shift from PCs to laptops and other mobile devices, combined with the increasing mobility of healthcare workers and the targeting of healthcare by cybercriminals, has created a new security environment. To address the risks in this new world, health IT security professionals cannot simply protect their computer networks; they must also use the latest technologies to secure the mobile devices used by healthcare professionals. This paper will show how these technologies can be deployed to protect PHI both preventively and reactively, while shielding organizations from state and federal reporting requirements.

Framework

The last several years have seen an explosion of mobile device use by healthcare professionals. Physicians, nurses and ancillary professionals use laptops, tablets and smartphones not only in hospitals, but also in a range of other healthcare settings. They do so partly for convenience and partly because they are providing more and more care in ambulatory clinics and patients’ homes.

While some healthcare organizations prohibit the storage of PHI on end-user computers, many do not. As a result, a great deal of PHI is being transported every day on devices that travel with their users outside of healthcare facilities. And, whether those devices remain inside the facilities or not, a certain percentage of them go missing.

Meanwhile, criminals find it more attractive to steal healthcare information than to take most other kinds of records. Theft accounted for 83% of compromised records in 2013, and 43% of all reported identity thefts in the U.S. that year were medical identity thefts. Because health records can be used to commit lucrative kinds of fraud, patient records can command $20-$500 each on the black market, compared to $10-$12 for personal identity records and $1 for credit cards.

Large-scale data security breaches can result in huge fines for healthcare organizations, which must also report these incidents to the government and the affected patients. Class-action lawsuits can result in millions of dollars in damages.

HHS’ Office for Civil Rights expects healthcare providers to encrypt their PHI, wherever it is stored, but the majority of organizations do not. Even if they were to encrypt the data and install anti-virus applications, it would be impossible to know whether a missing device had been infiltrated and PHI stolen from it without having a remote connection with that device.

Unique persistence technology for endpoint security provides that connection so that administrators can always know where a device is, what’s on it, and whether it’s been tampered with. Moreover, the software agent that’s used to make the connection can be factory-installed in the device’s firmware so that it will automatically reinstall itself even if it’s removed.

This type of technology allows healthcare organizations to protect their hardware and software in three ways. First, it gives them the ability to reduce the number of stolen devices by alerting them immediately to the possibility that the devices have been lost or are not under the control of authorized users. Second, when it is determined that a device is missing, providers can use the technology to freeze the device or delete all or part of the data on it. Third, the application can show an organization what happened on the device before and after the theft and can also help law enforcement recover the device.

Healthcare organizations that take this kind of approach can be confident that their PHI on laptops and other mobile devices is protected and that they know where those devices are at all times. Moreover, because they can show that PHI on stolen devices has not been tampered with, they may not have to report security breaches.