Never doubt the importance of securing devices both physically and with encryption. Failing to do so could end up costing a bundle.
That lesson was learned the hard way by Lahey Hospital and Medical Center in Burlington, MA. The story dates back more than four years to when a seemingly minor theft led to a huge fine.
Unprotected storage area
Lahey first reported that a laptop was stolen from an unlocked treatment room in the hospital on Oct. 11, 2011. The unencrypted laptop contained electronic protected health information (ePHI) for 599 individuals, so the theft was reported to the U.S. Dept. of Health and Human Services (HHS).
HHS found that Lahey failed to conduct an accurate analysis of risks to ePHI, didn’t have procedures for moving equipment containing ePHI around or out of the facility, and failed to assign unique usernames and keep tracking information for those who used the workstation, among other failures.
Just last month, the terms of a settlement with HHS were announced. And it was a doozy.
As a result of the agreement, Lahey is required to:
- pay a fine of $850,000
- conduct an organization-wide risk analysis of all the equipment and services that it owns, leases or controls
- develop or revise written policies and procedures on transporting or removing hardware and electronic media that maintain ePHI
- install programs that “record and examine activity in information systems that contain or use workstations that maintain ePHI utilized in connection with diagnostic/laboratory equipment”
- train users who deal with ePHI on its policies and procedures, and more.
While encryption alone may not have been enough in this case, it’s important to remember: encrypting devices with access to this sensitive information could go a long way toward preventing a nightmare situation like this.
Plenty of offenders
This hospital is by no means the first one to run afoul of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
According to the Verizon 2015 Protected Health Information Data Breach Report, physical breaches of PHI were the most common in the past year, with 677 total incidents. That was followed by errors (524 incidents), misuse (362), hacking (215), malware (110), and social (50).
The top three incident patterns for this compromised information were lost and stolen assets, privilege misuse and miscellaneous errors.
What it means for everyone
But having policies isn’t enough. You also need to make sure users follow them every time. Some keys for doing so:
- Discipline violations. Companies need to be sure users are complying with their policies, and disciplining and documenting any violations is essential to ensuring those policies are actually followed rather than merely paid lip service.
- Make it personal. Tie your policies into how your workers would like to be treated. Ask them to think about how furious they would be with a company that revealed their personal information online. Then remind your users that it’s not a faceless corporation that loses data; it’s individuals like themselves.
- Train every level. Security training is an absolute must, not just for newly hired employees. In fact, the more tenure an employee has, the more information they’re generally privileged to access. That makes retraining and regular security reminders a must.