Recent Enforcement Shows the Importance of Encrypting Mobile Devices Containing Protected Health Information
With headlines every day announcing another release of Protected Health Information (PHI), providers are asking themselves – is there a way to protect against these breaches?
Beyond improving the security of large systems, attention is needed to protect PHI contained in laptops and other mobile devices, which account for a large percentage of PHI breaches.
In order to safeguard the confidentiality, integrity and availability of all electronic protected health information created, received, maintained, or transmitted, all covered entities and business associates must (1) protect against any reasonably anticipated threats or hazards to the security or integrity of such information; and (2) protect against any reasonably anticipated unauthorized uses or disclosures of such information. 45 C.F.R. § 164.306(a).
One way to comply with this rule is to encrypt electronic PHI to allow access only to individuals who are authorized to view the PHI. 45 C.F.R. § 164.312(a)(2)(iv). Encryption is a standard solution and is an effective tool to prevent against unauthorized access to data.
Encryption under the HIPAA Regulations means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key. 45 C.F.R. § 164.304.
The safeguard arising from encryption is particularly relevant now because of the widespread use of mobile devices, such as laptops, iPads, and portable disk drives by health care providers. Press reports indicate that several recent unauthorized releases of unencrypted PHI resulted from the loss or theft of these mobile devices.
The 2014 Bitglass Healthcare Breach Report analyzed data from the Department of Health and Human Services breach records and found the following:
68% of healthcare data breaches since 2010 occurred when devices or files were lost or stolen, with only 23% due to hacking; and
48% of breaches involved a laptop, desktop, or mobile device.
As these numbers show, health care providers need to focus on securing and protecting PHI on mobile devices. If possible, physicians and others who have access to PHI on mobile devices should avoid storing PHI on laptops, USB memory sticks, and other mobile devices. If storage of PHI on a mobile device is necessary, health care providers should require that these devices be encrypted, both in transit and in storage, and that they are able to remotely wipe data on lost or stolen devices.