Misplaced Mobile Devices Lead to HHS Investigations, Millions in Fines
Encryption and keeping confidential information off laptops and cellphones are among the ways to prevent breaches.
The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), has levied millions of dollars in settlements and fines against health care providers whose protected health information (PHI) was compromised when laptops were stolen.
In 2012, Concentra Health Services in Springfield, Missouri, was investigated after an unencrypted laptop was stolen, and it ultimately paid more than $1.7 million to HHS. That same year, Arkansas' QCA Health Plan, Inc., reported an unencrypted laptop stolen from an employee's car, compromising the data of 148 patients. QCA paid a $250,000 fine and was required to update its risk analysis and risk management plan, retrain its workforce, and keep documentation of ongoing compliance.
But in 2016 the breaches, and the fines, only grew. The University of Mississippi Medical Center (UMMC) settled multiple violations that were uncovered after a laptop went missing from its intensive care unit. UMMC was required to adopt a corrective action plan and pay HHS $2.75 million. Oregon Health & Science University paid $2.7 million after numerous violations were found in an investigation triggered by its reports that two unencrypted laptops had been stolen.
The only way to eliminate this risk entirely would be to stop using laptops. Since that is not an option, read on for how to prevent mobile devices from going missing and how to protect them if they are stolen.
There are two reliable ways to avoid breaches from mobile devices. The first is to prohibit employees from using their own mobile devices for work: employer-owned laptops and phones are used, and they stay on site. The second is not to store confidential information on mobile devices at all. If there is no PHI on the device, it cannot be stolen with it.
If PHI must be on devices that leave the office, a few relatively simple measures help secure them. The first is encryption. Encryption is an "addressable" implementation specification under the HIPAA Security Rule rather than a strict requirement, but there is a strong incentive to use it: under the HHS breach notification rule, PHI encrypted in line with HHS guidance is not considered "unsecured" PHI, so the loss of a properly encrypted device generally does not have to be reported as a breach. For that reason most consultants recommend full-disk encryption on every mobile device.
Two more safeguards are malware protection and timely updates. Anti-malware software should be installed on mobile devices to block the download of malware or other unwanted programs, and operating-system and application updates should be applied as soon as they are available, since they patch the known vulnerabilities that allow a device to be compromised.
Another layer of protection is strong, individual passwords. In the UMMC investigation, 67,000 files were accessible using a generic username and password rather than individual credentials; a shared login also means the audit trail cannot show who actually accessed a record. Experts recommend passwords of at least eight characters that mix letters, numbers and special characters, and avoiding dictionary words with a number appended, such as "Doctor123."
Jen Stone, a security analyst with SecurityMetrics based in Orem, Utah, said another good option is to use biometrics, like thumbprint access, on devices if possible.
Having a laptop stolen not only compromises the information on the device; it also gives the perpetrators a potential entry point into your network. One way to determine how this can be avoided is to perform a thorough risk assessment.
“If you perform that, then you are going to know what the organization's threats and vulnerabilities are,” Stone said. “That exercise can help organizations decide what their risk profile and appetite [for mitigating those risks] is.”
A risk assessment will show you the trail that leads from the device to the information at your business. It will also help you understand where the "bad guys" can be slowed down and detected, Stone said.
One of the layers to protect is your connection. An encrypted or private connection (such as a VPN) makes it harder for someone to get into your system. Other options, according to Stone, are firewalls to restrict access, or intrusion protection programs that identify and block unrecognized devices from entering the system.
Stone also recommends a tool that logs what is happening in the system. It creates audit trails and signals when an account or device is being used abnormally. For instance, if a physician is only supposed to be working during the day and that account accesses information late at night, the tool sends an alert so connectivity can be cut. Finally, there are programs (mobile device management tools) that allow you to remotely wipe the information from a device if it is lost or stolen.
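The off-hours alert Stone describes is, at its core, a simple rule evaluated over access logs. The Python below is an added example, not code from the article or from SecurityMetrics. The log format, the account schedules and the device inventory are all constructed for illustration. It goes slightly beyond the quoted case by also flagging access from a device that is not in the inventory and use of an account that has no schedule at all, since a stolen laptop is exactly the kind of "unrecognized device" that shows up in such a log.

```python
"""Flag abnormal PHI access in an audit log: off-hours use, unrecognized devices,
unknown accounts. Added example; the log format and all data below are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample audit log (not real data). Hypothetical format:
#   <ISO-8601 timestamp> user=<account> host=<device name> action=<verb> record=<patient id>
SAMPLE_LOG = """\
2016-07-12T09:14:03 user=dr.patel host=ICU-LAPTOP-07 action=view record=MRN100234
2016-07-12T13:40:51 user=dr.patel host=ICU-LAPTOP-07 action=view record=MRN100981
2016-07-12T23:52:17 user=dr.patel host=UNKNOWN-PC action=export record=MRN100234
2016-07-13T02:05:44 user=dr.patel host=UNKNOWN-PC action=export record=MRN100981
2016-07-13T10:20:09 user=nurse.kim host=WARD-WS-02 action=view record=MRN100455
this line is malformed and is skipped by the parser
"""

# Hypothetical schedules: the local-time window in which each account is expected to be active.
SCHEDULES: Dict[str, Tuple[time, time]] = {
    "dr.patel": (time(7, 0), time(19, 0)),   # day shift
    "nurse.kim": (time(6, 0), time(18, 0)),
    "night.rn": (time(22, 0), time(6, 0)),   # night shift: window wraps past midnight
}

# Hypothetical device inventory: hosts the organization issued and expects to see.
KNOWN_HOSTS: Set[str] = {"ICU-LAPTOP-07", "WARD-WS-02"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: datetime
    user: str
    host: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    try:
        event["ts"] = datetime.fromisoformat(event["ts"])
    except ValueError:
        return None  # shape matched but the timestamp is not parseable
    return event


def in_window(t: time, window: Tuple[time, time]) -> bool:
    """True if t falls inside [start, end]; handles windows that cross midnight."""
    start, end = window
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def detect(log_text: str,
           schedules: Dict[str, Tuple[time, time]] = SCHEDULES,
           known_hosts: Set[str] = KNOWN_HOSTS) -> List[Alert]:
    """Run the three rules over every well-formed line and return the alerts raised."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue  # malformed line: skipped here; in production, count these too
        ts, user, host = event["ts"], event["user"], event["host"]
        window = schedules.get(user)
        if window is None:
            # No schedule means nobody expects this account to touch PHI at all.
            alerts.append(Alert(ts, user, host, "unknown account"))
        elif not in_window(ts.time(), window):
            alerts.append(Alert(ts, user, host, "off-hours access"))
        if host not in known_hosts:
            alerts.append(Alert(ts, user, host, "unrecognized device"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts.isoformat()} {a.user}@{a.host}: {a.reason}")
```

In the constructed log, only the two late-night exports from the unlisted host raise alerts, each for two reasons. In a real deployment these alerts would be forwarded to whatever monitoring console the organization uses so that the session can be cut, as Stone describes; the rules are kept deliberately simple so that every alert explains itself to the person reviewing it.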
Once you have secured your mobile devices, train staff on how to use them safely. Two important points: avoid suspicious emails, and plug only trusted devices, such as known USB drives and peripherals, into a work computer.
Most importantly, do not use public wi-fi networks at Starbucks, an airport, or a hotel. Some organizations even configure their computers to prohibit connecting to public wireless networks.
"Using unsecured wi-fi opens a hole for people who know how to get in," Stone said. "They can go right down that tunnel with you and get your information."
Once staff have been trained, document the training along with the policies and procedures the organization follows for mobile device protection. This may all seem daunting, but Stone said a good security specialist should be able to help you through the process. She recommends using security professionals rather than general IT staff. IT knows the systems, but security people know how they are used and the paths that lead to your information.