One-fourth of reported HIPAA breaches involve laptops

Last year, the HHS Office for Civil Rights started posting online a list of reported breaches of unsecured health data affecting at least 500 people. About one-quarter of all listed incidents involved laptops, and close to one-eighth were the result of a lost or stolen portable device or USB drive.

Keep in mind that these are all breaches of unsecured protected health information. And how can you secure data to guard against HIPAA lapses? "As organizations continue to see that laptops are going to be lost or stolen, organizations need to know the three rules of laptops: encrypt, encrypt, and encrypt," William M. Miaoulis, manager of healthcare security services for Phoenix Health Systems in Dallas, tells HealthLeaders Media. "When data is encrypted organizations can avoid the high cost of the HITECH breach notifications requirements."

Nancy Davis, the privacy and security officer at Ministry Health Care in Sturgeon Bay, Wis., recommends that healthcare organizations stop storing PHI on hard drives and removable media, encrypt their laptops, offer remote access only through secure channels and strictly enforce privacy and security policies.

One security consultant estimates that it costs about $150 to encrypt the hard drive of a laptop--far less than the cost of responding to a breach and paying for credit monitoring for hundreds or thousands of patients.

To learn more:
- take a look at this HealthLeaders story
- see the web page listing breaches reported to OCR

Related Articles:
Laptops stolen from Veterans Affairs, N.M., Medicaid contractors were not encrypted
Report: Healthcare organizations may have a false sense of data security