Here’s what it should have done to avert disaster.
Let’s start with a quick quiz. What are the three types of data breaches?
Be prepared for physical theft—not just hacker attacks.
With all the emphasis on hacking, ransomware, phishing attacks, and other types of electronic thievery, let’s not forget that one of the most egregious data breaches is the simplest: plain ole absconding with a piece of hardware. Today, we’ll focus on the first topic: physical theft.
In November of last year, a health-care provider was the victim of a burglary where thieves walked out of one of the practice locations with a backup imaging server in their arms. A review of the server confirmed it contained protected health information of 21,601 individuals, including names, social security numbers, health insurance information, radiology imaging, and/or other related medical information. In response to the break-in, the hospital has implemented additional security measures to prevent further exposures of patient data.
Don’t store unsecured PHI.
While dealing with the theft of a memory device such as a backup server is a real hassle, one tiny procedure can keep that theft from turning into a real disaster. Encryption is a get-out-of-jail-free card.
In the case mentioned above, the backup server was not encrypted. How do we know this? Simple. The health care provider reported the theft as a data breach. Had the server been encrypted, it wouldn’t have constituted a breach, and would not have been a reportable event. Let’s repeat that one line for effect: Had the server simply been encrypted, it wouldn’t have constituted a breach and would not have been a reportable event. Too good to be true? According to 78 FR 5639 and 5644; 74 FR 42741-42, 42765,1 “Encryption which satisfies HIPAA standards is not “unsecured”; accordingly, its loss does not require a breach report.” With that thought in hand, how do you keep your patients’ PHI safe from physical theft?
Do these action items.
- Your server should be physically secured, ideally to the building structure, behind a second locked door in your office location. Any portable memory devices, such as portable hard drives, laptops, and memory stick devices should be secured just as you would a bank deposit bag. If you’re taking them somewhere, keep them in the trunk of your car, out of sight, or, if possible, on your person.
- Encrypt your data. Encrypt your data. Encrypt your data. There—the third time’s the charm. Can it be a hassle to encrypt your memory devices? Sure. But paying a knowledgeable IT person to set it up on your devices is a drop in the bucket compared to the time, anguish, and hundreds of thousands of dollars you’re going to spend dealing with a data breach.
If you don’t retain anything else, remember this: If you’re a dental practice owner, regarding assets, you can be compared to a bank officer. A bank keeps its assets in a vault. One of your largest assets (and liabilities) is located on your memory devices. If they’re encrypted, you also have your “assets in a vault.” If they’re not encrypted, it’s like you’re leaving your bank’s front door and vault door wide open 24/7. Not a good idea. Let’s be careful out there!
1Sec 164-402 (2)(iii)