But the features of laptops — primarily portability and ever-larger hard drives — have made laptops a key vulnerability to data breaches due to loss or theft. According to insurers and the FBI, a laptop theft occurs in the United States approximately once every 12 seconds. In healthcare, there have been numerous — and alarming — data breaches involving laptops. Here are just a few recent reported data breaches that involved patient and/or physician data:
- 1/25/2006, Providence Home Services, Portland, Ore. 365,000 patient records
- 10/23/2006, Sisters of St Francis Health Services, Indianapolis. 260,000 patient records
- 12/14/2006, Emory University et al., in Pennsylvania and Tennessee. More than 63,000 patient records
- 2/14/2007, Kaiser Medical Center, Oakland, Calif. 22,000 patient records
- 3/23/2007, Group Health Coop, Seattle, Wash. 31,000 patient records
- 12/17/2007, West Penn Allegheny Health System, Pittsburgh. 42,000 patient records
- 1/29/2008, Horizon Blue Cross Blue Shield, Newark, N.J. 300,000 patient records
- 3/24/2008, National Institutes of Health, Bethesda, Md. 4,359 patient records
- 11/1/2008, Baylor Health Care System, Dallas, Texas. 100,000 patient records
- 12/2/2008, U.S. Army. 6,000 patient records
- 9/2/2009, Naval Hospital, Pensacola, Fla. 38,000 patient records
- 10/6/2009, BlueCross BlueShield Association, Chicago. 850,000 physician records
- 11/25/2009, Aurora St. Luke's Medical Center, Milwaukee, Wis. 6,400 patient records
If you analyze the list above, there are several immediately startling things. First, the sheer number of breaches, and the number of patient records involved, is staggering. Second, the list contains some large and well-known healthcare providers, where one would think they take seriously the issues of HIPAA Security Rule compliance and industry best practices, and one would expect they have the resources and skills necessary to prevent such serious breaches.
The Oct. 2009 breach involving BlueCross BlueShield is especially troubling, because the laptop stolen from the parked car in Chicago contained both social security numbers and provider numbers (NPIs) of many of the physicians. For those physicians who use their SSN as their federal tax ID, this is even more ominous and potentially damaging.
Our experience in healthcare shows that laptops are typically not treated with the care and attention they require. Frequently, physicians and others in an ASC or a medical practice purchase a laptop with "their own money" and therefore consider it personal property, not subject to HIPAA Security Rule compliance. That is completely incorrect. Any electronic device or storage media that connects in any way to an ASC's network, even if only occasionally, is subject to compliance and needs to be protected.
For laptops and all other portable electronic devices, you should take extra care to ensure that all EPHI is protected, including the use of encryption, embedded GPS-tracking capabilities and remote data delete/system disablement tools. The most critical measure is to never store any important business or clinical information on a laptop in the first place. It should instead be stored on a centralized server architecture protected by security features such as mirrored hard drives, anti-malware software and a hardware firewall, and governed by an extensive and robust user security scheme. Portable and remote devices should only be used to access those files over a secure connection, and should not be used to store any data locally. This is required by the HIPAA Security Rule.
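The "never store EPHI locally" rule is only as good as your ability to verify it. The following is an added example, not code from the original article or from QSE Technologies: a small residue scanner that walks a laptop's user directory looking for the two identifiers the article singles out, social security numbers and physician NPIs. It assumes a plain-text file set (the sample files it writes are constructed for the demo), uses a formatted-SSN pattern, and validates NPI candidates with the public check-digit rule (Luhn over the constant prefix "80840" plus the 10 digits), so ordinary 10-digit phone numbers are not reported as NPIs.

```python
import re
import tempfile
from pathlib import Path

# Formatted SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Any bare 10-digit run is only a *candidate* NPI until the check digit passes.
NPI_CANDIDATE_RE = re.compile(r"\b\d{10}\b")


def luhn_total(digits: str) -> int:
    """Luhn sum: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def is_valid_npi(candidate: str) -> bool:
    """NPI check digit: Luhn over '80840' + the 10-digit NPI must be divisible by 10."""
    if len(candidate) != 10 or not candidate.isdigit():
        return False
    return luhn_total("80840" + candidate) % 10 == 0


def scan_text(text: str) -> dict:
    """Return SSN hits and check-digit-valid NPI hits found in one text blob."""
    return {
        "ssn": SSN_RE.findall(text),
        "npi": [c for c in NPI_CANDIDATE_RE.findall(text) if is_valid_npi(c)],
    }


def scan_tree(root: Path, suffixes=(".txt", ".csv", ".log")) -> dict:
    """Walk a directory; report files (relative POSIX paths) holding SSN/NPI residue.

    Only the listed text-like suffixes are inspected; binary formats would
    need their own extractors (an assumption of this example, not of the article).
    """
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the audit
        hits = scan_text(text)
        if hits["ssn"] or hits["npi"]:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def write_constructed_sample(root: Path) -> None:
    """Constructed sample files for the demo; the values are not real people or providers."""
    (root / "clinic").mkdir()
    (root / "clinic" / "export.csv").write_text(
        "patient,ssn,attending_npi\n"
        "DOE JANE,123-45-6789,1234567893\n"
    )
    # A phone number and a 10-digit string with a bad check digit: neither is an NPI.
    (root / "notes.txt").write_text(
        "Called front desk at 5551234567; no NPI 1234567890 on file.\n"
    )
    # Suffix not in the scan list, so this file is deliberately not inspected.
    (root / "readme.md").write_text("SSN 123-45-6789 in an unscanned file type\n")


def run_demo() -> dict:
    """Build the constructed sample in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_constructed_sample(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, hits in run_demo().items():
        print(f"{rel_path}: {len(hits['ssn'])} SSN, {len(hits['npi'])} NPI")
```

Run this periodically against a laptop's user profile (or against a laptop before it is reissued) and treat any hit as a policy violation to be removed from the device, not as data to keep. The NPI check-digit test matters: without it, every phone number and account number on the machine would surface as a false positive and the report would be ignored.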
Marion Jenkins, PhD, is founder and CEO of QSE Technologies, which provides IT consulting services for ASCs and other medical facilities nationwide. Learn more about QSE Technologies at www.qsetech.com.