Stopping Laptop Breaches: Key StepsIn-Depth Risk Assessments Often Are Lacking
Risk assessments must go far beyond a focus on HIPAA compliance issues, says Berger, CEO of Redspin, a data security services firm. "Mere compliance doesn't cut it. You really need to dig deeper in your HIPAA security risk analysis to look at technical issues, operational issues and organizational issues," he says. "For instance, you can't claim to have done a comprehensive HIPAA risk analysis if you've never detected that 100,000 patient records were on an unencrypted laptop."
As part of their risk assessments, organizations need to pinpoint where patient data is stored and determine whether it's essential that any sensitive information be kept on laptops, Berger notes. In those rare cases where patient information needs to be stored on a laptop, the data must always be encrypted, he stresses in an interview with Information Security Media Group.
"Unencrypted laptops pose the biggest threat, and therefore deserve highest priority attention," he says.
Redspin's recently released annual breach report analyzing health data breach trends found that about 35 percent of major breaches in 2013 involved lost or stolen unencrypted portable computing devices, especially laptops.
In the interview, Berger also discusses:
- Why many healthcare providers do a poor job encrypting devices;
- Steps healthcare organizations should take to ensure their business associates are safeguarding health information on mobile devices;
- Why healthcare organizations should consider a narrower "choose your own device" policy for employees using personally owned mobile devices for work-related purposes rather than using a less restrictive bring your own device policy.
Berger is president and CEO at Redspin Inc., an IT security assessment company based in Santa Barbara, Calif. Before joining Redspin, Berger spent 25 years in the global networking industry, holding senior sales, marketing and general management positions in companies ranging from the Fortune 500 to ground-floor start-ups.