Protecting PHI on Devices: Essential Steps

OCR Stresses Need to Physically Secure and Track Devices
While the federal tally of major health data breaches appears to show that healthcare entities and their vendors are improving their encryption practices for computing and storage devices, regulators are urging organizations to avoid overlooking the importance of physically securing these devices and tracking their locations to help safeguard protected health information.
"Anyone with physical access to electronic computing devices and media, including malicious actors, potentially has the ability to change configurations, install malicious programs, change information or access sensitive information," the Department of Health and Human Services notes in the September edition of its monthly e-newsletter advisory.
While HIPAA requires covered entities and business associates to limit physical access to their electronic information systems and the facilities in which they are housed, organizations are also required to implement policies and procedures that govern the receipt and removal of hardware and electronic media containing electronic PHI into and out of an organization's facilities, as well as their movement within a facility, the HHS Office for Civil Rights notes.
Implementing processes to govern the movement of electronic devices and media may vary depending on the type of device and media, the agency states.
"For example, once installed, an organization may not need to move or relocate a server or desktop computer for the entirety of its lifecycle within the organization," OCR writes. "Alternatively, portable electronic devices and media, like smartphones, tablets, laptops, USB thumb drives and CDs/DVDs, are designed to be highly mobile and may move frequently into, out of, and within an organization's facilities. Portable devices and media thus present an added challenge as they are more susceptible to theft and loss."
Organizations can use various methods to govern and track the movement of electronic devices and media, the agency explains.
"For instance, small organizations with fewer assets may be able to use manual processes, whereas larger organizations may use specialized inventory management software and databases," OCR says.
Some inventory management solutions can be used in conjunction with a bar-code system or radio frequency identification tags to quickly organize and identify devices and media, the agency says. "These systems may allow for easier, quicker and more accurate tracking and verification of implemented controls."
Aside from tracking devices, healthcare entities and vendors appear to be learning the importance of encrypting computing and storage devices to prevent reportable breaches. Incidents involving the loss or theft of unencrypted computing devices and storage media appear to be declining.
The use of encryption in many cases provides a safe harbor for reporting incidents involving lost or stolen computing devices containing protected health information.
"The HIPAA Breach Rule specifies the encryption must meet FIPS 140-2. However, the risk assessment process of the HIPAA Breach Rule could also demonstrate that even if the encryption is not FIPS 140-2, it may be strong enough - based on certain factors - to also avoid a breach notification," says Tom Walsh, president of consulting firm tw-Security.
Encryption is becoming less expensive and less difficult to implement, as well, he notes. "Encryption is easy to enable for most smartphones. For iPhones, just adding a passcode or some other user authenticator will encrypt the data."
So far in 2018, 29 breaches involving the loss or theft of unencrypted computing or storage devices, affecting a total of about 84,500 individuals, have been reported to HHS, according to OCR's HIPAA Breach Reporting Tool website. But since 2009, 726 major health data breaches impacting 17.1 million individuals have involved the loss or theft of unencrypted computing or storage devices.
The largest of those incidents involved the theft of four unencrypted computers in 2013, impacting about 4 million individuals from a physician practice office of Advocate Health Care. The organization was eventually slapped with a $5.5 million HIPAA settlement as a result of an investigation into that computer theft, as well as two smaller breaches.
"Encryption remains both a really good practice in general and a practice where its practical use is evolving in real time," says privacy attorney Kirk Nahra of the law firm Wiley Rein. But, he stresses: "Tracking is needed and appropriate independent of encryption."
The most recent OCR advisory should have highlighted the importance of encryption to safeguard data on those and other devices, rather than just mentioning encryption in passing, says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
"It is a huge oversight on the part of the OCR to not emphasize the need to encrypt data not only in device storage, but also for data in transit," Herold says.
Nevertheless, tracking tools should indeed be implemented, along with remote wipe tools, Herold adds.
The use of personally owned computing devices - such as smartphones - poses additional risks, she says.
"With the hyper-connected networks that most organizations now have, businesses cannot depend upon just a firewall to keep out hackers and unauthorized network interlopers," Herold says. "Our networks are now very porous, with so many of our authorized users using personally owned devices that attach to the business networks - devices that are often also attached to internet-of-things devices, cloud services and unlimited numbers of other types of devices. And, these personally owned devices also often have many apps loaded on them."
These employee-provided apps, IoT devices and cloud services all create potential pathways into the business environment, Herold says. "Because of these, personal data, and all other types of sensitive and confidential data, needs to be encrypted in all storage locations."
Plus, personally owned devices used to access patient data should be included in device inventories, she stresses.
"Employees need to be told what types of devices are acceptable; then the organization needs to enforce these rules consistently," Herold adds. "Employees need to be held accountable for breaking the rules, and they need to have training about using their own devices on the business network. Employees should also be asked to explicitly agree to following these rules."
BYOD poses risks to organizations that are often difficult to address, Walsh says.
"The smaller size of devices and ease of access to data is making it difficult to track where PHI could be stored, especially on portable media such as a USB drive," he says. "Covered entities and business associates typically do not search employees for portable media as they leave the facility. Even if they did, how do you prove/disprove the media has PHI stored on it in a timely fashion? You cannot."