TIP #1 – ENCRYPT ALL LAPTOPS
We are not going to get into the details of data encryption and you don’t need to fully understand what data encryption is to understand the benefits. The HIPAA Security Rule states that if patient data is encrypted and the data is lost or stolen there is no need to notify patients or report the breach.
The official term for this is that encryption is a Safe Harbor under the HIPAA Security Rule, but we like to call it the “get out of jail free card”. If you lose a laptop with patient information and it is encrypted, you can act, for HIPAA compliance purposes, as though it was never lost. If you fail to encrypt mobile devices and get breached, the cost can devastate your practice.
It costs less than $100 a year to encrypt a laptop. Encryption usually has no noticeable effect on using the laptop and only requires a password to be entered when you first start up the laptop.
We have heard arguments from clients that “our laptops don’t have any patient data on them so why should we encrypt them?” While it may be true that you did not intend the laptop to contain patient information, the fact is it COULD contain patient information.
There could be emails with patient information; spreadsheets, documents, or PDFs with patient information could be stored on the laptop; reports downloaded from an EMR could be on the laptop.
If a laptop is lost or stolen, the process of trying to figure out what data was stored on it would likely cost you much more than the cost of encrypting the laptop in the first place. The bottom line: if your laptops are encrypted, you no longer have to worry about a HIPAA breach if they are lost or stolen.
TIP #2 – MINIMIZE THE USE OF PORTABLE DEVICES AND THE AMOUNT OF DATA ON PORTABLE DEVICES
To reduce the risk of losing patient information stored on a portable device, make it a practice not to use portable devices. Raise your employees’ awareness of the risks of portable devices. Write a memo or send an email to all employees stating that the use of portable devices to store patient information is frowned upon. If employees must use portable devices, then the amount of patient information stored on the devices should be only the minimum needed.
If USB drives must be used, then only use encrypted USB drives. While it is true that encrypted USB drives are more expensive than non-encrypted USB drives, the cost is not prohibitive. Just search for “encrypted USB drives” – there are plenty.
TIP #3 – ENCRYPT ALL BACKUPS
If you are still using tapes to back up your data, then ensure that they are encrypted. Backup tapes hold all your data. If a backup tape is lost or stolen, you could have a very large data breach. Don’t assume your IT people are using encryption on your backup tapes. Have a conversation with your IT people and confirm that they are encrypting your tapes. Most backup software supports data encryption, but it must be enabled first.
TIP #4 – ENSURE YOU HAVE A STARTUP PASSWORD AND INACTIVITY TIMEOUT ON YOUR SMARTPHONE
Smartphones such as iPhone, Android, Windows Phone and BlackBerry may contain patient information. More and more smartphones are used to access EMRs, imaging systems, etc. In addition, more and more patient information is contained in emails between physicians, physician assistants, billing departments, etc. Smartphones are easily lost or stolen and represent a risk to the patient information they may contain. So what can be done to protect that information in the event that a smartphone is lost or stolen?
There are many safeguards you can put in place to reduce the risk of data breaches caused by smartphones. Here are 3 safeguards that will go a long way to minimize the impact if your phone is lost or stolen.
1. Minimize the amount of patient data that is sent via email
2. Protect your smartphone by ensuring that a start-up password and an inactivity timeout have been implemented
3. Implement data encryption on your smartphone
You can reduce the impact of a lost smartphone by minimizing the amount of patient data that is on the phone. By implementing a start-up password and an inactivity timeout and using data encryption, you reduce the likelihood that patient information is compromised if the phone is lost or stolen.
TIP #5 – IMPLEMENT GOOD PASSWORD CONTROLS
Passwords are the key to protecting systems that contain patient information. The stronger the passwords your employees use, the more secure your systems are. Here are a few inexpensive ways to implement good password controls.
Encourage employees to use complex passwords that contain upper and lower case letters, special symbols such as “@ ! $ % &”, and numbers. The more complex the password, the harder it is to guess or crack. Keep in mind that your employees probably have so many different passwords that they will not be happy to have another one, especially if it is hard to remember. To respond to any employee resistance, you will have to make sure they understand the importance of protecting patient information and the importance of using complex passwords.
DON’T WRITE PASSWORDS DOWN
Passwords should not be written down. They should not be stuck to monitors on yellow sticky notes. They should not be on a piece of paper under the keyboard. Passwords, like credit card and Social Security numbers, should be protected and not shared.
LOCK ACCOUNTS AFTER FAILED PASSWORD ATTEMPTS
Accounts should be locked after a number of failed password attempts. For example, if an employee enters their password incorrectly 5 times, the account should be locked and require the network administrator to unlock it. Account lockouts stop passwords from being guessed, whether by hand or with the automated tools hackers use to break into accounts. Needing to have an account unlocked may be a little inconvenient, but account lockouts are a very effective way to protect patient information from unauthorized access.
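As an added illustration (not code from the original article), here is a minimal implementation of the lockout rule described above: five consecutive failed attempts lock the account, a successful login resets the counter, and only an administrator's unlock clears the lock. The account names and login events are constructed for the example.

```python
MAX_FAILED_ATTEMPTS = 5  # lockout threshold used in the article's example


class LockoutPolicy:
    """Lock an account after N consecutive failed logins; only an admin unlocks."""

    def __init__(self, threshold: int = MAX_FAILED_ATTEMPTS) -> None:
        self.threshold = threshold
        self.failed: dict[str, int] = {}   # consecutive failures per account
        self.locked: set[str] = set()

    def record(self, user: str, success: bool) -> str:
        """Apply one login attempt and return the decision."""
        if user in self.locked:
            # Even a correct password is rejected while locked, so guessing
            # the right one after the lockout gains an attacker nothing.
            return "rejected-locked"
        if success:
            self.failed[user] = 0  # a successful login resets the counter
            return "allowed"
        self.failed[user] = self.failed.get(user, 0) + 1
        if self.failed[user] >= self.threshold:
            self.locked.add(user)
            return "locked"
        return "failed"

    def admin_unlock(self, user: str) -> None:
        """Only an administrator clears the lock and resets the counter."""
        self.locked.discard(user)
        self.failed[user] = 0

    def is_locked(self, user: str) -> bool:
        return user in self.locked


# Constructed sample login events: (account, password was correct?)
SAMPLE_EVENTS = [
    ("jsmith", False), ("jsmith", False), ("jsmith", True),   # 2 misses, then ok
    ("rjones", False), ("rjones", False), ("rjones", False),
    ("rjones", False), ("rjones", False),                     # 5th miss locks it
    ("rjones", True),                                         # correct but rejected
]


def run_sample(events=SAMPLE_EVENTS) -> list[str]:
    """Replay the events through a fresh policy; one decision per event."""
    policy = LockoutPolicy()
    return [policy.record(user, ok) for user, ok in events]
```

Note that the locked account rejects even the correct password, which is what makes the lockout effective against guessing tools.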