In 2012-2013, the University of Texas MD Anderson Cancer Center had three data breaches involving unencrypted devices. An unencrypted laptop had been stolen from an employee’s home, and they had lost two unencrypted USB thumb drives. These incidents compromised the electronic protected health information (ePHI) of 33,500 individuals. Upon investigation, the Office for Civil Rights (OCR) found that MD Anderson had had encryption policies and had found in their risk analysis that their unencrypted devices created a high level of risk. Yet, MD Anderson was slow to implement a solution and failed to encrypt their devices between 2011 and 2013. Taken together, their negligent lack of action led to three data breaches and a $4.3 million fine from the OCR. Nevertheless, MD Anderson contended that HIPAA did not require them to encrypt their devices.
Why Do I Need Data Encryption?
Unencrypted portable devices are a major security risk. If they fall into the wrong hands, your data will be defenseless. That’s why the HIPAA Security Rule requires you to encrypt your ePHI. MD Anderson and many other organizations fail to see the difference between required and addressable rules. Encryption is addressable. However, addressable doesn’t mean optional. It means you must implement the rule or adopt a similar solution. If your organization has a justifiable reason for why you can’t use encryption, you must find a similar method of securing your ePHI.
3 Steps to Implementing Encryption
Start implementing encryption in your organization by taking these three steps:
- Conduct a risk analysis. You can’t protect what you don’t know is at risk. Risk analysis helps you discover any threats and vulnerabilities that may compromise the security of your ePHI. In their risk analysis, MD Anderson found its areas of high risk; the problem was that they failed to act upon their findings.
- Take inventory of your assets that store or transmit ePHI. MD Anderson failed to encrypt their devices over a three-year period. It’s vital that you don’t overlook any devices, including employees’ personal devices that they use to access ePHI. You may need to encrypt these devices as well.
- Create encryption policies and procedures. Put the encryption process on paper and then implement it. MD Anderson took a lax approach to following their own policies, a dangerous practice when it comes time for an OCR audit. Additionally, you should train your staff on how to securely use devices and systems containing ePHI.
Encryption can sound like a daunting and time-consuming task. However, you can often encrypt devices using tools already built into them. Touch base with your IT team about the current state of data encryption and take steps to improve device security. To help you create a culture of security compliance, HIPAAtrek helps you keep track of policies and procedures, as well as staff training and security reminders. Request a demo or contact us to learn more.