I was recently asked a question by national HIPAA expert Jon Tomes concerning whether or not medical professionals should encrypt hard drives on their laptops in order to secure protected health information (“PHI”). The scenario that Jon presented to me was as follows:
A doctor has a laptop. On that laptop, he has a small amount of data, and because our hypothetical doctor is an ear, nose, and throat specialist (“ENT”), the data consist of patient record numbers and associated wav files containing audiology tests. Jon further said that this laptop contained no other patient data, demographic or otherwise—that is, no electronic medical record (“EMR”) containing PHI. He also said that this laptop had a strong alphanumerical password of no less than 64 characters for both the basic input/output system (“BIOS”) and operating system (“OS”) access but no hard drive or file level encryption. Our hypothetical doctor then proceeds to leave this laptop on a subway train never to be seen again.
The question:
Given that the only patient identifying information on the laptop was the patient record number and given that all the associated data was a series of beeps and bloops from an audiology test, should the hard drive have been encrypted, or was the strong password protection enough?
Before I answer this question, let me just remind my readers that this scenario is an incident that must be documented and trigger a breach investigation. Whether or not this particular scenario rises to the level of a breach is a question that I will leave for another article.
Now, as to the question at hand about encryption, in the year 2000, the number one reason for laptop theft in the United States was for resale. The thief or opportunist who found the laptop on the subway would generally reformat the hard drive, reload an operating system, and toss it up on eBay (or as I like to call it, America’s fence). As laptops became ubiquitous, and everyone and their brother had them, the resale market for these stolen laptops plummeted. Some of the best business people in the world are thieves and opportunists. They are excellent at adapting their business models to account for changing markets. When these same entrepreneurs saw that their resale business wasn’t working anymore, they turned their nefarious attentions to the data on the laptops. They quickly realized that people kept their lives on these things and were really lax about security.
Our hypothetical doctor was subject to the same frailties and lack of security (and common sense) as most of the rest of us. Not only did he have the aforementioned PHI on the laptop, but he also had a spreadsheet titled “my passwords.xls” containing the password to every EMR system and website that he had ever had access to, a document called “my patients Holiday Card list.doc” containing a list of patients and their addresses that he uses to send cards every year, another spreadsheet called “my pins and credit cards.xls” containing, well, frankly, a data thieves’ dream, giving them access to his financial life. Even with all this data, who cares that the doctor has a strong alphanumerical password 64 characters long? Impenetrable, right? Wrong! Data thieves could care less about this password because, as long as that hard drive is not encrypted, all they have to do is open up that laptop, extract the hard drive, and plug it into a $20 USB reader available at any Staples. Because of no encryption, all the data is accessible. Because the hard drive is detached from the original laptop, there is no BIOS password. And last, because this hard drive is being read from another computer with its own operating system, there is no OS password. In essence, the data is wide open and ripe for harvest.
Had our hypothetical doctor spent about $120, he could have done a whole disk AES 256 bit encryption of his hard drive. Had the good doctor taken this step, our data thief would have connected the drive to the USB reader and been completely frustrated because, without the decryption key, the data on the drive would be inaccessible.
In today’s data driven world, not only do I think that all laptops in support of health care should be encrypted with whole disk encryption, but also I firmly believe that all computers, including desktops, should be encrypted. Further, I believe that it is irresponsible and, in my opinion, negligent not to encrypt.
By implementing this cost effective safeguard in today’s data age, medical professionals will meet both HIPAA compliance standards and protect their patients, their practices, and their reputations.
Michael O’Hara is a HIPAA and technology expert. Michael is the owner and CTO of KB Computing, LLC, and is dedicated to assisting the medical vertical with being compliant and guiding his customers on policy, practice, and procedures.