Guest Column | September 21, 2016

What's Your Strategy When HIPAA-Protected Data Literally Flies Out the Window?


By Cam Roberson, Director of the Reseller Channel, Beachhead Solutions

User frustration with technology is one thing. But aggravations that turn into veritable threats to data security? Those tend to be a touch more serious. And safeguarding all the places sensitive data ends up gets seemingly more complex by the year, thanks to the bevy of laptops, phones, and tablets we employees need to get our work done (whether those are company-issued devices or not). Too often, though, these devices are lost, stolen, or mishandled; too often organizations are left playing Monday morning quarterback when that happens. If you want to be convinced of keeping otherwise-exposed data encrypted and secure, I have a story for you.

At a particular group home in the Midwest — where a managed service provider (MSP) we work with delivers technology and security services — there are always devices on site that contain electronic Personal Health Information (ePHI). Sometimes, the desire to use these devices expands beyond just the staff.

But first, some background. At healthcare facilities such as these — just as at any organization handling this type of sensitive information — HIPAA privacy protections legally require ePHI be protected in accordance with certain standards, including data encryption. Any data breach where unencrypted ePHI is exposed must be reported to government authorities. Fail to implement satisfactory security measures, and you’re likely looking at a hefty fine.

The news on recent data breaches provides no shortage of cautionary tales where poor data security practices have led to small and medium-sized healthcare organizations facing fines sizable enough to put them at risk of going out of business. And, often more harmful than the fines, the public reporting of data breaches means an organization that isn’t careful with private data will suffer a damaging blow to its reputation (certainly not the way to attract and retain business).

At medical facilities like the aforementioned group home, the business owners and managers may understand the requirements of HIPAA with considerably more clarity than the employees that commonly use the devices and systems accessing ePHI. Clear communication and employee training is perhaps step one for maintaining data security, as encryption is only effective if users are careful with their credentials (and don’t leave logged in sessions unattended). In the story I’m about to relate, I’m glad to report the data security measures held steadfast — even though they seem to have made one attempted user a tad irate.

Occasionally, a resident at one of the group homes in question will become frustrated because the devices there are only available to the staff. In one such incident, our Managed Service Provider (MSP) colleague was called in because a laptop wasn’t functioning and seemed to be in need of repair. The MSP attempted to check the status of the computer remotely, but it wasn’t showing up as being online, so the company dispatched a technician to the site to investigate.

When he pulled up to the building, he saw the laptop lying on the lawn, right by the sidewalk, with signs of extensive physical damage. It had been there all day, easily visible to vehicles and pedestrians passing by on a busy street. How it wasn’t stolen was beyond me — perhaps chalk it up to Midwest morals. The laptop got there, as we later found out, when a resident of the home had gotten upset at not being able to access the system and flung it right out the window. For hours it sat on the lawn, unbeknownst to staff.

While it was fortunate no one swiped the computer, the MSP did in fact know the ePHI involved was safe because of the encryption in place on the machine. So, even if some opportunistic person snatched the laptop off the lawn and tried to access the data inside, the encryption protection meant they would be no closer to causing a data breach than if they’d left it lying there. In short, having a strategy in place to remotely manage and monitor the sensitive data on the group home’s devices saved everyone’s butts. MSPs work with clients that often enough have laptops, tablets or phones containing ePHI stolen — it happens. But making sure these incidents do not rise to the level of a reportable breach is key.

Healthcare organizations subject to HIPAA would be wise to equip employees with the knowledge to understand the severity of the law, and the vulnerabilities they can guard against while they access sensitive data. It’s also essential to support them with data security technology that provides encryption and other safeguards. With the right tools and the right training, an organization can all but ensure they are protected, even when someone manages to heave their devices into the front yard.

About The Author
Cam Roberson is the Director of the Reseller Channel for Beachhead Solutions, a company that designs cloud-managed mobile device security tools.