According to HIPAA rules, it is not enough for medical facility devices to have passwords - they must be encrypted to keep patient data safe.

Hospital’s laptops lacked proper encryption software to keep data safe

This blog has previously discussed the importance of medical facilities keeping patient information secure. While the industry has been under high scrutiny lately for data breaches, it’s crucial for these organizations to conduct thorough risk analyses to see where their weaknesses may lie.

The Press-Citizen, an Iowa City newspaper, reported that a deputy state auditor found that about half of more than 500 laptops issued to University of Iowa Hospitals and Clinics (UIHC) employees last summer did not have the encryption software necessary to protect sensitive information. The report was released on Monday, and showed the lack of security could seriously compromise data like patient registrations, scheduling and billing information if any staff members’ devices are stolen.

Deputy State Auditor Andy Nielsen told the news source that while the devices were password-protected, it would not be difficult for tech-savvy hackers to break through. According to The Health Insurance Portability and Accountability Act of 1996 (HIPAA), all portable electronic devices containing sensitive patient information must be encrypted.

“Encryption and destruction – like shredding papers – are the only methodology for rendering what we call … protected health information … unusable, unreadable and indecipherable to anyone who’s not supposed to be looking at it,” Rachel Seeger, spokeswoman for the U.S. Department of Health & Human Services Office for Civil Rights, told the Press-Citizen. She would not comment on whether UIHC’s case was a HIPAA violation.

When companies conduct thorough risk assessments, it’s important that they account for security measures, especially when sensitive data is at stake. Along with proper encryption methods, disaster recovery planning will ensure that all employees are educated on the best ways to keep information safe.

Unless companies fully plan for data breach situations, business resumption can be difficult. Not only does it take time to retrieve missing information, but reassuring customers that the situation will not happen again could be tricky. However, with comprehensive risk analyses, creating a comprehensive recovery plan will be easier.