If 2014 is any indication of things to come in the healthcare industry, then mobile security will be a high priority moving forward. The Office of Civil Rights (OCR) division of The Department of Health and Human Services has sent a clear message that companies will face stiff penalties if they experience a data breach due to lax security policies in regards to mobile devices.
The OCR made clear that HIPAA IT compliance is a top concern by issuing big fines. On April 22nd, OCR announced that it had reached settlements with Concentra Health Services, an urgent care services provider based in Louisville, Kentucky, and QualChoice Arkansas, a health insurance provider based in Little Rock, Arkansas. The two settlements amounted to $2 million, and both companies ended up in that situation after stolen laptops were found to have had insufficient protection for the companies’ data.
The Concentra Case
The Incident: In late 2011, an unencrypted laptop was stolen from The Springfield Missouri Physical Therapy Center, a facility owned by Concentra. After the theft was reported, along with the fact that the stolen laptop had been used to access sensitive data, OCR launched an investigation into the matter.
The Discovery: Multiple risk analyses performed prior to the incident showed that Concentra had been fully aware of the risk inherent in the company’s lack of encryption and protection on employee devices (including tablets, laptops, and medical equipment). Concentra had put a plan in place to begin encrypting these devices, but never saw the process through to completion.
The Cost: For their disregard of security and patient privacy, Concentra was forced to pay over $1.7 million in fines.
The QCA Case
The Incident: QCA made its breach report in 2012 after an employee’s laptop was stolen from a car. The laptop contained the personal health information of 148 people. This laptop was also unencrypted.
The Discovery: QCA was found to be in violation of several HIPAA requirements regarding Privacy and Security.
The Cost: A $250,000 fine. QCA must also retrain all employees on cyber-security and compliance, and must submit an updated risk analysis and risk management plan.
The Implications within Healthcare
OCR wanted to send out a message with these rulings. Susan McAndrews, OCR’s Deputy Director of Health Information Privacy, said in a statement:
Covered entities and business associates must understand that mobile device security is their obligation. Our message to these organizations is simple: Encryption is your best defense against these incidents.
The Concentra and QCA cases reveal a troubling trend within the world of healthcare: an astonishing lack of security on devices. Verizon recently did a study into data breaches and discovered that 46% of all breaches occurred on unencrypted devices. Of that number, companies in the healthcare industry were among the worst offenders.
For many reasons, the healthcare industry has been stuck in a rut of lax security. There are some practical reasons for this, chiefly that doctors and nurses – often operating in fast-paced, time-sensitive situations – don’t want to restrict the flow of information with extra passwords and encryption. However, because critical information is on the line in a modern era of unceasing digital attacks, the industry needs to change its ways in order to adapt to the times.
A Secure Option
One simple option for healthcare providers is to use a secure file sharing service that streams patient information rather than storing it on individual devices. With a snap-in API integration, file security can be added to the workflows practitioners already use to share information.
This type of security allows for:
- Files, images and videos to be pinned to specific devices, so that they do not fall into the wrong hands.
- Remote wipes that delete critical files on demand, which would be invaluable in situations such as a lost or stolen device.
- Restricted or disabled downloading, saving, printing and forwarding, to keep information from being shared without authorization.
With OCR making it clear that healthcare companies need to be compliant, all companies in the industry need to make a concerted effort to protect critical information, if not for their customers’ sake, then for the sake of their own finances. It is time that the industry treats digital security as the serious issue that it is, and that all options towards solving these problems be explored.
Learn more about protecting your company’s devices with an easy API solution that adds a security layer to all digital distribution methods.