- Some HIPAA covered entities are under the misguided impression that desktop computers in the workplace do not require as much security as laptop computers. Desktops account for fewer data breaches for a variety of reasons, including their limited portability and their declining share of workplace deployments, but they are still PHI storage devices and therefore require the same level of protection as any other device that stores sensitive medical data.
AlertBoot, a leading provider of mobile device management and full disk encryption managed services, would like to remind HIPAA covered entities and their business associates that desktop computers are not magically immune to ePHI data breaches. Desktop computers require the same level of security that is extended to any other computing device that stores electronic PHI (ePHI), which includes medical data and personally identifiable information.
“In the past month, we have heard of multiple instances where covered entities have professed that desktop computers do not require security, let alone encryption software to protect PHI, because HIPAA doesn’t list it as a requirement,” said Tim Maliyil, founder and CEO of AlertBoot. “This couldn’t be further from the truth. HIPAA requirements – and enforcement actions by the Department of Health and Human Services’ Office of Civil Rights – are focused on data protection, regardless of the device ePHI is stored in. Thus, no devices are specifically listed as requiring security, including laptop computers, desktop computers, and devices like smartphones and tablets. But no one goes around saying laptop security is unnecessary. I don’t understand why people think that desktop computers are an exception.”
Under the Security Rule, covered entities must conduct a risk analysis, and encryption of ePHI at rest is an “addressable” implementation specification: if the risk analysis concludes that encrypting a particular device is not reasonable and appropriate, the entity must document that reasoning and implement an equivalent alternative safeguard. The risk analysis could show that desktop computer encryption is not necessary, but if the computer does store ePHI, chances are that some other comparable form of security will be required.
The Breach Notification Rule must also be taken into consideration. The Final Omnibus Rule discarded the “harm standard” that gave covered entities leeway in deciding whether to report a data breach. Under the current rule, an impermissible use or disclosure of unsecured PHI is presumed to be a reportable breach unless the covered entity can demonstrate, through a documented risk assessment, a low probability that the PHI has been compromised. For a lost or stolen device, the question reduces to: “Can you prove that there is a low probability of the PHI having been compromised?”
Encryption that follows NIST guidance (for data at rest, NIST Special Publication 800-111) satisfies that condition: PHI encrypted in this way is not “unsecured PHI,” so the loss or theft of the device does not trigger notification, provided the decryption key was not compromised along with it. A key written on a note taped to the machine, or a device stolen while powered on and unlocked, forfeits that protection. For this reason, the use of encryption is heavily encouraged by HHS and OCR when it comes to PHI security. And while they will not officially state that encryption is a requirement, data breach settlements and penalties paint the true picture: any device that stores patient data must be secured, preferably by cryptographic means.
Indeed, one of the largest HIPAA settlements in 2013 was with a covered entity whose breach centered on the hard disk drive inside a returned photocopying machine. The obvious lesson is that, if photocopiers are not exempt, OCR will not go easy on a data breach that results from a desktop computer’s lack of proper security.
AlertBoot Data Security offers a cloud-based data and mobile device security service for companies of any size that want a scalable and easy-to-deploy solution. Centrally managed through a secure web-based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe and lock, device auditing, and USB drive and hard disk encryption managed services.
Headquartered in Las Vegas, AlertBoot is trusted by thousands of companies worldwide as part of their bring your own device (BYOD) and mobile information management (MIM) strategy.
For more information on AlertBoot Mobile Security solutions, please visit http://www.alertboot.com/.