HIPAA, which has traditionally focused its attention on larger entities, is now closing in on smaller organizations and smaller violations.
A hospice in Idaho has been fined $50,000 for a security breach of its electronic health information. This is the first time HIPAA has gone after a breach affecting fewer than 500 patients, and the government says the fine is “a strong message” that HIPAA-covered entities, no matter how small, “will be held accountable for safeguarding their patients’ health information.”
The action was taken against Hospice of North Idaho in Hayden, ID, which had reported the theft of a laptop that contained information for 441 patients. The hospice regularly uses laptops in its field work, and the one that was lost was unencrypted.
The penalty came because the hospice had not conducted a risk analysis to safeguard the information and also because it did not have policies and procedures for maintaining security with the mobile devices.
Security breaches come under the Health Information Technology for Economic Clinical Health Act, or HITECH, which requires HIPAA-covered entities to notify patients as well as the government and in severe cases the media of breaches in unsecured patient data, which generally means data that is not encrypted and can therefore be used.
Breaches involving 500 or more patients have to be reported to the government within 60 days. For fewer than 500 patients, the office is required to file an end-of-the-year report.
It’s the reports that most often trigger the government’s investigating, and that apparently was the case with the hospice.
Four good pieces of advice
The government offers some useful information on HIPAA safety for mobile devices. Here are four points:
• What are the greatest security threats to mobile devices?
The government lists these.
Cybercriminals. These people attack mobile devices for money. They use the data for identity theft, online fraud, and computer extortion. International cyber-criminal organizations expand that to industrial espionage and large-scale money and intellectual property theft.
Botnet operators. A botnet operator distributes malware to a large number of mobile devices and then controls their activities. Operators also attack individual mobile devices.
Hackers. Hackers sometimes attack mobile devices to gain prestige in the hacker community. Hacking today is somewhat easy. It can be done by downloading attack scripts and protocols from the internet and launching them against mobile devices.
• What’s the best way the create a strong password?
Combine three words. Then swap uppercases with lowercases and letters with numbers and symbols.
Example: privacy and security.
The weakest password:
privacyandsecurity
To strengthen it, start some words with uppercase:
PrivacyandSecurity
Add some internal uppercases:
PriVacyandSecuRity
Replace a word with a symbol:
PriVacy&SecuRity
Replace a few letters with similar-looking numbers or symbols, for example
I = 1
A = @
S = $
E = 3
C = (
I = !
T = +
The outcome is a very strong
Pr1V@cy&$3(uR!+y
• What does meaningful use for electronic health records require for mobile devices?
EHR’s Stage 2 requires a security risk analysis, and the analysis has to include encryption of the data. If patient information is stored on a mobile device, the device must be programmed to encrypt it by default.
• How should mobile devices be protected?
Any mobile device used for work needs to be kept under central security management. That means the office needs to keep track of all those devices and also take safety measures such as installing remote disabling on them. In addition, there needs to be a policy and procedure for using the devices.
Click here for guidelines on developing a mobile device policy.
And for complete information on mobile device safety, go to www.HealthIT.gov/mobiledevices.
