Lost Laptop Puts 1,500 Patients at Risk — Pointing to Need for HIPAA Asset Management
An employee of Philadelphia’s Department of Behavioral Health and Intellectual Disability Services (DBHIDS) lost an unencrypted laptop on public transportation. The laptop contained the PHI of 1,500 patients, including name, date of birth, MCI number, and information regarding Medicaid waiver services. Many of the laptops used by DBHIDS were encrypted; the laptop in question was not.
Alicia Taylor, spokeswoman for the organization, stated, “DBHIDS is thoroughly investigating causes of this incident and taking appropriate corrective actions, including re-training the employees involved, providing additional privacy/security training to the DBHIDS workforce, and continuing to review practices and implement additional controls to prevent this type of incident from occurring in the future. Immediately after the incident occurred, the DBHIDS IT team ensured all other laptops currently in use were encrypted.”
Encryption is an “addressable” implementation specification under the HIPAA Security Rule, so the decision to encrypt is left to each organization’s risk analysis, but any laptop that leaves an organization’s physical site should always be encrypted. The distinction matters after a loss: data on a properly encrypted device is considered unreadable, so the loss of that device generally does not have to be reported as a breach, whereas the loss of an unencrypted device does. Had DBHIDS maintained an effective asset management program, the inventory would have shown that this laptop held ePHI, left the building, and was not encrypted, and the gap could have been closed before the device was lost.
What is Asset Management?
Asset management, in regards to HIPAA, refers to tracking and maintaining any device that stores or accesses electronic protected health information (ePHI). Although not explicitly mandated by HIPAA law, asset management addresses several requirements of the HIPAA Security Rule. The Security Rule requires organizations to maintain a record of the movements of hardware and electronic media and of any person responsible therefor. Part of asset management is taking an inventory of all devices that access ePHI and recording which person(s) use each device.
Additionally, the HIPAA Security Rule requires an organization to identify where ePHI is stored, maintained, received, or transmitted; asset management addresses this as well. In the event of a HIPAA audit, the Office for Civil Rights (OCR) will ask management how the location and movement of media and hardware containing ePHI is tracked, and will obtain and review the organization’s policies and procedures, evaluating their content against the audit criteria for tracking the location of ePHI media and hardware.
What is an Effective Asset Management Program?
Developing an effective asset management program allows an organization to track and maintain its devices. The asset inventory should be updated whenever a device is added, retired, or reassigned, and whenever an employee joins or leaves the organization. At a minimum, each record should include the device name, the employee(s) who use the device, whether the device stores or accesses ePHI, whether it is encrypted, its operating system, and the age of the device. Recording device age and operating system facilitates business operations: it ensures that outdated systems that no longer receive updates are identified and replaced in a timely manner rather than discovered during an audit or after a breach.
Running an outdated operating system such as Windows XP puts patient data at risk. Microsoft no longer supports Windows XP with security updates, so newly discovered vulnerabilities in it are never patched, and a device still running it is far more likely to be involved in a data breach.
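The following is an added example of the kind of inventory check described above; it is illustrative code written for this article, not DBHIDS’s or HHS’s code. The field names, the five-year replacement age, the sample devices, and the hard-coded end-of-support dates are assumptions made for the example (the two Windows dates are the vendor’s published ones, but in practice the table would be maintained from the vendor lifecycle pages). It records custody changes as the Security Rule’s “record of movements” and flags the three conditions the article is concerned with: an ePHI-bearing portable device without full-disk encryption, an operating system past vendor support, and a device past its replacement age.

```python
"""Minimal HIPAA-style asset inventory check (added illustration, not DBHIDS code)."""
from dataclasses import dataclass, field
from datetime import date

# Vendor end-of-support dates. Two entries are hard-coded here for illustration;
# a real inventory would keep this table current from the vendor's lifecycle pages.
OS_END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}

# Assumed policy value: replace hardware older than this.
REPLACEMENT_AGE_YEARS = 5

# Reference date for the sample audit below (assumed).
AS_OF = date(2018, 1, 1)


@dataclass
class Asset:
    asset_id: str
    device_name: str
    custodian: str                  # employee currently responsible for the device
    purchased: date                 # used to derive device age
    os: str
    full_disk_encryption: bool
    stores_ephi: bool               # does the device store or access ePHI?
    leaves_site: bool               # laptop/tablet that is taken off premises
    movements: list = field(default_factory=list)   # (date, from, to) custody log

    def age_years(self, as_of: date) -> float:
        return (as_of - self.purchased).days / 365.25


def transfer_custody(asset: Asset, new_custodian: str, on: date) -> None:
    """Record a hardware movement and who is responsible for it afterwards."""
    asset.movements.append((on, asset.custodian, new_custodian))
    asset.custodian = new_custodian


def unencrypted_portable_ephi(inventory):
    """Devices that hold ePHI, leave the building, and lack full-disk encryption."""
    return [a.asset_id for a in inventory
            if a.stores_ephi and a.leaves_site and not a.full_disk_encryption]


def end_of_life_os(inventory, as_of: date):
    """Devices whose operating system is past vendor support on the given date."""
    return [a.asset_id for a in inventory
            if a.os in OS_END_OF_SUPPORT and as_of >= OS_END_OF_SUPPORT[a.os]]


def over_age(inventory, as_of: date, max_age_years: int = REPLACEMENT_AGE_YEARS):
    """Devices older than the replacement threshold."""
    return [a.asset_id for a in inventory if a.age_years(as_of) > max_age_years]


def audit(inventory, as_of: date) -> dict:
    """Run all three checks and return the findings keyed by check name."""
    return {
        "unencrypted_portable_ephi": unencrypted_portable_ephi(inventory),
        "end_of_life_os": end_of_life_os(inventory, as_of),
        "over_age": over_age(inventory, as_of),
    }


# Constructed sample inventory: fictitious devices and custodians.
SAMPLE_INVENTORY = [
    Asset("LT-001", "clinic-laptop-01", "a.smith", date(2016, 3, 1), "Windows 10", True, True, True),
    Asset("LT-002", "clinic-laptop-02", "b.jones", date(2015, 6, 15), "Windows 10", False, True, True),
    Asset("WS-003", "intake-desktop", "c.lee", date(2009, 1, 20), "Windows XP", False, True, False),
    Asset("LT-004", "admin-laptop", "d.kim", date(2017, 9, 9), "Windows 10", False, False, True),
]


def sample_audit() -> dict:
    """Audit the constructed inventory as of AS_OF."""
    return audit(SAMPLE_INVENTORY, AS_OF)


if __name__ == "__main__":
    for check, ids in sample_audit().items():
        print(f"{check}: {ids or 'none'}")
```

In the sample, LT-002 is the DBHIDS scenario (ePHI, off-site, no encryption), WS-003 is flagged both for an unsupported OS and for age, and LT-004 is not flagged for encryption because it holds no ePHI. A real program would drive these records from the organization’s MDM or endpoint agent rather than a hand-maintained list, but the fields and checks are the same.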
Behavioral health practices handle protected health information (PHI) regularly, and as such must take precautions to safeguard this sensitive information. The Department of Health and Human Services (HHS) recommends ten cybersecurity practices that anyone handling PHI needs to implement; this installment covers asset management. (Each of these HHS-outlined practices is examined in its own article, labeled Part I through XI for your convenience.)
This is Part VI of the XI-part blog series. You can also read Parts I to V below:
- Phishing Emails and Why Encryption Software is Warranted
- Using Clinical Email (Part II): Secured Email Protection Systems
- Securing your Network (Part III): Endpoint Protection Systems
- Limiting PHI Exposure (Part IV): Access Management
- Data Protection (Part V): Data Loss Prevention