Lifespan Health System Hit With $1 Million HIPAA Fine
Hefty Penalty After Theft of Unencrypted Laptop
… “Additionally, sometimes the problem is that if the administrative console for managing device encryption cannot definitively prove that a lost or stolen device was encrypted, an organization in that situation has to assume the worst and declare a breach,” notes Keith Fricke, principal consultant at tw-Security.
… Healthcare organizations should conduct routine audits of encrypted devices, Fricke stresses. “This can be achieved through periodic review of the management console used to administer encrypted endpoints. Specifically, IT staff should look for devices that have not reported into the encryption console in a while.”
The IT department also should work closely with those ordering supplies to make sure that endpoint devices being ordered “are coming through IT upon receipt, so that encryption can be enabled and managed on company-owned devices,” he adds.
Finally, both covered entities and business associates need to remind the workforce that ePHI should not ever be saved to the hard drive of their laptop or portable device – and they must not copy confidential information to a personally owned device, he notes.
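The console audit Fricke describes can be scripted against an export of the encryption management console. The sketch below is an added example, not part of the original article or any vendor's tooling; the CSV column names, the 30-day threshold and the sample rows are assumptions constructed for illustration. It flags devices that have gone silent as well as devices whose encryption cannot be confirmed from the record.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; column names are assumptions, not a real console's format.
SAMPLE_EXPORT = """device_id,owner,encryption_status,last_check_in
LT-0001,alice,encrypted,2024-05-28T09:15:00
LT-0002,bob,encrypted,2024-02-10T14:02:00
LT-0003,carol,pending,2024-05-30T08:00:00
LT-0004,dave,encrypted,
LT-0005,erin,,2024-05-29T17:45:00
"""

def audit_devices(export_text, as_of, max_silence_days=30):
    """Return {device_id: [findings]} for every device needing follow-up."""
    cutoff = as_of - timedelta(days=max_silence_days)
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        # Anything other than an explicit "encrypted" is treated as unproven.
        status = (row.get("encryption_status") or "").strip().lower()
        if status != "encrypted":
            issues.append("encryption not confirmed (status=%r)" % status)
        raw = (row.get("last_check_in") or "").strip()
        if not raw:
            issues.append("never reported in")
        else:
            try:
                seen = datetime.fromisoformat(raw)
            except ValueError:
                issues.append("unparseable check-in time")
            else:
                if seen < cutoff:
                    issues.append("silent for %d days" % (as_of - seen).days)
        if issues:
            findings[row["device_id"]] = issues
    return findings

if __name__ == "__main__":
    for dev, issues in audit_devices(SAMPLE_EXPORT, datetime(2024, 6, 1)).items():
        print(dev, "->", "; ".join(issues))
```

Running the audit on a schedule and keeping its output gives a dated record of each device's last confirmed encryption state.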