Jessica Sweeb
Associate Editor
Loyola University Chicago School of Law, JD 2019
Despite all the preventive measures that hospitals and health care systems put in place to stop data breaches, employees at these entities still carry unsecured, unencrypted laptops that are susceptible to cybersecurity attacks. A report from a cybersecurity protection organization stated that a majority of the high-risk scenarios occurring in health care entities were due to unsecured laptops. These unsecured laptops can lead to massive data breaches and can result in hefty fines imposed by the Office for Civil Rights. Proper encryption, tracking software, and rarely leaving laptops unattended are a few ways that employees and organizations can help safeguard protected health information and prevent data breaches.
Deficiencies in data protection
Clearwater CyberIntelligence Institute, a company that started in 2018, works toward protecting patient safety against cybersecurity threats. A report conducted by the Clearwater CyberIntelligence Institute found that 70% of all high-risk scenarios for laptop vulnerabilities in hospitals and health care systems are due to three issues: (1) endpoint data loss, (2) dormant accounts, and (3) excessive user permissions. Endpoint data loss is the largest laptop vulnerability that hospitals and health care systems face.
There are numerous deficiencies that contribute to this significant vulnerability. The Clearwater CyberIntelligence report found that nearly all of the laptops in the study (roughly 99%) had deficiencies in locking down external ports, such as USB, CD, and DVD ports. Locking down these ports is what prevents users from exporting sensitive patient information to external storage drives. Additionally, more than half of the laptops (around 63%) had deficiencies in which users were storing data locally instead of accessing the organization's data through secure desktop software. Finally, around 53% of the laptops had deficiencies in data loss prevention tools. These data loss prevention tools are designed to screen all communications in order to prevent sensitive data from being sent to unauthorized individuals.
Similar to the Clearwater CyberIntelligence report, the Department of Health and Human Services (HHS) found that over one third of all data breaches that occurred in hospitals or health care systems in 2017 involved a laptop, a mobile device, or a desktop computer. All of the data breaches reported to HHS involved unsecured health information and affected over 500 individuals.
Implications for health care systems
What does this all mean in terms of protected health information? Having unprotected laptops can lead to major data breaches, which can result in hospitals and health care systems owing a significant amount of money in penalties to the Office for Civil Rights for violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In 2018, the Office for Civil Rights settled ten cases and secured one judgment, which together totaled $28.7 million.
For example, in June 2018, an administrative law judge for HHS ruled in favor of the Office for Civil Rights against the University of Texas MD Anderson Cancer Center (MD Anderson). MD Anderson was ordered to pay $4.3 million in civil monetary penalties for its HIPAA violations. The Office for Civil Rights investigated three separate incidents at MD Anderson following its mandatory breach reports for 2012 and 2013. In one of the incidents, an unencrypted laptop was stolen from the home of an MD Anderson employee. Although MD Anderson did have encryption policies, its own risk analyses showed that its lack of device-level encryption posed a high risk to the security of protected health information.
How to secure laptops and prevent further data breaches
Organizations and risk management companies offer numerous tips for protecting laptops from cybersecurity threats. The first tip is to protect the laptop itself. Encryption, keeping records of that encryption, and using strong passwords significantly help safeguard protected health information. Additionally, using software that tracks the location of the laptop and having clear-cut policies on how to secure laptops are imperative for laptops that will be used by employees regularly working with protected health information and patient data.
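The deficiencies described in the Clearwater report and the safeguards listed above are the kind of thing a compliance team checks against a device inventory. The following is an added example, not code from the original post or from Clearwater: it audits a constructed laptop inventory for the page's findings (unencrypted devices, missing encryption records, unlocked external ports, locally stored protected health information, missing data loss prevention agents, dormant accounts). The column names and the 90-day dormancy threshold are assumptions for this example.

```python
import csv
import io

# Constructed sample inventory; column names are assumptions, not a real export format.
INVENTORY_CSV = """asset_tag,owner,disk_encrypted,encryption_recorded,ports_locked,local_phi,dlp_agent,last_login_days
LT-001,clinic-a,yes,yes,yes,no,yes,3
LT-002,clinic-b,no,no,no,yes,no,12
LT-003,billing,yes,no,yes,yes,yes,140
LT-004,research,yes,yes,no,no,no,7
"""

DORMANT_DAYS = 90  # assumed threshold for treating an account as dormant

def yes(value):
    return value.strip().lower() == "yes"

def assess(row):
    """Return the list of deficiencies found on one laptop record."""
    findings = []
    if not yes(row["disk_encrypted"]):
        findings.append("no device-level encryption")
    elif not yes(row["encryption_recorded"]):
        findings.append("encryption not recorded (no evidence for an audit)")
    if not yes(row["ports_locked"]):
        findings.append("external ports (USB/CD/DVD) not locked down")
    if yes(row["local_phi"]):
        findings.append("PHI stored locally instead of via secure desktop")
    if not yes(row["dlp_agent"]):
        findings.append("no data loss prevention agent")
    if int(row["last_login_days"]) > DORMANT_DAYS:
        findings.append("dormant account")
    return findings

def risk_level(row):
    """An unencrypted laptop holding PHI locally is the MD Anderson scenario: highest risk."""
    if not yes(row["disk_encrypted"]) and yes(row["local_phi"]):
        return "high"
    return "medium" if assess(row) else "low"

def audit(csv_text):
    """Map each asset tag with at least one deficiency to its findings and risk level."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = assess(row)
        if findings:
            report[row["asset_tag"]] = {"risk": risk_level(row), "findings": findings}
    return report

if __name__ == "__main__":
    for tag, entry in audit(INVENTORY_CSV).items():
        print(f"{tag} [{entry['risk']}]: " + "; ".join(entry["findings"]))
```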
Laptops should also rarely be left unattended. If a laptop must be left unattended, it should be locked with a laptop security cable. When going through airport security, the laptop should be kept with the person until the last possible moment, kept in sight while it is screened, and retrieved as soon as it clears. Furthermore, if a person is staying in a hotel, the laptop should be locked in a safe or taken along. The laptop should never be left in a car, and laptop bags should not be used; instead, a bag should be used that conceals the fact that a laptop is inside.