Physical Security

While recent studies have found a marked increase in technological attacks against healthcare providers,2,26 the danger presented by the physical loss or theft of devices with PHI on them has been pronounced for years. A 2014 study of data breach information found on HHS’ Wall of Shame27 noted 68% of all healthcare industry breaches since 2010 came about as a direct result of lost or stolen devices.28 While malware attacks have definitely been on the upswing, only 23% of the breaches in that study took place as a result of the electronic theft of data from a compromised computer network. Statistically speaking, your practice can get robbed just as easily as it can be hacked.

Your office itself will be most at risk from an after-hours intruder or from someone who has smooth-talked their way inside the office… but shouldn’t be there. Once he or she is physically inside the office, an intruder can directly access your computer network (and the PHI stored on it) via a server or client computer using just a USB drive. Or, if it’s an after-hours intrusion, they can simply steal a computer and take the data from it at their leisure. The effect of even one stolen computer can be devastating. One Missouri dental practice was actually bankrupted after a desktop computer (with over 9,000 patient records) was stolen in 2010.29

While desktop computers typically stay in your office, laptops and other devices can be lost or stolen from just about anywhere. Leaving your laptop (or any mobile device) unattended even for a few minutes in your car, on public transit, at a coffee shop, etc. is highly unwise. One example of what can happen next (among too many to count) involves a Massachusetts provider hit with a $1.5 million HIPAA fine due to the theft of a single laptop from a car.30 Another one involves the former head of Britain’s MI5 intelligence agency, whose laptop was stolen at Heathrow Airport in 2012.31 It really can happen to anyone.

What can you do to minimize this risk? Here are a few steps that can help:

  1. Prevent potential attackers from being able to physically access the computers in your office. Whenever your office is closed, all entrances should be locked and computers should be turned off. Your office’s server (or servers) should be kept in a locked room.
  2. Prevent them from being able to access the computer electronically. A password-protected screen-lock should be enabled on each computer in the office, with an engagement time of ten minutes or less (preferably less). That way, an intruder encountering a computer that’s still turned on won’t be able to simply start using it. Speaking of… passwords, user names and/or account numbers shouldn’t be written down anywhere obvious (on post-its, under the keyboard, in the top right-hand desk drawer, etc.). A thief will always look there.
  3. Use encryption to protect the data itself. If a thief has access to a computer that’s only password-protected, it’s fairly easy to access the data stored on it. Encrypting the data can prevent that. Moreover, under HIPAA and many state data breach laws, encrypted data is considered “secured” and the loss or theft of encrypted data from a laptop or desktop is not viewed as a data breach (so long as the corresponding encryption key hasn’t been taken, as well).8

The primary types of encryption used to protect the data on a computer’s hard drive are full disk encryption (FDE) and file-based encryption, and they serve different purposes. FDE encrypts all of the data stored on a hard drive, but it only protects that data while the computer is turned off. A decryption key is needed when the computer is turned on. Once the key is entered, all of the data is readable and the computer works normally until it’s turned off again. This type of encryption is effective when a laptop is lost or stolen… so long as it was turned off at the time. There are a number of full disk encryption products available,32 as well as built-in versions that can be enabled on Mac (FileVault)33 and commercial-grade Windows (BitLocker)34 operating systems.
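As an added example (not part of the original article), the PowerShell script below audits one Windows workstation against steps 2 and 3 above: it checks that a password-protected lock engages within ten minutes and that BitLocker is actively protecting each volume. It assumes a Windows edition that includes BitLocker and an elevated prompt; the function names and the `$MaxLockSeconds` variable are choices made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: audit a workstation's screen lock and disk encryption.
$MaxLockSeconds = 600   # ten minutes, the upper limit suggested in step 2

function Test-ScreenLock {
    # Machine-wide policy "Interactive logon: Machine inactivity limit".
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $key -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue
    if ($policy -and $policy.InactivityTimeoutSecs -gt 0) {
        $secs = [int]$policy.InactivityTimeoutSecs
        return [pscustomobject]@{
            Check = 'Screen lock (machine policy)'
            Value = "$secs s"
            Pass  = ($secs -le $MaxLockSeconds)
        }
    }
    # Otherwise fall back to the password-protected screen saver of the
    # account running this script (HKCU belongs to the elevated user).
    $d = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $secs   = [int]$d.ScreenSaveTimeOut           # missing value becomes 0
    $locked = ($d.ScreenSaveActive -eq '1') -and ($d.ScreenSaverIsSecure -eq '1')
    [pscustomobject]@{
        Check = 'Screen lock (user screen saver)'
        Value = "active=$($d.ScreenSaveActive) secure=$($d.ScreenSaverIsSecure) timeout=$secs s"
        Pass  = ($locked -and $secs -gt 0 -and $secs -le $MaxLockSeconds)
    }
}

function Test-DiskEncryption {
    # A volume passes only if it is fully encrypted AND protection is on;
    # "protection Off" means the key is exposed, so the data is not secured.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Check = "BitLocker $($_.MountPoint)"
            Value = "$($_.VolumeStatus), protection $($_.ProtectionStatus)"
            Pass  = ($_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'On')
        }
    }
}

$results = @(Test-ScreenLock) + @(Test-DiskEncryption)
$results | Format-Table -AutoSize
# A non-zero exit code lets a scheduled task or management tool flag the machine.
if ($results.Pass -contains $false) { exit 1 }
```

A passing BitLocker result only helps if the machine was powered off when it was taken, which is why the screen-lock check sits alongside it.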

Encryption can also be file-based, encrypting individual folders, files, or even certain parts of files. While this is a slightly more involved process, it’s also more secure since it still keeps the data encrypted when the computer is turned on. Even if an attacker gets into the system, the data in question will be gibberish without the decryption key. There are numerous file-based encryption products available from many security vendors.35

Physically securing laptops, desktops and other devices with office data and PHI is one of the most productive things you can do to safeguard your practice.