April 23, 2024
Welcome back to another blog on Compliance Catastrophes: real-ish world examples of nightmare scenarios!
We’re going through the most common reasons for data breaches in healthcare and how your practice or business can stay safe.
Stolen devices in the workplace are one of the main reasons for a breach. According to the OCR, theft accounts for nearly 20% of large breaches (five hundred or more patients affected) over the past ten years.
A stolen device can quickly spiral into a HIPAA nightmare. That’s why devices need top-notch security for the safety of Electronic Protected Health Information (ePHI).
No question, ePHI needs protection. That’s why I’m here to remind you: when you have a device with it, stay alert!
Now, let’s see what happens when someone slips up and neglects their device protection responsibilities.
Let me reintroduce our friend, Compliance Cathy, she’s having a tough week!
Dinner with a Side of Disaster
After a long day at the practice, Cathy was ready to get home and see her friends for dinner. When Cathy was at the restaurant, she left her computer bag on her passenger seat, being way more focused on the meal she was going to devour. While her steak was a perfect medium rare, the situation outside was a recipe for disaster!
When Cathy got outside, her night was spoiled. Her car was broken into! She realized immediately what went wrong. Her work laptop was stolen. The worst part, her computer was unencrypted, meaning the thief had easy access to patients’ PHI at the practice!
Device Safety 101
First, if you don’t have to bring home your work laptop, don’t! There’s less liability if the device is stored properly at work.
Even if you leave it at work, make sure it is secure at all times. For instance, at your practice or business, make sure the doors are locked when no one is at work and proper security is installed, like alarms and cameras.
Next, ensure all devices with PHI are properly encrypted. Encryption means sensitive data is unreadable for anyone except those authorized to view the information. Additionally, make sure strong password policies are in place. No more Password 123! Your friends at Abyde recommend that passwords must be at least 8 characters, including a number, an uppercase letter, a lowercase letter, and a symbol.
Finally, make sure remote deletion is set up for all devices that have PHI, allowing you to use another device to wipe the stolen or lost device clean.
Keeping it Real
Stolen devices are a common compliance catastrophe, and the OCR has enforced fines for non-compliant practices.
Don’t believe us? Here’s a real-life example of a stolen device catastrophe. In 2020, Lifespan ACE, a Rhode Island healthcare system, was fined over a million dollars when an employee’s car was broken into and an encrypted laptop was stolen. We’re not just making this stuff up!
If you find yourself in a situation like Cathy’s, immediately alert the authorities of the theft. Contact your workplace and IT department, following company procedures.
See if your practice has remote deletion in place, wiping the stolen device. Your IT partner will likely handle all remote deletion and encryption of sensitive data. Some companies provide these services specifically for healthcare. We’re more than happy to point you in the right direction when it comes to your compliance journey, so just reach out if you’re looking for the right services for your practice or business.
Of course, ensure this breach is logged into your Abyde software and reported to the OCR.
With the right protocols, you can prevent and mitigate a stolen device.
While Cathy’s filet mignon dreams were burnt to a crisp, that doesn’t have to happen to you. To learn more about device safety, email us at info@abyde.com and follow us on social media for the latest news!