Pamela Lewis Nolan reports:
Often the biggest threat to your practice and patient data is not an outside hacker or a snooping employee — it’s somebody’s forgetfulness.
[…]
Credant Technologies, a Dallas-based data protection solutions company, noted in a 2008 survey that although more than a third of health care professionals store patient data on laptops, smartphones and USB memory sticks, most do not adequately secure the data.
[…]
Encrypting the data can eliminate the HIPAA obligation to notify patients of a lost device, under a provision that allows an exception if the data cannot be accessed. But in most cases, encryption is not being done.
The Healthcare Information and Management Systems Society, in a survey released in November 2009, found that despite the strengthening of HIPAA regulations, health care organizations have made relatively few changes to their security policies and procedures. For example, only 39% reported using mobile device encryption.
Read more on American Medical News.
It does not really ring right with me that simply because the data was encrypted, people do not need to be notified. Even the most top notch data protection measures cannot ALWAYS assure that the encryption is insurmountable. Sometimes encryption can be as simple as a RAR file that can be brute force hacked…