Swimming in 'Safe Harbor'


It’s inevitable. The phone rings at 6 a.m. and the caller ID shows it’s one of your doctors. You cautiously answer, expecting to hear that a system is down or slow. If only that were the case. It is much worse: a laptop was stolen from their car. Then comes the million dollar question. “Did you have any Protected Health Information (PHI) on your laptop?” you ask. “No, I don’t think so... I mean maybe, well probably, just a little bit,” the doctor replies. Translated, this means they have no idea what was actually stored on that computer, and at 6:05 a.m. your day has already been ruined.

The passage of the HITECH Act not only gave us the meaningful use definition; it also brought significantly more stringent HIPAA breach notification requirements and penalties. A breach is defined as the acquisition, access, use or disclosure of unsecured PHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the PHI. This means that a laptop full of PHI is a huge liability for an organization, especially if more than 500 patients are affected. If that happens, you are required to notify HHS and the major media outlets, and where you cannot reach the affected individuals directly, to post the breach prominently on your homepage.

Before you resign or start looking for a new line of work, there is one provision that I like to refer to as the “Get out of Jail Free Card,” and that provision is safe harbor. What safe harbor effectively states is that the loss of PHI is not a reportable breach under HITECH if the PHI has been rendered unusable, unreadable or indecipherable to unauthorized users by encryption, and the HHS guidance that defines this ties it to two conditions: the encryption is consistent with the NIST standards it references, and the key or process that would allow decryption has not itself been compromised. So a laptop protected by full disk encryption is no longer a breach liability for the organization regardless of the PHI it contains, as long as the pre-boot password or recovery key did not walk out the door with it (a machine left asleep and unlocked, or with the password on a sticky note in the bag, does not get you this protection). For this reason my organization, Resurgens Orthopaedics, immediately started the process of implementing this technology.

There are a number of different ways to approach full disk encryption, and the right one depends on a few key factors: the size of the organization, how geographically dispersed it is, how consistent the hardware is, and how much management overhead the IT staff can absorb. If you are a small organization, you might be able to simply use the built-in technology from your hardware or operating system vendor. A larger organization will need an enterprise-class offering that lets the help desk manage encryption, recovery keys and reporting centrally. For Resurgens Orthopaedics, we ran an extensive vendor selection process that ended with our choice of McAfee’s Endpoint Encryption product. We liked its interoperability with other platforms and its centralized management, and it has one of the largest install bases for full disk encryption.

We have completed our rollout and have been very pleased with the implementation and use of the product. There are some key caveats you need to be aware of when rolling out any full disk encryption software. First, identify the users of each machine, especially shared computers, and make sure every one of them knows how to log in at the pre-boot prompt (including the default password, if you use single sign-on) before the machine is encrypted. Most importantly, test the hard drives for bad sectors prior to deployment, or you could be left with a dead drive and no data. The initial encryption pass is resource intensive and reads and rewrites every sector on the drive, so a drive that is starting to fail or already has bad sectors will cause significant problems.
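Here is a pre-deployment check for the two caveats above, written for this article as an added example; it is not code from the original post or from McAfee, and it is not tied to any particular encryption product. It assumes Windows PowerShell 3.0 or later, local administrator rights on the workstation, and a disk controller that exposes SMART through WMI. The stale-profile threshold and the report layout are my own choices.

```powershell
# Added example (not from the original post or from any vendor): run on each
# candidate machine before pushing full disk encryption. It flags
#   1. drives already reporting failure or bad blocks (FDE rewrites every
#      sector, so a marginal drive will not survive the initial pass), and
#   2. the local user profiles, i.e. who needs the pre-boot / single sign-on
#      login explained on a shared machine.
# Assumptions: Windows PowerShell 3.0+, run as local administrator.

param(
    [int]$ProfileAgeDays = 90   # assumption: profiles unused this long are reported as stale
)

$report = [ordered]@{ Computer = $env:COMPUTERNAME; Ready = $true; Findings = @() }

# 1a. SMART failure prediction via the root\wmi storage driver class. Not every
#     controller populates it; an empty result is reported as unknown, not as OK.
$smart = Get-CimInstance -Namespace root\wmi -ClassName MSStorageDriver_FailurePredictStatus -ErrorAction SilentlyContinue
if (-not $smart) {
    $report.Findings += "SMART status unavailable; check the drive with the vendor diagnostic"
} elseif ($smart | Where-Object { $_.PredictFailure }) {
    $report.Ready = $false
    $failing = ($smart | Where-Object { $_.PredictFailure } | ForEach-Object { $_.InstanceName }) -join ', '
    $report.Findings += "SMART predicts failure on: $failing"
}

# 1b. Physical disk status as reported by the storage driver (anything but 'OK' is a stop).
Get-CimInstance -ClassName Win32_DiskDrive | ForEach-Object {
    if ($_.Status -ne 'OK') {
        $report.Ready = $false
        $report.Findings += "Disk $($_.DeviceID) status is '$($_.Status)'"
    }
}

# 1c. Bad-block events already logged by the disk driver (System log, source 'disk', event ID 7).
$badBlocks = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'disk'; Id = 7 } -MaxEvents 50 -ErrorAction SilentlyContinue)
if ($badBlocks.Count -gt 0) {
    $report.Ready = $false
    $report.Findings += "$($badBlocks.Count) bad-block event(s) in the System log; most recent at $($badBlocks[0].TimeCreated)"
}

# 1d. A volume with the dirty bit set has not been checked since an unclean shutdown;
#     run chkdsk /r (which scans for bad sectors) and let it finish before encrypting.
Get-CimInstance -ClassName Win32_Volume -Filter "DriveType = 3" | ForEach-Object {
    if ($_.DirtyBitSet) {
        $report.Ready = $false
        $report.Findings += "Volume $($_.DriveLetter) has the dirty bit set; run chkdsk /r before encrypting"
    }
}

# 2. Who actually uses this machine. Every non-special (non-system) profile is a person
#    who needs the login procedure before the pre-boot prompt appears.
$cutoff   = (Get-Date).AddDays(-$ProfileAgeDays)
$profiles = @(Get-CimInstance -ClassName Win32_UserProfile | Where-Object { -not $_.Special })
$report.Users = $profiles | ForEach-Object {
    [pscustomobject]@{
        Path     = $_.LocalPath
        LastUsed = $_.LastUseTime
        Stale    = ($_.LastUseTime -lt $cutoff)
    }
}
if ($profiles.Count -gt 1) {
    $report.Findings += "Shared machine: $($profiles.Count) local profiles; confirm each user knows the login procedure"
}

[pscustomobject]$report | Format-List
```

Run it from an elevated prompt on each machine (or through your management tool) and hold back any machine whose report says Ready is False until the drive has been replaced or chkdsk /r has completed cleanly; a stale profile on a shared box is a prompt to ask whether that person still needs access before they are locked out by the new pre-boot login.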

It is clear that, despite the cost and risks of implementing full disk encryption, the risk of not having it is significantly greater, especially with the new fines imposed for breaches. If you don’t believe me, just ask Health Net, which is currently being sued by the attorney general of Connecticut for losing a hard drive with unencrypted PHI on it (http://www.ct.gov/ag/cwp/view.asp?Q=453916&A=3869), and see whether it has rolled out full disk encryption since. The new sanctions and penalties imposed by HHS begin Feb. 22, 2010, so the bottom line is that if you don’t already have a full disk encryption project in the works, you need to start one. Then you too can be swimming in safe harbor.

-- Bradley Dick is Chief Information Officer at Resurgens Orthopaedics in Atlanta.
