Audit finds hundreds of hospital's laptops lacked proper encryption

Tools

A deputy state auditor from Iowa has reported that about half of more than 500 laptops issued to University of Iowa Hospitals and Clinics employees last summer did not have the encryption software necessary to protect sensitive information, the Press-Citizen reported.

On Monday, an auditor's office report conducted from May 28 to July 30, 2012 was released; it showed that the lack of encryption, which would render the data unintelligible to unauthorized users if stolen, could compromise data like patient registrations, scheduling and billing information.

Deputy State Auditor Andy Nielsen said the laptops, although password-protected, wouldn't be hard to hack into for the tech-savvy. HIPAA rules state that password protection is not protection enough, and that all portable electronic devices containing sensitive patient information must be encrypted.

The audit was conducted in conjunction with an annual audit of UIHC's financial statements, Nielsen said, and in UIHC's response to the report, officials wrote that their existing policy of requiring that sensitive data stored on devices be encrypted only occurs "when technically possible."

"Encryption and destruction--like shredding papers--are the only methodology for rendering what we call ... protected health information ... unusable, unreadable and indecipherable to anyone who's not supposed to be looking at it," Rachel Seeger, spokeswoman for the U.S. Department of Health & Human Services Office for Civil Rights, told the Press-Citizen. She would not comment on whether UIHC's case was a HIPAA violation. 

The auditor's office pointed out that it would be UIHC's responsibility to respond to the risk.

Unsecured laptops have put patient information at risk in medical centers across the U.S. time and again. Earlier this month, the Washington University medical school sent letters to about 1,100 patients after a surgeon's laptop was stolen from a lecture hall during a conference in Argentina.  

Data breaches cost healthcare entities $7 billion annually, according to a report published in December by the Ponemon Institute and the Health Information Trust Alliance.

To learn more:
- read the article from the Press-Citizen

Related Articles:
Info for 57,000 patients at risk after laptop stolen from Lucile Packard
Stolen laptop put data at risk for 1,100 Washington University students
Thousands of Social Security numbers compromised in California data breach
Data breaches cost healthcare entities $7 billion annually