The Ponemon Institute estimates that at least one laptop is stolen every minute, and nearly half of all healthcare breaches occur because of a stolen device. If valuable data, like patient information or credit card numbers, stored on a healthcare provider’s laptop is accessed and sold, the provider could face fines, expose business secrets, or endure class-action lawsuits.
One effective but underused technological shield healthcare providers can wield against modern-day security attacks is encryption: usually free, readily available, and virtually impenetrable. Consider this historical example: it took Allied forces a decade to decrypt intercepted, Enigma-encrypted German messages during World War II. Had the Germans been able to use today’s technology, decryption would instead have taken trillions of decades.
What is device encryption?
Encryption is the process of taking something readable and altering it to make it not readable. For example, encryption can scramble patient information stored in a word document so that any unauthorized copies of that file won’t be readable. In order to make it readable again, it can usually be decrypted in one of two ways:
- By developing a machine or process that cracks through the encryption or figures out the decryption key (brute force) or
- By obtaining the decryption key
Developing a process for a brute force attack requires too much time. Instead hackers and thieves know that tricking a targeted employee into giving away the decryption key can be easier and quicker.
How do I encrypt?
Before protecting the information from attacks, healthcare providers must first know whether their systems are encrypted. I asked an IT professional for advice regarding digital security:
Q: We know that encryption is important, but why isn’t a system password enough?
A: Providers can think about security like placing layers of defense around the thing they want protected. The outermost defense could be physical security, which might include a simple but effective policy of locking the doors and closing the windows when devices are left unattended.
Next, of the core layers of defense, you may have your laptop protected with a password. This barrier can prevent a thief from using the laptop or accessing the hard drive. However, the thief at this point could use social engineering – the use of deception to manipulate individuals into divulging confidential or personal information for fraudulent purposes – to learn or guess the password and steal data from the hard drive. Once the password is known, everything on the computer can be exploited if nothing is encrypted.
On the other hand, encryption is more permanent. Even if an encrypted hard drive were stolen, information on the hard drive is forever unreadable without the necessary decryption key. The thief must know the decryption key in order to access or exploit anything on the laptop because he might never be able to brute-force hack through the encryption measures.
Q: What kinds of encryption processes are there?
A: There are two that every provider should know, referred to commonly as full-disk and file-level encryption. A full-disk encryption protects the entire device like a laptop or cell phone. It prevents the device from being used and the files from being read. File-level encryption is more specific to the file and provides an extra layer of protection. The user can select which files need extra protection.
For example, if an unencrypted but sensitive file gets accidentally emailed, the receiver would be able to open and view the file. If the file were encrypted on a file-level basis, the receiver would be unable to view the file, thus limiting liability due to unauthorized access.
Q: How can we encrypt our devices?
A: It all depends on your system, but most healthcare professionals that have little or no IT support will find it is quite simple to do. Both Windows OS and Mac OS users have access to free, online resources.
Risk Management Recommendations
Whether your practice uses Windows OS or Mac OS, you can encrypt your devices today. For more information regarding Windows OS encryption, click here and here. For more information regarding Mac OS encryption, click here. It is important to check your current system configuration in order to find the resource that best fits your IT needs.
Additionally, every practice should implement a device security policy to educate employees on how to store and secure devices. The policy should delineate how to appropriately use the device in order to reduce the likelihood of unauthorized access, such as locking the device screen when leaving it unattended. The policy should also instruct employees on how to detect social engineering and avoid divulging clues to strangers about the decryption key. Providers should also develop and maintain a current inventory of all devices containing or that have access to PHI or other sensitive information.
For more information, please contact the LAMMICO Risk Management and Patient Safety Department at 504.841.5211.