Medical school stresses importance of computer encryption

By Ruthann Richter

Thieves cannot view data, including protected health information, on computers and other electronic devices that have been encrypted.

A physician taking a red-eye flight to a conference on the East Coast stows her laptop in the airline's overhead bin, then closes her eyes to get some rest. The next morning, she arrives at her hotel, suddenly realizing she has left behind her laptop, containing detailed data on dozens of her patients.

She calls her medical center's information technology department in a panic. "Was the laptop encrypted?" is the first question she is asked.
If so, the data will be scrambled — and completely unintelligible — to anyone who finds the laptop. Since thieves can't access the data on an encrypted computer or mobile device, the missing laptop essentially becomes a nonevent.

"That is why encryption is such a necessary thing in a health-care setting," said Michael Halaas, chief information officer for the School of Medicine. "Many other steps must be taken to protect data as well, but with encryption, the device is essentially a brick if it is lost or stolen."

In this age of portable and dispersed data, a growing number of health-care businesses and other organizations are trying to update to the latest encryption technologies to ensure that confidential information about patients remains fully protected. The development comes at a time when the number of cases involving theft or loss of patient data is on the rise, with hundreds of thousands of patients nationally having been notified of a potential breach, most often as a result of laptop theft or loss, according to reports filed with the federal Department of Health and Human Services' Office for Civil Rights.

Under the Health Insurance Portability and Accountability Act and the Health Information Technology Economic and Clinical Health Act — the cornerstones of national patient privacy and security rules — any device carrying protected patient information must be appropriately secured. Encryption is the critical "safe harbor" approved by the HHS Office for Civil Rights for this purpose. When the law first went into effect, sophisticated encryption technology did not exist and the concerns about patient privacy were different, said Marcia Cohen, senior dean for finance and administration at the School of Medicine.

"Then, we were concerned about discussing patient cases in the elevator or the hallways or the disclosure of protected patient information in the classroom or faxing information to machines in public areas," Cohen said. "But now what we're most concerned about is the proliferation of mobile devices, including laptops, iPhones and iPads that can store protected health information. So we want to make sure they're all encrypted and backed up. And in the event they are lost or stolen, Stanford has now developed new technology to verify immediately that the device is encrypted. So now there are better systems available to detect that."

Henry Lowe, MD, the school's senior associate dean for information resources and technology, said a growing number of academic medical centers are looking to modern technology for computer encryption, which can be a complex undertaking requiring major institutional support.

"The university's policy is that all devices that store protected health information must be encrypted," Lowe said. "We are providing the technology and support to make sure we have full compliance with this policy and that protected health information is indeed protected."

Incidents involving potential loss or exposure of protected health information have become increasingly common in recent years, with more than 543 reported incidents since 2010 of major breaches — those involving 500 or more individuals — at hospitals, health plans, clearinghouses and business partners, according to Health and Human Services. For example, last year Emory University Hospital, in Atlanta, reported the loss of 10 computer hard disks used to store information on more than 315,000 surgery patients, including patient names, diagnoses and procedures, and in some cases Social Security numbers, according to the university.

The largest-ever reported case involved the U.S. Department of Veterans Affairs, which reported the theft of a laptop and hard disk in 2006 containing personal data on 26.5 million veterans and active military personnel. The VA responded with a sweeping overhaul of its information-technology organization, a series of new reporting regulations and a requirement that all laptops be encrypted.

The majority of these incidents result from theft of laptops and other portable electronic devices, with repercussions that can be far-reaching and costly.

Both California and federal laws mandate notice of a breach to affected individuals and government authorities. In addition, for a breach involving 500 or more patients, the incident must be reported to the California Attorney General's office and to the HHS Office for Civil Rights, both of which publicly post incidents on their websites. Institutions also may be subject to substantial fines and become vulnerable to lawsuits resulting in multimillion-dollar damages. In the VA case, for instance, the federal agency paid as much as $20 million for credit-monitoring expenses and other damages to the victims, even though the computer later was recovered with the data intact, according to information provided by the VA.

"People spend more time protecting their wallets than their devices," Halaas said. "But depending on what's in the device, the impact could be significant."

Incidents also may have consequences for the individual involved. At Stanford, for instance, a faculty or staff member who loses a device containing patient information, or has one stolen, may be subject to serious corrective action, depending on the circumstances, Cohen said.

If, however, the laptop or mobile device was encrypted in accordance with federal standards, the incident becomes a nonevent; no reporting is required, and the data remains secure. At Stanford, all encrypted devices are also backed up so that the critical data can later be retrieved and restored. There are strict policies in place to prevent unauthorized access to these backups. All requests to access a backup must first be reviewed and approved by the school's privacy officer, Lowe said.

He said that, contrary to what some believe, encrypting a computer does not make it slower, unstable or more likely to crash. "These are no longer significant concerns with modern encryption technologies running on modern computers," Lowe said.

He said the technology is constantly evolving, with the time approaching when most computers and mobile devices will be pre-encrypted before they hit store shelves.
"I believe that very soon that will be a standard feature of computer technology," he said.
