Two laptops have been stolen from employees’ personal vehicles in the past month, increasing concerns about data security.
“The problem isn’t just the cost of missing equipment, but there is a high probability for these devices to contain HIPAA-protected information, student records, employee information or research data,” said Georgia Health Sciences University Chief of Public Safety Bill McBride.
Several federal and state laws and regulations protect this data. The Health Insurance Portability and Accountability Act provides federal protections for protected health information, and specifies administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of electronic health records. Student records are protected by the Family Educational Rights and Privacy Act and research data also must be protected. Georgia’s Identity Theft Law covers employee information.
“All these regulations hold our workforce and students as well as GHS accountable for ensuring that these rights to privacy are protected,” said Christine Adams, Enterprise Privacy Officer for Georgia Health Sciences University & Health System. “There are increased risks for financial and reputational harm as well as enhanced penalties when protected data are at risk.”
If a violation is egregious enough – for example, if the institution is willfully neglectful of patient privacy – government fines can reach $1.5 million per year. In February, the U.S. Department of Health and Human Services fined Cignet Health Care of Temple Hills, Md., $4.3 million for violations of the HIPAA Privacy Rule.
McBride says that while older laptops may still be vulnerable, his office has had nearly 100 percent success in recovering new laptops stolen from the institution, as all new laptops are equipped with CompuTrace, a location-tracking application.
“As soon as they ping the Internet, it tells us where they are. That’s usually enough for a judge to issue a search warrant, then we go get the equipment,” he said.
Adams said that the application allows the institution to remotely wipe the hard drive, if necessary.
“But that software only works if the department works with IT to install it,” she said.
One computer was recovered at the home of a former patient's mother; the patient had given it to her as a gift.
“She wasn’t very happy,” McBride said.
The Office of Public Safety recommends that employees and students keep all enterprise or personally owned technology properly secured and out of vehicles, and that includes the accessories that go along with the gadgets. A visible GPS mount or iPod charging cord may convince a thief that expensive electronics sit in the glove compartment.
Both of the recent thefts took place off campus. But Adams' office receives several reports of missing, lost or stolen equipment on GHS property every year, so employees should not relax their security practices on campus either.
“Compliance is about doing the right thing, being ethical, being proactive and following the regulations,” she said. “It’s imperative that all missing, lost or stolen devices, even personally owned devices, are promptly reported to local law enforcement or to Public Safety.”
It’s also about being street smart, McBride said. As the calendar creeps closer to the holidays, temptation will rise: “Thieves will be out Christmas shopping, and they don’t typically carry money.”
November is GHSU’s Compliance Awareness Month. All GHSU workforce and students must complete online training modules including a lesson on equipment and data thefts by Nov. 30. The health system will roll out compliance training in January 2012.