The Problem:
It is almost inevitable that at some point a device will be lost or stolen from your company. And for covered entities in the healthcare industry, this is especially problematic due to HIPAA’s Breach Notification Rule.
According to the HHS.gov website “The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.“
This becomes an even bigger problem when a breach affects 500 or more individuals. In breaches this large, your organization is also required to report the breach to the media.
What is “unsecured protected health information?”
Stated by HHS, “Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.”
The Solution:
The best solution to prevent a breach in the case of a lost or stolen device is to use device encryption.
If you can prove that a device was encrypted when it was lost or stolen, a breach has not occurred and your organization does not have to report it.
This is because an encrypted device is unreadable by unauthorized individuals without the Recovery Key or the user's login credentials. For this reason, HHS does not consider a lost or stolen encrypted device to be a breach.
So the question is, are your electronic devices that contain ePHI encrypted? If not, the following section will guide you on how to encrypt your Windows Computers.
How to Encrypt Your Windows Computers:
*Note: This requires Windows 10 or 11 Pro (not Home Edition).
1. In your Windows Search Bar, type “Control Panel” and click on the corresponding App.
2. Click on “BitLocker Drive Encryption”
- *Note: if View by: reads as “Category”, change it to “Large icons”.
3. Click “Turn on BitLocker”
4. Save the Recovery Key
You will then be prompted to back up your recovery key (this is used to decrypt the drive in the event that the computer’s TPM chip malfunctions and does not decrypt the drive for you upon startup and login). Any of these options is fine. Just make sure you save the Recovery Key in a safe place that you can get to if you need it in the future. Choose any of the following:
- Save to your Microsoft Account (or Azure)
- This option will save the Recovery Key within your Microsoft Personal Cloud Account or your Corporate Azure AD account.
- Save to File
- This option allows you to save the Recovery Key to a separate, unencrypted, locally attached drive.
- Print the recovery key
- This option allows you to print the Recovery Key.
5. Proceed through the prompts with the suggested defaults.
- Once you get through the prompts, you will get a dialog box or a notification in the bottom right hand corner of your screen that your hard drive is being encrypted.
6. Leave your computer turned on until the encryption process is complete.
- You can then restart your computer to make sure that you are not greeted with the BitLocker Recovery Screen.
*Special notes about BitLocker Encryption:
- You must have Windows 10 or 11 Pro.
- Your device must be equipped with a Trusted Platform Module chip (TPM). Otherwise, you will have to enter a password or the Recovery Key from BIOS every time you boot the computer (which can be a pain in the butt).
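If you would rather script the steps above than click through Control Panel (or you want to do this on more than one PC), the following PowerShell does the same thing and, just as importantly, writes down the evidence you would need to show that a device was encrypted when it went missing. This is an added example, not something from the original article: it assumes Windows 10 or 11 Pro with the built-in BitLocker and TPM PowerShell modules, an elevated (Run as administrator) PowerShell window, and an unencrypted removable drive mounted at an assumed path of E: for storing the key and the evidence record. The function names and the E:\BitLockerEvidence folder are our own choices.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Checks the prerequisites the
# steps above rely on (TPM present and ready, BitLocker available), turns on
# BitLocker for the Windows drive with a TPM protector plus a recovery password,
# saves the recovery password to a separate drive (the "Save to File" option in
# step 4), and records evidence of the encryption state for your HIPAA file.
# Assumption: E: is an unencrypted removable drive; change it to suit.

$OsDrive      = $env:SystemDrive          # normally "C:"
$EvidencePath = 'E:\BitLockerEvidence'    # assumed location, NOT on the encrypted drive

function Test-BitLockerPrerequisites {
    # Returns $true only when a ready TPM and the BitLocker cmdlets are present.
    # Without a TPM, BitLocker needs a startup password on every boot (see the
    # special notes above), so we stop rather than set that up silently.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        Write-Warning 'No TPM detected; BitLocker would require a startup password on every boot.'
        return $false
    }
    if (-not $tpm.TpmReady) {
        Write-Warning 'TPM is present but not ready; check that it is enabled in the firmware.'
        return $false
    }
    if (-not (Get-Command Enable-BitLocker -ErrorAction SilentlyContinue)) {
        Write-Warning 'BitLocker cmdlets not found; this edition of Windows (e.g. Home) may not include BitLocker.'
        return $false
    }
    return $true
}

function Enable-OsDriveBitLocker {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Host "$MountPoint is already $($vol.VolumeStatus); not re-enabling."
    } else {
        # Step 3 above ("Turn on BitLocker"). XTS-AES 256, unlocked by the TPM at boot.
        # The whole drive is encrypted (not just used space) so data deleted
        # before encryption is not left readable on the free space.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -TpmProtector -SkipHardwareTest | Out-Null
    }
    # Step 4 above (save the Recovery Key): make sure a 48-digit recovery
    # password protector exists and return it so it can be written out.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    return $rp
}

function Get-EncryptionEvidence {
    # Builds the record that answers "was this device encrypted when it was
    # lost?": status, method, percentage complete, protector types, timestamp.
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        MountPoint           = $vol.MountPoint
        VolumeStatus         = $vol.VolumeStatus          # FullyEncrypted when done
        ProtectionStatus     = $vol.ProtectionStatus      # On = protectors active
        EncryptionMethod     = $vol.EncryptionMethod
        EncryptionPercentage = $vol.EncryptionPercentage
        KeyProtectors        = ($vol.KeyProtector.KeyProtectorType -join ';')
        RecordedAt           = (Get-Date).ToString('o')
    }
}

if (Test-BitLockerPrerequisites) {
    New-Item -ItemType Directory -Path $EvidencePath -Force | Out-Null
    $recovery = Enable-OsDriveBitLocker -MountPoint $OsDrive

    # Write the recovery password to the separate drive; keep that drive locked up.
    $keyFile = Join-Path $EvidencePath "$($env:COMPUTERNAME)-RecoveryKey.txt"
    "Identifier: $($recovery.KeyProtectorId)`nRecovery Password: $($recovery.RecoveryPassword)" |
        Set-Content -Path $keyFile

    # Append the evidence record; run this part again once encryption hits 100%
    # (step 6 above) so the file shows FullyEncrypted / Protection On.
    Get-EncryptionEvidence -MountPoint $OsDrive |
        Export-Csv -Path (Join-Path $EvidencePath 'encryption-evidence.csv') -Append -NoTypeInformation
}
```

The evidence CSV is the part people forget: the Breach Notification Rule only lets you off the hook if you can show the drive was encrypted at the time of loss, so keep a dated record per computer showing VolumeStatus of FullyEncrypted and ProtectionStatus of On, and re-run the Get-EncryptionEvidence part after the encryption finishes (and periodically afterwards), not just when you first turn BitLocker on.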
Final Thoughts:
Even though HIPAA’s Security Rule considers device encryption “addressable” rather than “required”, you are going to save your covered entity a lot of heartache if you go ahead and put this technical safeguard in place, especially for mobile devices such as laptops and smartphones.
As a side note, if your staff has mobile devices with ePHI on them via Microsoft 365 applications such as Outlook for email or OneDrive for file storage, your IT department can implement Mobile Application Management (MAM) for personal devices (BYOD) and Mobile Device Management (MDM) for corporate devices via Microsoft Intune. Microsoft Intune allows administrators to enforce device encryption, PIN requirements and device health checks, such as requiring the devices to meet a certain security patch level and to not be Jailbroken or Rooted (Hacked).
If you need help with anything listed above, we would be happy to assist. We locally serve small medical practices in the Knoxville, TN area. Please feel free to call us at 865-888-9942 or email us at Support@VictoryTechnology.com
To see a full list of our services, please visit VictoryTechnology.com
We hope that this article has given you some value. If there is another topic that you would like for us to cover, please feel free to send us suggestions. Thank you!
2 Responses
Great content! Keep up the good work!
Thank you for the kind words! We’ve got a really good one coming out here in a few days. It will diagram the most common attack chains that hackers use to get to your sensitive data, and the safeguards you can put in place to stop them. Stay tuned!