The Concentra HIPAA Breach and Mobile Device Encryption
In a story on HIPAA breaches covered in Healthcare IT News this week, the HHS Office for Civil Rights (OCR) settled with two organizations for just under a combined $2 million after it was discovered that both had unencrypted laptops containing PHI stolen. As OCR deputy director of health information policy Susan McAndrew pointed out, the large fines are meant to drive home the point that unencrypted laptops and mobile devices pose significant risks to patients and that the practice must be corrected.
The larger of the two fines was levied against Concentra Health Services after an unencrypted laptop was stolen from one of its facilities. OCR made particular note of the fact that Concentra, through a series of risk analyses over a period of years, had been put on notice that it was allowing patient information to be stored on unencrypted desktop computers, tablets, and mobile phones. Instead of correcting these deficiencies through a documented remediation plan, however, Concentra allowed the bad practices to continue despite the known Security Rule violations. In the end, OCR fined Concentra over $1.7 million for the breach and required the healthcare organization to adopt a corrective action plan and work with HHS to fix the known issues.
“Our message to [healthcare] organizations is simple,” McAndrew said. “Encryption is your best defense against these incidents.”
The Importance of Mobile Device Encryption
We’ve argued on this blog about how important mobile device encryption is for a healthcare facility, and the Concentra incident only bolsters our stance. That said, implementation issues are always a concern for a healthcare IT executive, which could explain why healthcare organizations are slow to adopt technologies such as encryption and secure texting that could potentially take millions of dollars of risk off the table.
Encrypted Mobile Applications are the Future
Nevertheless, when the implementation is as easy as installing an encrypted mobile application on the phone and writing a policy requiring providers to send PHI only through that channel, an administrator’s job is just about done. In an age of dramatically increasing federal fines, it’s all too easy for a provider to lose a mobile device and trigger a full-blown OCR investigation. Encrypt your endpoints and avoid being front-page news.