
Stolen Laptop Raises Security and Liability Questions

Developing story serves as a harbinger to take security seriously

It was a quiet, low-crime neighborhood. It still is, to tell the truth; relatively affluent too. Residents know each other and the streets feel safe at night. Perhaps that in itself is what attracts gangs from larger cities. They have been showing up quite regularly lately and they seem skilled enough to be able to get into locked, occupied structures, take what they want and leave without detection.

First, they broke into cars in business office parking lots during the day while the offices were filled with people. Finally, it was an unlocked car inside a locked garage at the quiet, suburban residence of a home care nurse, while she was there. She thought her new laptop and a stack of paper visit documents would be perfectly safe, tucked away in the trunk, while she attended to children and dinner. Instead, her employer is now in danger of civil and criminal penalties for possibly exposing patient information.

Why This Incident is Important
What makes this particular security incident of interest? It is certainly not the first time that a home care clinician's laptop has been lost or stolen. This incident occurred and is unfolding in California, the only state with a law requiring organizations to disclose security breaches to all affected parties.

Under SB 1386, a California law enacted in September 2003, any business having personal information on state residents must promptly disclose security breaches that could lead to identity theft. It is this law that triggered ChoicePoint's disclosure of the massive security breach it uncovered last fall, and dozens of other incidents impacting millions of individuals that have come to light since the law was enacted just 18 months ago. This is the law that is being emulated in legislation being considered by more than 20 states as a result of the recent rash of security incidents. It is the law that Senator Dianne Feinstein (D-CA) is trying to replicate on a national level.

HCAR will follow this story as it unfolds. It will be an object lesson for other agencies regarding the dangers of suffering a security breach. The affected home care agency has agreed to provide us with ongoing detail on the condition that it not be named, hoping that the very act of making its situation public will spur others to take preventive measures. This incident truly is a harbinger of what is to come should similar laws be enacted at a state or national level (see HCAR, March 2005, page 1).

Truth and Consequences
For now, the agency can do little more than wait to see if the thieves are smart enough to figure out the laptop's home care software application and harvest patient information. Even though that is not likely (login to the operating system is password-protected, and encoded patient data can only be accessed through the Patient Care Technologies application, which is protected by another login routine), there is still the matter of the paper records which were stolen along with the computer. Possible repercussions include incidents of ID theft and subsequent victim complaints.

The agency may be at risk even if the data is secure within the laptop. ID theft randomly affects approximately 10% of the population. If a patient of this agency falls victim to ID theft from an unrelated, unknown incident, and if the laptop theft becomes widely known, there is nothing to prevent the patient/victim from accusing the agency of being the source of the breach. The agency would have no choice but to defend itself. Not only would the defense be expensive; even if it were successful, any resulting publicity might lead to negative reactions among referral sources.

Patient/victim complaints can be addressed to HIPAA enforcers, the state, directly to civil courts or to all three. Since this incident occurred before the HIPAA Security deadline, federal complaints would go to the Office of Civil Rights (OCR) under the HIPAA Privacy rule, not to CMS. (See sidebar, "CMS Announces Complaint-Driven Security Enforcement," p. XX.) Needless to say, any combination of the above would be expensive, possibly beyond what the agency can bear.

Whether a victim of an unrelated ID theft incident, or his or her attorney, would be aware of the laptop theft depends on state disclosure laws and the agency's own policies. In this case, the agency immediately attempted to alert its affiliated hospital's Privacy Officer, apparently an extremely busy individual, for guidance. The earliest available meeting time was four days later, and only that soon because the home care administrator was willing to schedule a ten-minute meeting at 7:30 AM. Upon hearing the details, the officer determined it would be necessary to notify OCR and accept the risk that the enforcement agency might use the report as a reason to initiate a wide-ranging privacy inquiry with the hospital.

Assessing its Security Controls
In the midst of waiting for the other shoe to drop, the agency wonders what else it could have done to prevent such an occurrence. While preparing to comply with HIPAA Privacy and Security regulations, the agency had already put a number of safeguards in place. It established a policy that laptops and all paper with identifying patient information must be kept in car trunks rather than on car seats. It made sure consequences for policy violations were established and made known to all staff.

Since the incident, the agency has upped the ante. "Now we tell the story of the theft at all point-of-care software classes and instruct clinicians to treat the computer like a baby," the acting administrator explained. "If it's 10 degrees or 100 degrees outside and you wouldn't leave a baby in the car for 10 minutes, don't leave the computer in the car. If you're going into a store or the post office or a laundromat in the middle of your shift, take the computer with you. We bought the smallest notebook computers Fujitsu makes, and they're a lot lighter than a baby." Clearly, she added, trunk locks are no deterrent in a town where car theft is much higher than the national average.

Prior to establishing this policy, the agency acknowledges that its staff was a bit casual regarding privacy and security controls. Management often witnessed visit paperwork lying, face up, on car seats. On one occasion, a nurse was rushed out to the parking lot to close her car's trunk. She had put the paper where it belonged all right, but forgot the final detail.

The nurse who lost a laptop and some paperwork from her trunk inside her garage had done everything possible, short of locking her car while it was in her garage, which may not have slowed the thieves down anyway. Such extreme incidents of thieves with extraordinary skills are nevertheless considered by the HIPAA Security Rule. Recognizing that laptop computers will be lost or stolen from time to time, the regulation specifies that administrative, physical and technical safeguards be put in place to minimize the risks associated with such incidents.

©2005 Stony Hill Publishing