Healthcare IT News – Mike Miliard, Managing Editor, WASHINGTON | April 23, 2014
Serving notice that “covered entities and business associates must understand that mobile device security is their obligation,” the HHS Office for Civil Rights has settled with two organizations for a combined $1,975,220 penalty after their unencrypted computers were stolen.
[See also: Why does healthcare resist encryption? ]
That’s a big number. And that’s because it’s meant to drive home the point that unencrypted laptops and mobile devices pose significant risks to the security of patient information, said Susan McAndrew, OCR’s deputy director of health information privacy.
“Our message to these organizations is simple: Encryption is your best defense against these incidents,” she said.
[See also: OCR: 'Pay attention to details']
The biggest of the two settlements was levied against Concentra Health Services, after OCR opened an investigation following a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center.
The probe found that Concentra had previously recognized, in multiple risk analyses, that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information was a critical risk. <READ MORE>