OK, my blog isn’t dedicated solely to reporting breaches, but another breach hit the news. Here is a statement from Indiana University:
The HIPAA Risk Analysis requires that any PCs that move around (i.e., laptops) be encrypted. This is item #1 among the risks of using laptops with ePHI on them. BitLocker, anyone?
A related article on the Health Data Management site said, “Password Protected but unencrypted laptop”. This means that only a file-system-based Windows or Linux local password is locking the PC, while the data on the disk itself is not encrypted. This can be circumvented within minutes, no matter how strong the password is.
How could Indiana University Health have mitigated its risk on this one? As part of a risk-management process, encrypting portable computers with ePHI on them and EDUCATION for its doctors on this subject through an AUP (acceptable use policy) could help. It is time to start taking security seriously to avoid serious consequences!
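
One way to check the "password protected but unencrypted" gap on a Windows laptop, as an added example that is not part of the original post. It assumes an elevated PowerShell session on a Windows edition that ships the BitLocker module; the function names `Test-IsPortable` and `Get-UnprotectedVolume` are hypothetical.

```powershell
# Added example: report volumes on this PC that are not fully protected by BitLocker.
# Assumes an elevated session and the built-in BitLocker module.

# SMBIOS chassis type codes for portable form factors: portable, laptop,
# notebook, hand held, docking station, sub notebook, tablet, convertible, detachable.
$PortableChassis = 8, 9, 10, 11, 12, 14, 30, 31, 32

function Test-IsPortable {
    # True when any reported chassis type is a portable one.
    $types = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
    return [bool]($types | Where-Object { $PortableChassis -contains $_ })
}

function Get-UnprotectedVolume {
    # A volume is protected only when it is fully encrypted AND protection is on.
    # Protection "Off" also covers BitLocker that was set up and later suspended,
    # and a status such as "EncryptionInProgress" still leaves plaintext on disk.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType.ToString() -in 'OperatingSystem', 'Data' } |
        Where-Object {
            $_.VolumeStatus.ToString() -ne 'FullyEncrypted' -or
            $_.ProtectionStatus.ToString() -ne 'On'
        } |
        Select-Object MountPoint, VolumeType, VolumeStatus,
                      ProtectionStatus, EncryptionPercentage
}

$portable = Test-IsPortable
$gaps     = @(Get-UnprotectedVolume)

# One summary object per machine, easy to collect centrally.
[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    IsPortable         = $portable
    UnprotectedVolumes = ($gaps.MountPoint -join ', ')
    Compliant          = ($gaps.Count -eq 0)
}

if ($gaps.Count -gt 0) {
    # Show the detail behind a failed check.
    $gaps | Format-Table -AutoSize
    if ($portable) {
        Write-Warning 'Portable PC with unencrypted or unprotected volumes.'
    }
}
```

A login password does not change any of these fields; only the volume's encryption and protection status do.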