“To help prevent something like this from occurring in the future, we are expanding our use of encryption on portable devices and re-educating our workforce members regarding the importance of handling patient information securely,” the medical school statement said.
There have been 525 breaches involving the records of more than 500 patients publicly reported on the website of the Office of Civil Rights at HHS and perhaps as many as 80,000 lesser breaches reported to the office since a federal breach notification law went into effect in September 2009.
Of the larger breaches, 42% have involved some sort of unencrypted mobile device.
The security rule under the Health Insurance Portability and Accountability Act does not mandate encryption, but if the healthcare industry keeps going on its current path and not securing mobile devices, it might, said Michael “Mac” McMillan, founder of CynergisTek, an Austin, Texas-based security firm.
U.S. Sen. Al Franken (D-Minn.) held hearings last year on healthcare-records security and has said he plans to reopen them this year, McMillan said.
“If they really want Franken to crawl up their backside, that's certainly giving Congress the ammunition they need to say, 'You know, this isn't working. We need to make encryption mandatory,' ” McMillan said. “I think that's inevitably what's going to happen.”