Threat # 3 of the Top 5 Threats Facing the Healthcare Sector: Loss or Theft of Equipment or Data

Modified on Mon, 11 Aug at 3:06 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Introduction

The HHS 405(d) Program is a collaborative effort between The Health Sector Coordinating Council (an organization representing the primary healthcare subsectors of direct patient care; public health; health plans and payers; pharma, blood and labs; medical technology; health information technology; and funeral homes and mass fatality managers) and the federal government to align healthcare industry security practices.

The 405(d) Task Group developed Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, its first official Task Group product and publication. Health Industry Cybersecurity Practices is abbreviated HICP.


The Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients document has identified the top five cybersecurity threats facing the healthcare sector.

Threat # 3 is loss or theft of equipment or data. This article discusses this threat.

What is Loss or Theft of Equipment or Data?

Mobile devices such as laptops, tablets, smartphones, and USB/thumb drives are lost or stolen every day, and end up in the hands of attackers. Although the value of a device represents a single loss, the consequences of losing a device containing sensitive data such as PHI are far greater. In cases where the lost device was not appropriately safeguarded with practices such as multi-factor authentication (MFA) or encryption, the loss may result in unauthorized or illegal access, dissemination, and use of sensitive data. Even if the device is recovered, the data may have been erased and completely lost. Loss or malicious use of data may result in business disruption and compromised patient safety, and may require notification to patients, applicable regulatory agencies, and/or the media.

What Can Cause Loss or Theft of Equipment or Data?

  1. Lack of awareness that theft of IT assets is nearly as common as car theft
  2. Lack of physical security practices; open offices and poor physical access management 
  3. Lack of simple safeguards such as computer cable locks to secure devices within office environments 
  4. Lack of asset inventory and control 
  5. Lack of encryption of data at rest (data stored on a hard drive at any location)
  6. Lack of effective vendor security management including controls to protect equipment or sensitive data 
  7. Lack of “End of Service” process to clear sensitive data before IT assets (including network connected medical devices) are discarded or transferred to other users or other organizations 
  8. Lack of authentication to prove user identity


What Measures Can an Organization Implement to Protect Against Loss or Theft of Equipment or Data?

  1. Promptly report loss/theft to designated company individuals so that access to the device and/or network can be terminated
  2. Encrypt sensitive data, especially when transmitting data to other devices or organizations
  3. Encrypt data at rest on mobile devices so that it is inaccessible to anyone who finds the device
  4. Implement proven and tested data backups, with proven and tested restoration of data (4.M.D)
  5. Acquire and use data loss prevention tools
  6. Maintain a complete, accurate, and current asset inventory to mitigate threats, especially the loss and theft of mobile devices such as laptops and USB/thumb drives
  7. Define a process with clear accountabilities to clean sensitive data from every device before it is retired, refurbished, or resold
  8. Implement a safeguards policy for mobile devices, supplemented with ongoing user awareness training on securing these devices
