This entry is part 42 of 60 in the series HIPAA Security Risk Analysis Tips

Virtually every organization on the planet has deployed mobile devices into its operational delivery model. Laptops, of course, are a commonly used device and alone account for some of the biggest breaches reported to DHHS/OCR. For example, consider the AvMed Insurance (1.2 million individuals affected) and Advocate Medical Group (4.0 million individuals affected) breaches, in both of which unencrypted laptops were stolen. Here's today's big RISK ANALYSIS TIP – Just A Few Laptop Risks

HIPAA Risk Analysis Tip – Just A Few Laptop Risks

How Many Possible Laptop Risks Can There Be?  Lots!!

The AvMed and Advocate Medical Group breaches are both great cases, BUT they represent only the very tip of the iceberg in terms of laptop risks. Remember, risk exists when and only when we have a "triple" comprising an asset, a threat and a vulnerability. So, if we stipulate that a laptop with ePHI is our asset, how many risks must we consider? That is, how many threats and how many vulnerabilities must be considered?


In the AvMed and Advocate cases, thieves (threat source) exploited the lack of encryption (vulnerability) on the laptops, presumably gained access to ePHI (compromising confidentiality) and created harm both to the organizations responsible for the ePHI (legal, reputational, financial, regulatory, etc.) and to the individuals (possible identity theft, medical identity fraud, etc.).

There are other risks that these organizations should have considered, and would have considered had they done a rigorous risk analysis of this asset / media type. Recall, risk needs to be analyzed when and only when we have an asset-threat-vulnerability "triple". Following are a few other laptop-threat-vulnerability "triples", served up to help stimulate your thinking about the many threats and vulnerabilities that one must consider:

  1. Laptop with ePHI-Employee-No Data Backup – consider an employee accidentally dropping a laptop, resulting in a hard drive failure. The accidental threat source exploited the weakness of not backing up the laptop, resulting in lost data or a compromise of the availability of ePHI, possibly resulting in the inability to deliver care.
  2. Laptop with ePHI-Snooper-No Privacy Screen – consider your employee reviewing patient charts on their laptop on a plane, with a person behind them viewing the ePHI. The adversarial threat source exploited the weakness of not having a privacy screen on the laptop, resulting in unauthorized and impermissible access to ePHI or a compromise of the confidentiality of ePHI possibly resulting in reputational damage to the individual.
  3. Laptop with ePHI-Lightning-One Internet Connection – consider a radiologist reviewing films from home when lightning strikes and knocks out internet access. Suppose, it is a life-or-death reading that is required. The environmental threat source exploited the weakness of a single point of failure in internet connectivity, resulting in lack of authorized access to ePHI during a potentially critical time-sensitive moment possibly resulting in personal physical or clinical harm to the individual.
  4. Laptop with ePHI-Hacker-Personal Firewall Disabled – consider your home health clinician in between patient visits reviewing appointments and records on his laptop at a Starbucks. Great, free Wi-Fi! The person across the room is on the same Wi-Fi network and accesses their laptop and ePHI. The adversarial threat source exploited the weakness of a disabled personal firewall on the laptop, resulting in unauthorized and impermissible access to ePHI. Further, the hacker accesses the patient records and randomly changes medication dosages resulting in a compromise of the integrity of ePHI possibly resulting in physical harm or death to the health clinician’s patients.
  5. Laptop with ePHI-Defective Screen-One Copy of Data – consider a surgeon having created a surgical procedure plan on her laptop at home the evening before a 6 am surgery the next morning. No backup was made and the laptop was not synchronized to the network that night. The structural threat source exploited the weakness of no automatic network synchronization for mobile devices, resulting in the inability to access critical surgical plans and ePHI, possibly resulting in personal physical or clinical harm to the individual and / or opportunity costs and lost revenue to the surgeon and the surgery center.

Simply considering the four threat source categories (accidental, adversarial, structural and environmental) and the threat sources within them (setting aside, for a moment, all the possible vulnerabilities associated with each), AND the manner in which the confidentiality and / or integrity and / or availability of ePHI may be compromised, requires one to consider an incredible number of potential "triples" or risks.

Completing a rigorous, bona fide risk analysis requires significant work and should be completed with a well-defined methodology and well-designed tools and software.
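To make the "triple" model concrete, here is an added example (not code from the original post or from Clearwater Compliance) that records the six laptop triples above in a small risk register, ranks them, and enumerates the candidate triple space for one asset across the four threat source categories and the three properties of ePHI. The likelihood and impact scores (1 to 5), the High / Medium / Low thresholds, and the threat and vulnerability catalogs are constructed for illustration and are assumptions, not values from the post.

```python
"""Added example: a risk register built on asset-threat-vulnerability triples.

The six entries are the laptop triples from the post; the likelihood and
impact scores, the rating thresholds and the catalogs are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from itertools import product
from typing import Dict, Iterable, Iterator, List, Tuple


class Category(Enum):
    """The four threat-source categories named in the post."""
    ACCIDENTAL = "accidental"
    ADVERSARIAL = "adversarial"
    STRUCTURAL = "structural"
    ENVIRONMENTAL = "environmental"


class Property(Enum):
    """Security property of ePHI compromised when the triple is realized."""
    CONFIDENTIALITY = "C"
    INTEGRITY = "I"
    AVAILABILITY = "A"


@dataclass(frozen=True)
class Triple:
    asset: str
    category: Category
    threat_source: str
    vulnerability: str
    compromises: Tuple[Property, ...]


@dataclass(frozen=True)
class RiskEntry:
    triple: Triple
    likelihood: int  # 1 (rare) .. 5 (almost certain); constructed values
    impact: int      # 1 (negligible) .. 5 (severe); constructed values

    def score(self) -> int:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be in 1..5")
        return self.likelihood * self.impact

    def rating(self) -> str:
        # Assumed 5x5 thresholds: 15+ High, 8-14 Medium, below 8 Low.
        s = self.score()
        return "High" if s >= 15 else "Medium" if s >= 8 else "Low"


ASSET = "Laptop with ePHI"
C, I, A = Property.CONFIDENTIALITY, Property.INTEGRITY, Property.AVAILABILITY

# The six triples discussed in the post, with constructed scores.
LAPTOP_REGISTER: List[RiskEntry] = [
    RiskEntry(Triple(ASSET, Category.ADVERSARIAL, "Thief", "No encryption", (C,)), 4, 5),
    RiskEntry(Triple(ASSET, Category.ACCIDENTAL, "Employee", "No data backup", (A,)), 3, 3),
    RiskEntry(Triple(ASSET, Category.ADVERSARIAL, "Snooper", "No privacy screen", (C,)), 3, 2),
    RiskEntry(Triple(ASSET, Category.ENVIRONMENTAL, "Lightning", "One internet connection", (A,)), 2, 4),
    RiskEntry(Triple(ASSET, Category.ADVERSARIAL, "Hacker", "Personal firewall disabled", (C, I)), 3, 5),
    RiskEntry(Triple(ASSET, Category.STRUCTURAL, "Defective screen", "No network synchronization", (A,)), 2, 4),
]


def ranked(register: Iterable[RiskEntry]) -> List[RiskEntry]:
    """Highest score first; ties keep their original order (stable sort)."""
    return sorted(register, key=lambda e: e.score(), reverse=True)


def by_rating(register: Iterable[RiskEntry]) -> Dict[str, List[RiskEntry]]:
    """Group entries under their High / Medium / Low rating."""
    groups: Dict[str, List[RiskEntry]] = {"High": [], "Medium": [], "Low": []}
    for entry in register:
        groups[entry.rating()].append(entry)
    return groups


def candidate_triples(asset: str, threat_sources: Dict[Category, List[str]],
                      vulnerabilities: List[str]) -> Iterator[Triple]:
    """Enumerate every threat x vulnerability x property combination for one asset."""
    for category, sources in threat_sources.items():
        for source, vuln, prop in product(sources, vulnerabilities, Property):
            yield Triple(asset, category, source, vuln, (prop,))


def count_candidates(threat_sources: Dict[Category, List[str]],
                     vulnerabilities: List[str]) -> int:
    return sum(1 for _ in candidate_triples(ASSET, threat_sources, vulnerabilities))


# Constructed catalogs drawn from the post's own examples.
THREAT_SOURCES: Dict[Category, List[str]] = {
    Category.ACCIDENTAL: ["Employee"],
    Category.ADVERSARIAL: ["Thief", "Snooper", "Hacker"],
    Category.STRUCTURAL: ["Defective screen"],
    Category.ENVIRONMENTAL: ["Lightning"],
}
VULNERABILITIES = [e.triple.vulnerability for e in LAPTOP_REGISTER]

if __name__ == "__main__":
    for e in ranked(LAPTOP_REGISTER):
        props = "".join(p.value for p in e.triple.compromises)
        print(f"{e.rating():6} {e.score():2} {props:3} {e.triple.threat_source} / {e.triple.vulnerability}")
    print("candidate triples for this asset:", count_candidates(THREAT_SOURCES, VULNERABILITIES))
```

Even with a catalog of only six threat sources and six vulnerabilities, the enumeration yields 108 candidate triples for a single asset, which is the point of the post: the analyst's job is to walk that space systematically and score each applicable triple, not to stop at the one or two that made the headlines.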

Risk Analysis Resources Are Available to You Now

Clearwater Compliance offers best-in-class HIPAA-HITECH Privacy, Security and Breach Notification software and services. Our years of direct front-line, real-world experience with deep privacy and security skill-sets will help you assess and implement the required people, process and technology controls cost-effectively.

Please avail yourself of any of these free resources which you may access now by clicking on the links below:

Wanna be even more hip on HIPAA? Learn more…

The complete HIPAA Privacy, Security and Breach regulations are here.

If you’d like to keep up to date on Risk Analysis or HIPAA-HITECH in general, please also consider (all optional!):


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.