Managed services providers have been telling their clients about the importance of data encryption for years. Unfortunately, it takes a painful situation before a lot of companies realize just how important encryption is.
One of those companies is Denton Health Group, a member of the HealthTexas Provider Network, which recently suffered a devastating data breach due to unencrypted devices.
The breach
Denton Health Group stored an unencrypted hard drive with seven years of backup electronic patient information in a locked closet. According to officials, at some point around the end of December 2016, the hard drive was stolen – and patients’ names, Social Security numbers, driver’s license numbers, medical histories, insurance details and more disappeared with it. To make matters worse, the theft wasn’t discovered until mid-January 2017.
Denton Health Group is providing one year of free credit and identity theft monitoring for the 21,665 patients affected by the theft. No penalties from the HHS Office for Civil Rights (OCR) have been made public yet, although it’s worth noting that in February 2017, OCR fined Children’s Medical Center of Dallas $3.2 million over breaches involving unencrypted devices.
Lessons learned
The first thing any business owner should take away from this situation is the realization that this could also happen to you. In fact, a 2016 Sophos report found 20 percent of healthcare organizations aren’t using encryption at all! No matter your vertical or business size, you are at risk of being breached, and your chances of this occurring increase if you have little or no protection in place.
Second, every device in your organization that holds critical data should be encrypted: laptops, desktops, external and backup hard drives, mobile phones and anything else. Had Denton encrypted that hard drive with a modern cipher such as AES-256 and kept the key somewhere other than on the drive, the thief would have walked off with ciphertext that is computationally infeasible to recover, and the 21,665 records would have stayed unreadable. The caveat matters: encryption only helps if the key is not stored on or alongside the device and is not protected by a guessable password. As an MSP, we often hear business owners say encryption is too expensive or too cumbersome, but full-disk encryption is now built into mainstream operating systems (BitLocker on Windows Pro and Enterprise, FileVault on macOS, LUKS on Linux) and is readily affordable for any business size, especially compared with the financial repercussions of a breach.
Third, keep your data retention and destruction practices current. This is especially important for healthcare organizations, which should not keep PHI any longer than the law and their retention schedule require; seven years of backups on one unencrypted drive is seven years of exposure. When it’s time to destroy sensitive data, follow the correct protocols (cryptographic erasure or physical destruction of the media, not simple deletion), especially if you store backups on-premises with only a physical lock as a barrier, which is highly inadvisable.
Finally, encrypting your backups is just as important as encrypting your main devices. Failing to do so is like locking the front door of your home but leaving the back door wide open. Backups are often forgotten or given secondary protection by business owners, but as the Denton breach shows, backup data is just as critical as anything kept on active devices and should receive the same level of protection: encrypt the backup set, keep the key separate from the media, and test that a restore actually works with that key.
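The backup-encryption lesson above, as an added example that is not part of the original post and not MyITpros tooling: a small Go program that seals a backup image with AES-256-GCM, keeps the key as a separate artifact, and shows what a thief holding only the drive gets. The record contents are a constructed sample, not real patient data, and the function names (NewBackupKey, EncryptBackup, DecryptBackup) are my own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const keyLen = 32 // AES-256

// NewBackupKey generates a fresh random key. Store it away from the backup
// media (a KMS, password manager or HSM); a key kept in the same closet as
// the drive hands the thief everything at once.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptBackup seals a backup image with AES-256-GCM. Output layout:
// 12-byte random nonce || ciphertext || 16-byte authentication tag.
// GCM gives confidentiality and integrity, so a modified blob is rejected
// on restore instead of silently restoring corrupted records.
func EncryptBackup(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // never reuse a nonce under one key
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce, so one blob carries everything
	// needed for a restore except the key.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptBackup reverses EncryptBackup. It fails closed on a wrong key, a
// truncated blob, or any flipped bit in nonce, ciphertext or tag.
func DecryptBackup(key, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("backup blob too short to be valid")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, fmt.Errorf("key must be %d bytes for AES-256, got %d", keyLen, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample record standing in for a backup image; not real data.
	record := []byte("name=Jane Doe;ssn=000-00-0000;dx=hypertension")

	key, err := NewBackupKey()
	if err != nil {
		panic(err)
	}
	blob, err := EncryptBackup(key, record)
	if err != nil {
		panic(err)
	}
	// What the thief walks away with: no plaintext field survives in the blob.
	fmt.Println("plaintext visible in stolen blob:", bytes.Contains(blob, []byte("Jane")))

	// A wrong key (or a tampered blob) is rejected rather than yielding garbage.
	_, err = DecryptBackup(make([]byte, keyLen), blob)
	fmt.Println("restore with wrong key:", err)

	// The legitimate restore, with the key fetched from its separate store.
	plain, err := DecryptBackup(key, blob)
	fmt.Println("restore with right key:", err == nil && bytes.Equal(plain, record))
}
```

In production the plaintext would be a streamed archive rather than a byte slice held in memory, and the key would be wrapped by a KMS or derived from a strong passphrase with a slow KDF; the point the example makes is the same either way: the drive alone is worthless without the key, and the key must never be stored with the drive.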
At the risk of sounding redundant, encrypting your data is absolutely paramount in protecting your business. It also has a concrete legal payoff: under the HIPAA Breach Notification Rule, PHI encrypted in line with HHS guidance is not considered “unsecured” PHI, so the theft of a properly encrypted device whose key was not also compromised generally does not trigger a reportable breach, or the notification costs, fines and lawsuits that follow one. Did you know MyITpros now offers encryption services as part of our endpoint security services for managed services clients? Please contact us today for more information!