Following the breach at Medicentres, in which the theft of a Medicentres IT consultant's laptop affected 620,000 patients, there has been renewed discussion of the importance of endpoint security in healthcare.
The stolen Medicentres laptop contained the unencrypted personal health information of 620,000 Albertans, including names, dates of birth, health card numbers, billing codes and diagnostic codes. The laptop was stolen in September 2013 and the breach was reported in January 2014. Medicentres was unprepared to deal with a data breach scenario and seemed surprised that the laptop was not better protected (though they had no formal policy to set security standards for contractors).
Health Minister Fred Horne notes that the Medicentres breach has exposed possible gaps in the Health Information Act, which provides “custodians with a framework within which they must conduct the collection, use and disclosure of health information.” The breach may spur amendments to the Health Information Act, particularly concerning the breach notification requirements.
Absolute Software’s Steve Treglia and Geoff Glave recently chimed in on CanHealth’s Technology for Doctors column talking about the importance of protecting healthcare data and how to deal with stolen devices.
“Canada is about where we were five years ago in the U.S. There were no heavy fines, penalties or massive oversight. I’m sure you’re going to see the process escalate in Canada as you see more of these big breaches and lawsuits. Canadian authorities are eyeing events south of the border, where the loss or invasion of each identity is valued at a thousand dollars in damages,” notes Steven Treglia.
Geoff Glave addresses the necessity of having healthcare data on the endpoint, rather than in a third-party database or transmitted over the Internet, as having that data on-hand facilitates patient care in many scenarios. There are, of course, ways to secure the data and to protect it if the device goes missing. Absolute Software offers Computrace, allowing organizations to delete data remotely if a device is lost or stolen. Since you can’t always rely on employees or contractors to quickly report a missing device, there are many alerts you can set up to determine if a device has gone outside a geographic boundary or is being tampered with.
Best of all, within Computrace, we offer secure compliance log documentation of when data was last accessed and when a data wipe occurred, allowing healthcare organizations to prove compliance and avoid costly breach notifications: if data hasn’t been accessed, and cannot be accessed, a notification is not required.
“In the States, and I’m sure someday very soon in Canada, if there’s a requirement to demonstrate that the encryption was never turned off even though the device was accessed, the reporting capabilities of our software can prove that. You can avoid civil suits and penalties if you can show the thief never actually touched or did anything with the data,” notes Geoff Glave.