Jay Ryerse is vice president at Digitel Corp., of Atlanta, a managed services provider for more than 12,000 small and mid-sized business clients.
At a medical practice in central Ohio, hundreds of laptops and tablets filled with HIPAA-protected electronic personal health information are transported between the practice’s five separate locations every day. The devices are carried by nurses, nurse practitioners, doctors, and IT staff who scurry between the offices, filling in where extra help is needed most depending on the day’s workflow.
Because these data-laden electronics are transported in the employees’ own vehicles, the devices’ vulnerability to loss and theft is particularly acute. As such, the practice needs to ensure that a lost device will not also risk a more costly and reputation-damaging data breach.
The practice has not always taken such care to protect its data. Prior to the HITECH Act of 2009, which governs the use of health information technology, the practice had no solution in place to safeguard electronic personal health information (ePHI) on these mobile devices and laptops, and there had indeed been equipment – and data – stolen and lost. The HITECH Act inspired the organization to change its behavior, as the law mandates audits of health-care providers to determine if they’re HIPAA-compliant.
After HITECH’s passage, the practice began to use encryption software, but not anything that could be installed remotely. This meant that to implement data encryption, each device would have to be sent through the mail to the managed services provider, have encryption software installed, and then be shipped back. This was a cumbersome process, to say the least, and in the interim the medical practice would have to run without the devices, dealing a blow to productivity. The practice also had trouble managing the encryption solution. There were incidents in which the practice would have encryption in place, but lose the keys to unlock it. With no way to recover the information on those machines, staff would have to wipe the hard drives and start anew.
The more capable and better-fitting solution the company uses now is a testament to the power of the cloud, which is where we, as the MSP, became involved. We switched the practice to a cloud-based mobile device management solution to protect the ePHI on its mobile devices. The system can be installed remotely, with encryption of sensitive files also remotely managed to ensure that data is always secure, and that the keys are never lost. It can also revoke user access and remotely delete data, both useful when a device is stolen or compromised.
We found it important to be clear with health care providers – who might be understandably cautious in adopting newfangled solutions given the legal and regulatory pressures they feel – in explaining to them that while these encryption and device management tools may be cloud-based, their data never enters the cloud. Nor do we, as the MSP, hold any means of access to their data. We want any client with apprehension about the safety of cloud-based security to know that the data itself remains local, and the encryption and access protections ensure that it’s highly secure.