InformationWeek reports on a proposal from the U.S. Department of Health and Human Services concerning mobile devices and the privacy of medical data:
In an attempt to eliminate the potential for patient data breaches on mobile devices, the Notice of Proposed Rulemaking (NPRM) for Stage 2 Meaningful Use has proposed that mobile devices, such as laptops, smartphones, and tablets, that retain patient data after a clinical encounter should have default encryption enabled.
Published by the Department of Health and Human Services (HHS) Thursday, the proposed rule for Stage 2 Meaningful Use for the Electronic Health Record (EHR) Incentive Programs noted the increasing number of reported breaches which involve lost or stolen devices.
“We agree that this is an area of security that appears to need specific focus. Recent HHS analysis of reported breaches indicates that almost 40% of large breaches involve lost or stolen devices. Had these devices been encrypted, their data would have been secured,” the NPRM for Stage 2 Meaningful Use states.
The HHS Health IT Policy Committee recommended that health delivery organizations take action to review encryption practices of electronic protected health information as part of their risk analysis. […]
The proposed measure comes amid several reports that confirm a significant number of patient data breaches have occurred due to the loss or theft of mobile devices. One study from the Ponemon Institute found that the frequency of patient data losses at healthcare organizations increased by 32% in 2011 compared to 2010, with 49% of respondents citing lost or stolen computing devices such as laptops, tablets, and smartphones.