As I’ve preached before, if you are going to store PHI on a mobile device (laptop, external hard drive, etc.), you had better make sure that you encrypt the hard drive.
Typically, I am less concerned about desktop PCs and servers, as you should have proper physical security systems in place.
The recent Sutter Medical Foundation breach affected about 5 million patients, and it brings to light the further need to encrypt desktop computers.
The device stolen was a desktop PC.
So, should that computer have been encrypted?
From the standpoint of minimizing risk, I would say that either:
- This computer should have been encrypted, or
- The room that contained this computer should have a very high level of security.
The basic assumption that is typically made about a desktop PC or server is that it sits in a secure area.
Well, that may need to be revisited.
Again, if you have upwards of 5 million patient records on a computer, I’d say the best practice would be to not only encrypt the device, but also have a very secure work area.
What about your practice? You may “only” have a few thousand patient records in your EHR database.
Should your server be encrypted?
The knee-jerk reaction is, OF COURSE you should encrypt your server!
The more realistic answer is: encrypting your server may not be necessary if you have your server in a locked room.
Remember, it is not unusual to have many non-staff members roaming your office.
The cleaning crew is my favorite example, as they are usually there after everyone else is gone.
If the device on which you store your PHI is not either in a locked room OR fully encrypted, you are in danger of having an ugly breach.