The U.S. Department of Health and Human Services (HHS) breach notification rule has been in effect for little more than a year now. The rule requires all organizations that have experienced a data breach involving 500 or more patients to report the incident to local media outlets and HHS. As of Oct. 25, there have been 186 data breaches reported to HHS, affecting 5,022,572 individuals.

Of the 186 reported incidents, 42 percent involved the loss or theft of a portable computing device, such as a laptop, smartphone or USB drive. In an organization like ours, where a large portion of the data is considered confidential, portable computing devices are one of those hot-button items that keep privacy and security officers awake at night.
How do we protect our confidential data from loss or theft when storing it on a portable computing device? It’s simple: don’t store confidential data on portable computing devices, including DVDs, CD-ROMs, USB drives, portable hard drives, SD cards or any other portable storage device.
I know, there’s an exception to every rule. If, for whatever reason, you absolutely need to store confidential information on any type of portable device, it must be approved by your department head or chair and the device must be fully encrypted.
Encrypted USB drives are available from the Office of Information Security, and laptops can be fully encrypted by contacting Information Services. There is absolutely no reason why anyone should be putting our data or UTMB at risk.
According to Section 521.002 of the Texas Commerce and Business Code, the following personally identifiable information is considered confidential and must be encrypted if stored on a portable computing device or transmitted over a public network such as the Internet:
An individual's first name or first initial and last name in combination with any one or more of the following items:
  • social security number
  • driver’s license number or government-issued identification number
  • account number or credit or debit card number
Any information that identifies an individual and relates to:
  • the physical or mental health or condition of the individual
  • the provision of health care to the individual
  • payment for the provision of health care to the individual
Food for thought: An employee with the Department of Veterans Affairs takes home a laptop to catch up on some work. Over the course of the weekend, the laptop is stolen from the employee’s house. How much did the stolen laptop cost the Veterans Administration? Answer: About $1,500 for the laptop and another $48 million for the 27.5 million veterans whose personal records were stored on the laptop and considered compromised.
Remember Sec-U-R-IT-y