The Case of the Missing Laptop

Missing (or stolen) laptops are a big deal, but, they are an even bigger deal in the heathcare vertical. The HIPAA/HITECH act essentially updated HIPAA in 2009 to take into consideration electronic health records (EHR) data as the industry continues to move from paper to electronic recordkeeping.

The HITECH Act now imposes data breach notification requirements for unauthorized uses and disclosures of “unsecured PHI.” These notification requirements are similar to many state data breach laws related to personally identifiable financial information (e.g. banking and credit card data) but with a twist. Under the HITECH Act “unsecured PHI” essentially means “unencrypted PHI.” If a breach impacts 500 patients or more then HHS must also be notified. Notification will trigger posting the breaching entity’s name on HHS website. Under certain conditions local media will also need to be notified.

At one of our recent deployments, a customer was faced with this exact problem. A manager was let go from the healthcare company but his laptop was not recovered as a part if his dismissal. For seven tense days the search was on with the question looming, will we have to post this as a self inflicted data breach on the HHS website. Normally, as described by the security team, they’d use their not-so-up-to-date asset database, the anti-virus server and a few Splunk searches to try to find the laptop.

Exabeam was able to show the laptop as having moved to another network zone and had been recovered by a different team. This kept the healthcare company from erroneously reporting the laptop as lost and potentially a physical data breach per HIPAA/HITECH.

Want to get a demo — Just press the button below!