For any company, having mobile devices such as laptops and tablets that can leave the office represents a security risk. For HIPAA covered entities, the risk increases. There have been many instances of a stolen laptop computer, left in a car outside an employee’s home, being the source of a severe data breach that left thousands of patients’ data at risk.
If such devices exist in your business, including laptops, tablets, or smartphones that access your network, it is important to consider them in your security plans. Make sure that the proper steps are taken to encrypt and manage them, that Acceptable Use Policies are in place and enforced, and that risk mitigation strategies are prepared in case of theft, such as being able to remotely lock or wipe a device’s memory.
It may seem unfair if a thief steals a valuable piece of office equipment, and then YOU are held responsible for putting the data on that device at risk. However, the Office for Civil Rights closely inspects whether or not your company had policies and risk management steps in place, and whether or not those steps were followed before and after the theft. This is often how it determines the severity of the fines it levies against companies.
Essentially, it is vitally important that you have proper Mobile Device Management policies in place and in action. You cannot prevent every data breach. You can only try to ensure that you have done everything possible to mitigate the risk.