One of the ongoing debates between IT vendors and HIPAA covered entities is whether PCs – that is, desktop computers – need to be encrypted. The position we hold at AlertBoot is that, if you are using encryption software to protect the contents of a laptop computer used in the office, you cannot justify not doing the same for a desktop PC.
Yet, when it comes to desktop computer encryption, most covered entities balk. The reason tends to be twofold. First, encrypting a desktop computer is not free; it costs as much as encrypting a laptop computer, and, as is usually the case, the fewer computers you encrypt, the less it costs.

Second, there is a preconceived notion that because a desktop computer is less portable than a laptop, it must also be harder to steal. Nothing could be further from the truth. They say that seeing is believing, so take for example this case from Salina Regional Health Center.
In the embedded video, you can see a man prowling around what appears to be a hospital. He is holding a stuffed bunny rabbit, which I assume serves as a prop to convince anyone watching that he has a reason for being there.

A number of different camera shots later, he is walking out the emergency exit with some dark, slightly bulky object. I had to rewind the video (or whatever it is you do on YouTube) to work out that the object in his hands looked dark because he had wrapped it in his jacket. Had I not known the video was part of a story about a stolen computer, I wouldn't have known what it was. Initially, I thought maybe he was delivering a pizza or something, which didn't quite make sense.

This is the point: stealing a desktop computer is not as hard as people think. It is harder than stealing a laptop, just as stealing a laptop is harder than stealing a smartphone, but none of the listed misdemeanors is especially hard to commit. Cumbersome is probably more on the mark.
According to the story, the Salina computer theft resulted in the loss of a $1,000 computer and $100 in damages. However, if the computer contains PHI (which it doesn't sound like... but then, who knows really? Data always ends up somewhere it's not supposed to), then the actual damages would be astronomically higher: the cost of notifying patients under HIPAA's Breach Notification Rule; the perceived damage to the health center's image; the cost of defending itself from a (possibly baseless) lawsuit; etc.

Would full disk encryption prevent all of these costs deriving from breaching HIPAA rules? Absolutely. Under the Breach Notification Rule, PHI that is encrypted in line with HHS guidance is not "unsecured" PHI, so the theft of a properly encrypted computer (one whose decryption key was not stolen with it) does not trigger patient notification in the first place.