Reminder to physicians and employees: Portable media devices must be encrypted

WVU Medicine Information Technology (IT) reminds all physicians, clinicians, and employees: Do not use portable media unless absolutely necessary. If you must use portable media, such as jump/thumb drives, USB drives, and external back-up drives, you must ensure that the devices are encrypted, as per organizational policy.

You are responsible for the protected health information (PHI) that you copy to any form of portable media, and it must meet the guidelines of the Security Standards for Mobile and Other Portable Devices policy.
 
Why is it crucial that you know and comply with this policy? If PHI is stored on a jump/thumb drive or external back-up drive and the drive is misplaced, our patients’ information is at risk for identity theft and medical fraud. In addition, the organization may be required to formally report the issue to the Office of Civil Rights (OCR) and face legal ramifications. 
 
Recently, our health system has experienced two incidents in which portable media – jump drives and external back-up drives – have gone missing.
 
Even if portable media is used in a physically secure environment, the media must be encrypted as per policy.
 
For assistance in ensuring that your portable media device is encrypted, contact the WVU Medicine IT Help Desk. Keep in mind that it is your responsibility to know and comply with our internal policies regarding privacy and security. Failure to do so could result in disciplinary action, up to and including possible termination.