AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

Data Encryption: HIPAA Data Breach Notification In Effect SEPT 23, 2009

The Health Insurance Portability and Accountability Act (HIPAA) has a new notification requirement that goes into effect next week, on September 23.  This requirement was part of the HITECH Act, which in turn was part of the American Recovery and Reinvestment Act of 2009.  Safe harbor is provided for healthcare providers and other covered entities if sensitive data is protected, such as with the use of hard drive encryption.

Some Regulation Details Of Interest

  • Affected people must be notified of a breach "as soon as reasonably possible," generally no later than 60 calendar days from the discovery, unless law enforcement requests otherwise

  • If 500 or more people are affected by the data breach, the Department of Health and Human Services (HHS) and the media must be notified as well

  • If a business associate to the covered entity discovers a breach, the covered entity must be notified (I assume it means the covered entity has to deal with the consequences)

  • Health information that was secured via encryption software or that was destroyed does not require a notification if there is a breach (kinda hard for one to exist for destroyed stuff...)

Criticism

There are people who are unhappy about the new regulations: they think the rules aren't strong enough or don't go far enough.

For example, under the new rules, a covered entity determines whether a data breach meets the HHS's harm threshold: a risk assessment is conducted by the covered entity that experienced the data breach to see if,

...there is a significant risk of harm to the individual as a result of the impermissible use or disclosure. In performing the risk assessment, covered entities and business associates may need to consider a number or combination of factors...[my emphasis.  p.42744, Federal Register / Vol. 74, No. 162]

Of course, the above is letting a fox guard the chicken coop: if a covered entity decides that there was no harm, there is no need to notify anyone--and, it's usually in the interest of a covered entity to find that a breach results in no harm (even if that's not the case).  There seem to be other loopholes, in my view, that would allow a healthcare provider to abstain from notifying people of a data breach.

On the other hand, I'm reading through these regulations, and I'm starting to get a headache trying to follow everything.  Maybe that's the point.  At some point, one's gotta realize that it's cheaper and more efficient to encrypt their data, and take advantage of the encryption safe harbor, than to hire a lawyer to see whether a breach notification is necessary or not.


Related Articles and Sites:
http://hr.blr.com/news.aspx?id=80759
http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.