AlertBoot Endpoint Security

Full Disk Encryption Software Not Used In Breached John Muir Health Laptops

The John Muir health system in Northern California has announced a breach of data for nearly 5,500 patients.  It occurred in February when two laptops were stolen from the perinatal office in Walnut Creek, where the company is based.  The laptops were not protected with drive encryption software; they were, however, password-protected.

Took Them Two Months to Notify

The breach occurred in February; the notification letters were not sent out until this month.  Why the two-month delay?  John Muir's privacy officer was quoted in the San Francisco Business Times as saying, "we wanted to make sure we had accurate information and could address questions from our patients."

Not that I doubt the privacy officer, but perhaps there is another reason as well: the HHS regulation "requires the notifications to be made without unreasonable delay but in no case later than 60 calendar days after discovery of the breach," a result of HIPAA amendments under the HITECH Act.  Even if the hospital had wanted more time to prepare, it would clearly have been constrained by federal regulations and would have had to go with what it had.

The breach, according to mercurynews.com, only affects patients who visited the John Muir perinatal office in Walnut Creek sometime in the past three years, although a different source quotes "experts" who claim the data goes "back more than three years."

Adequate Security in Place?

John Muir officials noted that they had adequate security in place, including a locked building and password-protected laptops.  That is a weird statement to make, since in the same breath they point out that, as a result of the breach, they have implemented the use of data encryption software at the perinatal office and are extending its implementation to computers throughout the hospital.

Don't you find it weird?  Usually, people shore up the weakness that led to the unwanted consequence, and in this case the weakness was physical security.  So, it would have been natural to invest in better windows, better locks on the doors, more guards, etc., as part of the security upgrade.  Instead, the hospital system decided to implement encryption software on computers holding sensitive information.

I mean, what about the password protection that was used on the laptops?  Its efficacy is unaffected by the break-in: clearly, password protection doesn't become less or more effective because someone stole a laptop.  So, it seems weird that, of all the security upgrades John Muir could have chosen, it opted for encryption.

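The distinction the post keeps circling, a login password on the laptop versus encryption of the data on its disk, is something an endpoint inventory should be able to verify rather than assert.  The following is an added example, not code from the post or from AlertBoot: it parses the key="value" output of `lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT` on a Linux laptop and lists every mounted filesystem that does not sit on top of a dm-crypt (LUKS) mapping.  The two lsblk outputs embedded below are constructed samples, one for a LUKS-backed root and one for a laptop that is only password-protected at login; the Windows equivalent would be checking `manage-bde -status`, which this example does not cover.

```python
import shlex
from typing import Dict, List

# Constructed sample of `lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT`
# for a laptop whose root filesystem lives on a LUKS volume (not real host data).
ENCRYPTED_LAPTOP = """\
NAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="cryptroot" PKNAME="sda2" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/"
"""

# Constructed sample for a laptop that is only password-protected at login:
# the filesystems holding user data are plain ext4 directly on the partitions.
PLAIN_LAPTOP = """\
NAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/"
NAME="sda3" PKNAME="sda" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/home"
"""


def parse_lsblk_pairs(output: str) -> Dict[str, Dict[str, str]]:
    """Parse `lsblk -P` lines (KEY="value" pairs) into {NAME: {column: value}}."""
    devices: Dict[str, Dict[str, str]] = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        fields: Dict[str, str] = {}
        # shlex handles the quoting, including mount points that contain spaces.
        for token in shlex.split(line):
            key, _, value = token.partition("=")
            fields[key] = value
        devices[fields["NAME"]] = fields
    return devices


def is_encrypted_at_rest(devices: Dict[str, Dict[str, str]], name: str) -> bool:
    """True if the device, or any ancestor reached via PKNAME, is a dm-crypt mapping.

    Only TYPE="crypt" counts: a partition with FSTYPE="crypto_LUKS" but no open
    mapping is not serving data, and a filesystem mounted directly on a plain
    partition is readable by anyone holding the drive, whatever the login password.
    """
    seen = set()
    while name and name in devices and name not in seen:
        seen.add(name)
        if devices[name].get("TYPE") == "crypt":
            return True
        name = devices[name].get("PKNAME", "")
    return False


def unencrypted_mounts(output: str) -> List[str]:
    """Return the sorted mount points whose backing chain contains no crypt layer."""
    devices = parse_lsblk_pairs(output)
    exposed = []
    for name, fields in devices.items():
        mountpoint = fields.get("MOUNTPOINT", "")
        if mountpoint and not is_encrypted_at_rest(devices, name):
            exposed.append(mountpoint)
    return sorted(exposed)


if __name__ == "__main__":
    for label, sample in (("encrypted", ENCRYPTED_LAPTOP), ("plain", PLAIN_LAPTOP)):
        print(f"{label}: unencrypted mounts = {unencrypted_mounts(sample)}")
```

On the LUKS-backed sample the only exposed mount is `/boot/efi`, which is normal: the EFI system partition holds no patient data and must be readable by firmware.  On the password-only sample, `/` and `/home` both come back exposed, which is exactly the state of the stolen laptops described above.  A fleet-wide sweep that collects this lsblk output from each endpoint and flags any data mount in the exposed list gives the evidence a safe-harbor claim under a breach notification law would need.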
I'm not complaining; it's actually the right move.  You can spend far more money on solutions that don't provide as much information security as whole disk encryption or file encryption from companies like AlertBoot.  Based on the "security bang" for the buck, one could do much, much worse.  (Ever seen a four-figure retinal scanner controlling access through a frosted glass door?  I mean, what's that all about?  How's the scanner going to protect against a hammer through the door?  Answer: it's not.)

In the past I would have complained that this is just typical behavior, where the people in charge of data security fix the proverbial barn door after the horses have fled.  And I still do.  But my criticism is tempered by my reading of Traffic: Why We Drive The Way We Do (a pretty good read so far, actually).

The Above Average Effect

As the book notes, a large majority agrees about the need for better traffic laws, such as making illegal the act of texting-while-driving.  A large majority also admits to engaging in texting-while-driving.  It's insanity, really.

But, this is explained by the fact that most people think they're better than average, the "Lake Wobegon effect."  It's the others that are at fault; I'm doing perfectly fine.

This probably explains why so many companies take up encryption only after a breach strikes them.  They hear the breach horror stories; laugh at another company's lack of intellectual acuity; convince themselves that they're fine (denial and the above-average effect); and then have to eat crow when disaster occurs...because their security practices are pretty much the same as everyone else's.

What this probably means is that we need a social construct to better encourage the adoption of effective security practices.  For all its weaknesses, I'd say that the provision of safe harbor for encrypted information under data breach notification laws is making more sense than ever.


Related Articles and Sites:
http://www.bizjournals.com/sanfrancisco/stories/2010/04/05/daily9.html
http://www.californiahealthline.org/articles/2010/4/6/john-muir-health-system-notifying-5450-patients-of-possible-data-breach.aspx

 
<Previous Next>

Laptop Encryption Software: US Dept Of Justice Criminal Division Falls Short In Protecting Laptops

ICO Gains Power To Fine Companies Today, April 6, 2010

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.