Five computers have been stolen from Stone Oak Urgent Care & Family Practice ("Urgent Care"), leading to the breach of sensitive information for over 3,000 patients. Hard disk encryption like AlertBoot was not used to secure the medical information, although password-protection was present.
During the October 22 - 23 weekend, a thief or thieves pried open a door to gain access to Urgent Care's facilities. Five laptop computers with medical files for 3,079 patients were stolen. The files included names, Social Security numbers, dates of birth, account numbers, disability codes, diagnoses, and other information. Encryption software was not installed on the devices, but password-protection was present, the latter being one of the most insecure ways of protecting data.
That is not to say that password-protection can never protect data. However, the Department of Health and Human Services (HHS) considers data destruction and strong data encryption to be the only ways of guaranteeing data security (evidenced by the fact that data protected by these two methods are granted safe harbor from the Breach Notification Rule), which is indicative of what password "protection" means, security-wise.
The article at mysanantonio.com has an eye-popping statistic. Supposedly, "80 percent of hospitals don't encrypt data." Of course, I can't tell whether this is quoted out of context and refers to just laptops or involves any and all aspects of electronic data that can be encrypted, such as desktop computers, external drives, and even email.
Assuming that it involves devices that, due to their size, can be easily hidden and stolen, the figure implies that most medical establishments are just waiting to have a data breach. While this shouldn't come as a surprise considering what was revealed at a recent Senate Judiciary Subcommittee on Privacy, Technology, and Law meeting, the fact that it's estimated to be so high is quite stupefying.
Related Articles and Sites:
http://www.mysanantonio.com/business/article/Computers-containing-medical-info-stolen-2429542.php
http://www.phiprivacy.net/?p=8695
http://www.stoneoakinfo.com/node/76053