AlertBoot Endpoint Security

Drive Encryption Software: Alaska DHHS To Pay $1.7 Million Settlement For HIPAA Data Breach

The Alaska Department of Health and Social Services (DHSS), the state's Medicaid agency, has agreed to settle all HIPAA violation charges for $1.7 million. By some accounts it is the second-largest HIPAA fine in history, and it is certainly the first against a state agency. All of it could have been avoided with the simple use of a disk encryption software program like AlertBoot.

USB Disk, Car at the Heart of the Breach

Around October 12, 2009, a USB hard drive containing electronic protected health information (PHI) was stolen from a DHSS computer technician's car. The data breach was promptly reported to the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which began investigating the Alaska DHSS in January 2010.

The investigation led the OCR to conclude that Alaska DHSS failed in several areas:

  • Did not complete a risk analysis;
  • Did not implement sufficient risk management measures;
  • Did not complete security training for DHSS workforce members;
  • Did not implement device and media controls; and
  • Did not address device and media encryption.

What HIPAA Requires

Not all of the above are actions required under HIPAA. For example, the last point, the use of encryption software, is an "addressable" implementation specification, not a required one. That is, a HIPAA-covered entity may choose between encryption and some other measure to protect PHI. HHS says plainly that data encryption tools are not mandatory for protecting PHI:

Is the use of encryption mandatory in the Security Rule?

Answer:

No. The final Security Rule made the use of encryption an addressable implementation specification. See 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii). The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.

The caveat to not using encryption is that you must then provide some other, equivalent method of securing PHI and document why it is reasonable and appropriate. For example, you could weld a completely thief-proof strongbox to an employee's car, to be used whenever that employee transports an unencrypted laptop.

That solution, of course, is absurd. Once you weigh the time, expense, and remaining vulnerabilities of the welded strongbox against disk encryption, encryption is clearly the better choice. In a sense, encryption is the minimum you can do to protect PHI.


Related Articles and Sites:
http://www.alaskapublic.org/2012/06/26/state-pays-large-settlement-for-patient-privacy-breach/
http://www.healthcarefinancenews.com/news/data-breach-leads-17m-fine-alaska-dhss
http://www.phiprivacy.net/?p=9683
http://www.scmagazineuk.com/alaska-department-of-health-and-social-services-facing-17-million-hipaa-fine-for-2009-breach/article/247784/

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.