AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

HIPAA BYOD Security: Massachusetts Eye and Ear Infirmary Pays $1.5 Million To Settle PHI Breach

Massachusetts Eye and Ear Infirmary (MEEI), a Boston hospital overlooking the Charles River and Longfellow Bridge, has agreed to settle a HIPAA PHI breach case for $1.5 million.  The breach occurred when a laptop computer was lost during a 2010 medical conference in South Korea.  The computer was not protected with laptop encryption software, although it did feature a sort of LoJack for computers.

Device Tracking and Data Deletion: Sometimes a Little Too Late

When considering security for BYOD initiatives, many professionals look at remote data wiping and device encryption as top requirements.  This is common sense: devices get lost, and because the odds of recovering them are slim, a method to ensure that the data in said devices is not accessed is a much sought-after solution.

Laptops are devices as well, and they're part of the burgeoning BYOD trend (if not the pioneer of this awkwardly named trend).  Oddly enough, the professionals appear to feel safe just installing tracking software without any encryption whatsoever, despite the higher probability of laptops carrying lots of sensitive data.  In MEEI's case, the lost laptop held records for approximately 3,500 patients spanning a twenty-year period.

The problem with tracking and remote wiping software is that you need a network connection.  If a thief steals a laptop or a smartphone, where is the guarantee that it will connect to a network?  The odds are high for the smartphone, it is a phone after all, but for a laptop?  MEEI found out the hard way that a connection is not guaranteed: it took nearly a month for the laptop to show up on the hospital's radar.

Snowball Effect: HIPAA Investigation

The data breach triggered an investigation of MEEI's data security practices by the Department of Health and Human Services Office for Civil Rights, the branch of the US federal government that is charged with enforcing HIPAA and HITECH (which amended and updated HIPAA).

OCR found that the hospital demonstrated "a long-term, organizational disregard for the requirements of the Security Rule," according to bna.com, and the finding resulted in a fine of $1.5 million, the maximum civil monetary penalty that can be assessed on a HIPAA covered entity.  Mind you, the penalty was not just for the loss of the laptop computer.  Rather, OCR found:

six areas of potential past non-compliance which were addressed by Mass. Eye and Ear between October 2009 and June 2010. These areas of potential non-compliance were primarily focused on controls to protect health information accessed or stored on portable electronic devices, such as laptop computers. [masseyeandear.org]

The six problematic areas include (hhs.gov):

  • Conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices,
  • Implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices,
  • Adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices, and
  • Adopting and implementing policies and procedures to address security incident identification, reporting, and response.

In addition to the monetary penalty, MEEI agreed to the following:

In addition to the $1.5 million settlement, the agreement requires MEEI to adhere to a corrective action plan, which includes reviewing, revising, and maintaining policies and procedures to ensure compliance with the Security Rule. An independent monitor will conduct assessments of MEEI’s compliance with the corrective action plan and render semi-annual reports to HHS for a 3-year period. [hhs.gov]

MEEI's Disappointment Begets My Disappointment

My understanding is that the Massachusetts Eye and Ear Infirmary is an excellent medical institution, the latest developments notwithstanding.  While I was disappointed to hear that they had suffered one of the most prosaic data breaches possible, something in their post-settlement statement triggered an even bigger sense of disappointment (my emphasis):

The review of Mass. Eye and Ear by the U.S. Department of Health and Human Services (HHS) was triggered by the hospital’s proactive self-reporting of a doctor’s unencrypted laptop being stolen while he was traveling abroad in 2010.  Mass. Eye and Ear has no indication that any patients were harmed by this isolated incident.

Proactive self-reporting?  HITECH's Breach Notification Rule makes it clear that it is the law to report such incidents within 60 calendar days of the HIPAA-covered entity discovering (or being alerted to) the PHI data breach.  The term "proactive self-reporting" tends to imply, in my opinion, that MEEI did not have a duty to report this breach but did so voluntarily, which is clearly not the case.

From this standpoint, it is no different from PR moves by insurance companies who send breach notification letters to clients, noting that they're doing so "out of an abundance of caution" instead of 'fessing up that they're forced to do so under the Breach Notification Rule.

I don't think too highly of this particular practice, and I must say I'm a little saddened to see Mass Eye and Ear engaged in a similar move.


Related Articles and Sites:
http://www.fiercehealthit.com/story/boston-teaching-hospital-fined-15m-ephi-data-breach/2012-09-18
http://threatpost.com/en_us/blogs/massachusetts-hospital-agrees-pay-15m-after-stolen-laptop-hipaa-violation-091912
http://www.bna.com/massachusetts-hospital-agrees-n17179869754/
http://www.masseyeandear.org/news/press_releases/recent/Resolution_Agreement/
http://www.hhs.gov/news/press/2012pres/09/20120917a.html

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.