Oldendorf Medical Services, in Albany, New York, has announced a data breach. According to a short piece at timesunion.com, two laptops were stolen during a break-in on January 18. The laptops contained "minimal clinical information." Whether this information was protected with hard disk encryption was not mentioned.
But, given the capacity in which the computers were being used, I'd say it's safe to assume that the equivalent of AlertBoot endpoint security was not used.
The computers did include SSNs and other information for some.
A suspect is in custody for picking the locks to Oldendorf Medical Services' offices and stealing two laptop computers that were being used with cardiac test machines. One of the computers was "a pulse volume recording 'PVR' and the other was an endothelial peripheral arterial tone, or 'endopat.'" Both are used to detect coronary atherosclerosis, according to timesunion.com.
Computers that are part of medical equipment are generally not encrypted. While I'm not familiar with the reason why, I've always imagined it was due to compatibility issues. What these issues could be, I have no idea. However, it's the only explanation that makes sense, since medical equipment by definition collects patient data -- data that is considered protected health information (PHI) and requires protection under federal and state law.
That's not to say that it's impossible to protect PHI with encryption software when computers and medical equipment meet. I've had a chance to review medical equipment catalogs last year, and many of them mention how their such-and-such equipment now features AES-256 encryption and what not.
So what gives? Why now? I'd opine that it's based on a confluence of different forces.
First, progress in the technical arena. It's only within the past 10 years or so that computers have grown so powerful that the performance impact of full disk encryption software has become imperceptible. Backing up and storing data has also progressed to the point where it can be called "automated." Nothing is worse than finding that your patient data is on an encrypted computer that just died...and you don't have copies! Management of keys and such has also only recently become something other than overbearing.
Second, updated regulations and laws. Even today, the use of encryption is not mandatory in medical settings. However, HITECH, HIPAA amendments, and other federal and state laws make it almost impossible not to use encryption when it comes to PHI protection. While I won't go as far as saying that encryption is a selling point, the lack of it could very well be grounds for choosing someone else. Such laws and regulations have only been passed in the past 5 years or so.
Third, better public understanding. Let's get something straight: the odds of a patient coming into a clinic or other medical organization and inquiring whether their medical information is encrypted before subjecting themselves to a surgery, checkup, examination, etc. are close to nil. But, in the event of a data breach, you'll see that for the most part, it's the covered entities that didn't use encryption that pay dearly, be it in the courts or elsewhere.
Related Articles and Sites:
http://www.phiprivacy.net/?p=8866
http://www.timesunion.com/local/article/Laptops-stolen-from-Albany-doctor-s-office-2753512.php