AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size that want a scalable and easy-to-deploy solution. Centrally managed through a web-based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

HIPAA / HITECH Encryption: Is Cloud-Based AlertBoot Disk Encryption A Business Associate Under HIPAA Rules?

Healthcare organizations and other HIPAA covered entities are concerned about cloud-based services. As they should be: under HIPAA, covered entities are responsible for the security of ePHI (electronic protected health information); so, when a Business Associate (BA) causes a data breach, the covered entity is the one that is investigated by the HHS Office for Civil Rights, and possibly fined... up to $1.5 million!

According to an article at workplaceprivacyreport.com, many cloud vendors are taking the position that they are not business associates.  Rather, they argue, "they are conduits to [PHI]" like the US Postal Service, which temporarily holds PHI while it's being delivered from one place to another.

The chief privacy officer at the Office of the National Coordinator for Health IT, however, says that,
HHS has already noted that "a software company that hosts the software containing patient information on its own server or accesses patient information when troubleshooting the software function, is a business associate of a covered entity."
Furthermore, HITECH has apparently made it clear that cloud service providers are BAs.

AlertBoot is Not a BA.  It's not a Conduit, Either.

AlertBoot's unique cloud-based disk encryption software service cannot claim to be a conduit.  However, labeling it a Business Associate would also be erroneous because the AlertBoot cloud-based endpoint encryption service does not handle PHI.

Certainly, AlertBoot disk encryption secures a laptop's contents with strong AES-256 encryption; however, that content is never sent to the AlertBoot cloud.  The information that is exchanged between a secured endpoint (either a laptop or a desktop computer) and AlertBoot's cloud is neither health (patient) information nor an employment record.

There are certain identifiers that we store, yes: names, passwords (encrypted), email addresses, encryption keys (also encrypted), etc.  However, none of these are considered PHI in this particular case:  understanding what PHI is and isn't (some definitions here as well) might help clear up any preliminary concerns.

Related Articles and Sites:
http://www.phiprivacy.net/?p=11350
http://www.workplaceprivacyreport.com/2013/01/articles/data-security/are-cloud-service-providers-business-associates-under-hipaa-and-the-hitech-act/

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.