AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

HIPAA Encryption: Houston Methodist Hospital Reports Theft Of Encrypted Laptop

Houston Methodist Hospital has reported that 1,300 people were affected when a laptop and paper files were stolen this past Thursday. According to reports, the hospital had installed laptop encryption software on the stolen computer which, under HIPAA rules, absolves it of the need to report this particular "data breach."
So why report it?

HIPAA Covers Paper Files, Too

Well, there could be a number of reasons why Houston Methodist Hospital decided to go public with the data breach.  Of course, the presence of encryption software is grounds for Safe Harbor because the data is protected from unauthorized eyes.  But, it's more accurate to say it's one of the conditions for Safe Harbor.  Among other things, Houston Methodist Hospital must also make sure that:
  • They used an encryption solution that lives up to NIST's requirements (a FIPS 140-2 validation from NIST automatically makes it a proper solution under HIPAA).
  • They must be able to prove that they encrypted the laptop.  For example, AlertBoot's encryption status monitoring (and report) would be ideal as evidence of encryption.
  • They must be relatively sure that there was no way around the encryption.  For example, a Post-It with the password was not stuck to the bottom of the laptop.

Then there are the paper documents.  Unlike digital data, encrypting paper documents is not practical.  Chances are the missing documents, which probably had PHI on them, are the real reason why Houston Methodist Hospital decided to go public about the breach (especially since the federal law requires it if more than 500 people are affected).

What surprises me most about the entire situation is that they (a) decided to mention the laptop, which they didn't really need to do (unless Safe Harbor requirements were not met), and (b) didn't even wait one week to go public. In fact, they lost the laptop and the files on December 5, and the first report of it was in a December 6 article at chron.com. It took them one day.

Plus, they knew exactly how many people were affected and what was stolen (which included names, SSNs, and dates of birth), and had started the process of contacting the individuals. It's like they were prepared for it, which means they've been reading up on their HIPAA Security rules (which also leads me to believe that they used a proper encryption solution).

It's a shame that these things happen, but Houston Methodist Hospital's case shows how quickly a covered entity can respond if they're doing things right.

 

Related Articles and Sites:

http://www.phiprivacy.net/tx-laptop-with-houston-methodist-hospital-patient-info-stolen/
http://www.chron.com/default/article/Laptop-with-Methodist-patient-info-stolen-5043012.php
http://www.khou.com/news/local/Identity-information-of-1300-Methodist-Hospital-patients-stolen-234826171.html
http://www.bizjournals.com/houston/morning_call/2013/12/laptop-containing-patient-information.html
 
About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.