In this day and age, it's hard to believe that any HIPAA covered entity or business associate would not be using encryption software on their laptops on purpose. Except that they are, as the following story on Horizon Blue Cross Blue Shield, based in New Jersey, shows. And, technically, BCBSNJ could be HIPAA compliant even if the theft of said laptops affects hundreds of thousands of patients.
Sales of desktop computers have been declining for decades now. Laptops reigned supreme during the desktop's downward trajectory, and it wasn't (and isn't) unusual to see people using stationary laptops for their computing needs, even though laptops are designed for non-stationary use.

One way to ensure that laptops do not make their way outside a building is to affix them in some manner. Generally, a cable lock is used to secure laptops to desks. Since the machines cannot be taken outside the building's perimeter, it's assumed that they, and the data stored on them, are safe from unauthorized eyes.

Except, of course, that all it takes to trump the cable lock is a pair of $20 bolt cutters. The type you can get at any hardware store and hide in your jacket. Contrast that to a properly designed medical encryption solution like AlertBoot, which requires anywhere from thousands to tens of thousands of dollars to even begin to make a dent in its security, and you can see why encryption is a better way to protect data.

(Actually, to be completely fair, I should note that you can also "decrypt" a laptop with a pair of $20 bolt cutters. You tie down a guy who knows the password and start whacking him with the bolt cutters. At some point he will spit out the password. But then, the charges against the owner of the bolt cutters will be much, much graver than snipping a 1/8" wire.)

This is the thing, though: under HIPAA, locking down a laptop computer is actually seen as an adequate alternative to the use of encryption, depending on the circumstances.
So, Horizon Blue Cross Blue Shield was perfectly within its rights and was compliant with HIPAA (as far as I can see) if it opted to lock down its laptops as opposed to locking down its data. As nj.com reported:

The stolen laptops were password-protected, but had unencrypted data.... At the time they were stolen, the computers were cable-locked to employee workstations...the cable-locks apparently were "tampered with and damaged" in the incident, which took place on the eighth floor of 3 Penn Plaza. The laptops were MacBook Pros, the report said.
As a result, nearly 840,000 people were affected by the theft of two laptops. PHI such as names, addresses, dates of birth, SSNs, and clinical information was breached.

There are two things that are scandalous about this story, at least in my eyes. First, this is not the first time that the company has experienced a data breach. In 2008, approximately 300,000 people were affected when a laptop was stolen. In that case, the data was "programmed" to be destroyed after the laptop was stolen, but the word "encryption" is missing from any stories I've unearthed regarding it, leading me to believe that encryption may not have been used.

On the other hand, aside from encryption, there's very little that can be used to remotely destroy data. (With encryption, the data is destroyed by destroying the encryption key; without the key, the ciphertext left on the disk is irrecoverable.) Regardless, BCBS had already experienced a data breach, so excusing the lack of encryption is difficult to justify.

Second, Macs come with free encryption. Depending on the operating system, a free copy of FileVault or FileVault 2 (the latter being the true FDE solution, although the former is also a decent option) is available on MacBooks; it doesn't even have to be downloaded. For a company that is bound by HIPAA, it's astounding that they didn't make use of it, especially considering that using it is no different for the end user than using password protection.

While BCBSNJ may have followed the letter of the law, it's debatable whether it followed the spirit of it. The Office for Civil Rights at HHS, which is charged with investigating such incidents, may not look too kindly on BCBS if it arrives at the same conclusion.
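The two points made above, that a login password does nothing for the bytes on a stolen drive while full-disk encryption does, and that "remote destruction" of encrypted data is really destruction of the key, are shown below in a small Go model of a laptop drive. This is an added example, not code from this post or from any product it mentions (it is not how FileVault or AlertBoot is implemented); the `EncryptedVolume` and `PlaintextVolume` types, the `CryptoErase` method and the sample PHI record are all constructed here for illustration, and AES-256-GCM stands in for whatever disk-encryption mode a real product uses.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample record standing in for the PHI held on a stolen laptop.
var sampleRecord = []byte("name=Jane Doe;dob=1970-01-01;ssn=000-00-0000;dx=example")

// EncryptedVolume models a full-disk-encrypted drive: what sits on the platters
// is ciphertext, and the data-encryption key (DEK) lives somewhere else (on a
// real system wrapped by the user's passphrase or a hardware key store; here it
// is simply a field so the example stays self-contained).
type EncryptedVolume struct {
	dek   []byte // AES-256 key; zeroized by CryptoErase
	nonce []byte
	disk  []byte // ciphertext exactly as stored on disk
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewEncryptedVolume(plaintext []byte) (*EncryptedVolume, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aead, err := newAEAD(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &EncryptedVolume{dek: dek, nonce: nonce, disk: aead.Seal(nil, nonce, plaintext, nil)}, nil
}

// Unlock is what the legitimate owner does at boot: decrypt with the DEK.
func (v *EncryptedVolume) Unlock() ([]byte, error) {
	aead, err := newAEAD(v.dek)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, v.nonce, v.disk, nil)
	if err != nil {
		// GCM refuses to return garbage: a wrong or destroyed key fails authentication.
		return nil, errors.New("decryption failed: key missing or wrong")
	}
	return pt, nil
}

// RawDisk is what someone holding the stolen hardware can read without ever
// seeing a login prompt: the bytes on the drive.
func (v *EncryptedVolume) RawDisk() []byte { return v.disk }

// CryptoErase is the "remote destroy" idea: overwrite the DEK with zeros. Not a
// byte of ciphertext changes, but without the key it is unrecoverable.
func (v *EncryptedVolume) CryptoErase() {
	for i := range v.dek {
		v.dek[i] = 0
	}
}

// PlaintextVolume models a "password-protected" laptop with no FDE: the login
// password gates the OS session, not the bytes on disk.
type PlaintextVolume struct{ disk []byte }

func NewPlaintextVolume(plaintext []byte) *PlaintextVolume {
	return &PlaintextVolume{disk: append([]byte(nil), plaintext...)}
}

func (v *PlaintextVolume) RawDisk() []byte { return v.disk }

// RecordExposed reports whether the sample record is readable straight from the
// raw disk image, i.e. whether a breach notification would be warranted.
func RecordExposed(raw []byte) bool { return bytes.Contains(raw, []byte("ssn=")) }

func main() {
	plain := NewPlaintextVolume(sampleRecord)
	fmt.Println("password-only laptop, PHI readable from disk:", RecordExposed(plain.RawDisk()))

	enc, err := NewEncryptedVolume(sampleRecord)
	if err != nil {
		panic(err)
	}
	fmt.Println("FDE laptop, PHI readable from disk:", RecordExposed(enc.RawDisk()))
	pt, _ := enc.Unlock()
	fmt.Println("FDE laptop, owner unlock recovers data:", bytes.Equal(pt, sampleRecord))

	enc.CryptoErase()
	_, err = enc.Unlock()
	fmt.Println("after key destruction, unlock error:", err)
}
```

The design point is the last step: a real disk-encryption product does not need to reach every block of a stolen drive to "destroy" the data, it only needs to make the key unavailable, which is why the 2008 "programmed to be destroyed" claim only makes sense if the data was encrypted in the first place.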