AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

March 2014 - Posts

  • HIPAA Lawsuit Cost: 168K PHI Data Breach Suit Filed Against Sutherland Healthcare Solutions

    Sutherland Healthcare Solutions is facing a lawsuit that’s seeking class-action status.  It is the outcome of an office burglary where computers were stolen, resulting in the loss of protected health information (PHI) for approximately 168,500 people.  PHI encryption software was not used, apparently, as one of the complaints is that the “company failed to encrypt the data stored on the computers.”

    Allegations and Compensation

    In addition to the lack of encryption software, the use of which is a core component of HIPAA’s guidelines for securing data, the lawsuit alleges that, per latimes.com, Sutherland didn’t notify patients of the data breach “in a timely fashion” and did not provide enough relief (the words “woefully insufficient” are quoted).

    The lawsuit is seeking further “compensation” in the form of:
    additional credit monitoring and credit repair services, identity theft insurance, home security systems and other costs for the patients whose data was taken. It also asks the court to order the county to require more stringent procedures to protect private and confidential data in future contracts.
    I tend to side with the ultimate victims in such cases, to be honest (“ultimate victims” because Sutherland is a victim, too, although it’s doubtful that they’ll have to worry about their credit history being trashed), but home security systems?  According to an earlier story, the following information was on the stolen computers, but free ADT services sound like overdoing it a tad:
    The computers contained data including patients' first and last names, Social Security numbers and certain medical and billing information, and they may also have included birth dates, addresses and diagnoses. [latimes.com]
    Of course, when eight computers (and two monitors) are stolen, it’s kind of a miracle that this was the extent of the breach.

    PHI Encryption: Where Was It?

    The surprising aspect of this story, however, is the lack of encryption on these computers.  Why would they not be encrypted?  Sutherland, which did billing and collections for the state (more specifically, for LA County), would have been classed as a business associate under HIPAA rules.  This means that Sutherland would have to comply with pretty much all aspects of HIPAA, and one of the basic, core practices is to encrypt any computers that store PHI.

    It’s so basic that there really shouldn’t be any need to remind people of it.  On the other hand, people seem to have problems understanding the importance of fastening seat belts, so, perhaps I shouldn’t be surprised.

    And, Sutherland shouldn’t be surprised that they’re being sued because of it, either.

    Chances are, though, that Sutherland will win the suit before it even has its day in court.  To date, not a single lawsuit stemming from a HIPAA data breach has been won by plaintiffs.

    Related Articles and Sites:
    http://www.latimes.com/local/lanow/la-me-ln-county-medical-breach-20140314,0,6027071.story
    http://articles.latimes.com/2014/mar/06/local/la-me-patient-data-stolen-20140307
    http://www.phiprivacy.net/where-theres-a-breach-theres-a-lawsuit/
  • HIPAA Breach Cost: Skagit County Government Settles For $215K

    The Department of Health and Human Services (HHS) has announced a settlement over a data breach with the county of Skagit in Washington state.  While the settlement was ultimately over a number of issues -- including the inadequate protection of PHI for nearly 1,600 people -- the initial breach that instigated the settlement involved a mere seven people.  The proper use of encryption software could have prevented the entire situation, assuming it was an appropriate approach, because HIPAA regulations allow for safe harbor if sensitive data is either encrypted or destroyed.

    First Settlement with a County Government

    The HHS’s deputy director of health information privacy was quoted as saying:

    “This case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size…. These agencies need to adopt a meaningful compliance program to ensure the privacy and security of patients’ information.” [phiprivacy.net]

    The message appears to be that government entities are not exempt from HIPAA rules (obviously, they were never exempt per the letter of the law, but there’s the law and then there’s the actual practice of doing things), and the number of people affected doesn’t really factor into whether the Office for Civil Rights (OCR) will go after a covered entity when there is a breach of HIPAA.

    Indeed, past settlements range from situations that affected fewer than 200 people (Mass General Hospital, settled for $1 million in 2011) to ones affecting over 1 million people (BCBS Tennessee, settled for $1.5 million in 2012).

    The message, then, is loud and clear (and consistent): every HIPAA breach counts, regardless of how small or big it is, and whatever the entity may be, it needs to take HIPAA and the HITECH amendments seriously.  There is no “pass” just because you fit (or don’t fit) a certain superficial profile.

    What to Do

    So what is a HIPAA covered entity to do?  There are many things that need to be considered.  HIPAA/HITECH guidelines are complex, long, sometimes incomprehensible, and seemingly contradictory.  However, there are certain areas where the guidance is clear, even if it is found not in the regulations per se but in the decisions that OCR has taken.

    First, ensure that PHI encryption is used when digitally storing patient information.  While HIPAA does not strictly require the use of medical encryption programs, they’re not optional, either.  The rules essentially state that encryption, or something as good as encryption, must be used to protect ePHI.  There are loopholes to this, but the chances of a covered entity finding itself in such a situation are pretty rare.

    Second, make sure that everything is documented.  This includes the fact that you encrypted PHI.  There’s a difference between doing something and proving that you did something.  In the former, you’re taking care of your patients; in the latter, you’re taking care of yourself.  If something goes wrong, you have to be able to prove that you played by the rules.  For example, AlertBoot’s cloud-based full disk encryption and mobile device management for smartphones and tablets always (always!) generates an automatic report for each device that is protected.  The report has been used as documentation when the regulatory agencies and other overseers come around knocking.

    Third, remember that HIPAA/HITECH is not just about ePHI.  Plenty of paperwork is still on paper, and those records need to be secured in some fashion as well.

    There’s more, of course, but these should get you started in tackling some of the bigger, immediate things that need to be done.

    Related Articles and Sites:
    http://www.phiprivacy.net/wa-skagit-county-government-settles-potential-hipaa-violations/

  • Federal Data Breach Notification Law: Attorney General Calls On Congress For One

    US Attorney General Eric Holder has released a video asking Congress to create a national data breach notification framework, citing last year's Target and Neiman Marcus data breaches that affected over 70 million people.  Currently, data breach notification laws are a mishmash of different requirements (assuming a state has one at all; the last time I checked, 44 out of the 50 states plus Washington D.C. and a handful of US territories had some kind of notification law).

    A federal statute, along with simplifying things for businesses, could also introduce the right incentives to curtail future data breaches.  For example, HIPAA and HITECH are the main impetus behind the heightened need for security tools like laptop encryption software and smartphone encryption and management, now that smartphones and tablets are making their way into the medical workplace.

    The "First" Federal Data Breach Notification Law: HIPAA / HITECH

    Although the need for such security tools is a no-brainer (just read the comment section of any news article describing how a particular hospital or clinic lost their patients' data when a laptop, external hard drive, or USB flash drive went missing; you'll find that people are remarkably informed about HIPAA and encryption), most healthcare sector businesses, and their business associates, did not especially feel the need for encryption and other computer security tools.  At least, not for the first 20 years or so after HIPAA was first enacted.

    The US healthcare sector only started paying attention when a number of factors came together.

    First, the HITECH Act, which was instrumental in updating HIPAA and creating the Breach Notification Rule (BNR), went into effect.  The BNR has only two safe harbor clauses, of which only one is usable for practical purposes: you get respite from the BNR if and only if (1) the PHI data is encrypted or (2) the PHI data has been destroyed.  Obviously, the latter is not amenable to daily operations, making PHI encryption one of the cornerstones of patient data protection.

    Second, the Office for Civil Rights at the Department of Health and Human Services (HHS) got new enforcement powers... and started to use them.  Along with the BNR, the HHS got the power to fine organizations that breach HIPAA up to $1.5 million.  This alone didn't really mean much – the HHS had the power to assess fines well before HITECH, although the amounts were trifling – but soon after the amendment, a number of covered entities were fined the maximum amount in (semi) rapid succession.

    There are a number of other factors that play into the medical sector's change of stance on data protection – the dropping of the harm threshold, the direct inclusion of business associates into the HIPAA fold, the fact that data breaches really do have the potential to harm patients, etc. – but the above two were the main drivers.

    If an official federal breach notification law is proposed, chances are it will take and apply these lessons learned, meaning that carrots as well as sticks will be offered.  This is a big change from the various state laws that are in place, where some are aggressive (like Nevada and Massachusetts, as well as Texas) and others are not.

    The One Thing I Took Exception To

    There is one thing that took me aback while watching AG Holder's message.  On the issue of data breaches, the AG noted that "they have the potential to impact millions of Americans every year."

    The US Attorney General is a busy man, so I don't doubt that certain things will escape his notice, but I'm pretty sure he must know that the word "potential" in his statement is not only superfluous but misleading.  Millions of Americans are already being impacted each year by data breaches, and have been for quite some time.

    Related Articles and Sites:
    http://www.nacsonline.com/News/Daily/Pages/ND0303142.aspx
    http://www.justice.gov/agwa.php