AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


AlertBoot Endpoint Security

HIPAA Laptop Encryption: Second Coordinated Health Data Breach In 30 Days

Why is PHI encryption recommended by the HHS, Office for Civil Rights, HIPAA experts, and just people in general?  It's because encryption software can act as a safety net for unforeseen data breaches, as the following story shows.

Coordinated Health, a network of hospitals that has seventeen locations all over Pennsylvania, has announced a second data breach in one month.  In the first instance, which was announced towards the end of March 2014, they were victims of an office burglary.  A free pass could be given to Coordinated, though, seeing how "someone pried open a cabinet" to steal money and patient information (although, the latter has to make you think that perhaps petty cash was not at the root of the illegal caper).

However, this second PHI breach won't elicit such sympathy, seeing how an unencrypted laptop computer was stolen from an employee's car, affecting over 700 people.  With so many documented cases of laptops (or any object of value, really) having been stolen from cars, it's a wonder that we're still reading about this data breach vector.

Email Attachment Cause of HIPAA Breach

Actually, perhaps I've misspoken on showing sympathy to Coordinated Health.  If you read the explanation of what occurred, you'll see that the cause of the HIPAA breach is ultimately tied to "an email message with an attached file of 733 patient files." (lehighvalleylive.com).

Assuming there was no other information on the device that would fall under the HIPAA Security Rule, it makes sense that one wouldn't find HIPAA compliant disk encryption software on the laptop: the computer in question was not supposed to hold PHI, so most encryption solutions would have been unnecessary.  Perhaps the use of a VPN would have been warranted if the laptop was serving as an endpoint for connecting to a central server, but the lack of PHI on the device itself means that HIPAA risks were significantly lowered, if not non-existent.  And, at the end of the day, that's what HIPAA is looking for: lowering risks to a manageable level.  It certainly does not require 100% protection of sensitive data.  (It would be impossible to reach the 100% mark, to be honest.)

On the other hand, covered entities face, and have always faced, problems when it comes to controlling employee actions.  Computer usage policies and data security policies are drafted to delineate what is, and what is not, allowed, but people break these policies all the time, often unknowingly, sometimes purposefully.  Knowing this, does it really come as a surprise that an employee's laptop computer contained, surprise!, PHI?

Risk analysis is great and all, but at some point you've got to wake up and smell the coffee: maybe your risk analysis is leaving certain important parameters out.  Laptops that have even the remotest chance of storing PHI should be encrypted.
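To make that last point concrete, here is an added example (not code from the original post or from AlertBoot) of a small endpoint audit: it looks for patient-record-like content that has landed on a laptop, such as an emailed attachment of patient files, and flags any unencrypted laptop that either holds such content or has a path for it to arrive (an email client). The inventory fields, the PHI heuristics and the sample attachment are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Heuristics for patient-record content (assumed, not a HIPAA definition):
# a US SSN pattern, a date of birth and an MRN column are typical of an
# exported patient list like the one described in the story.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "mrn": re.compile(r"\bMRN[:\s-]*\d{6,}\b", re.IGNORECASE),
}

def phi_indicators(text: str) -> dict:
    """Count each PHI-like indicator present in text; empty dict if none."""
    return {name: len(p.findall(text)) for name, p in PHI_PATTERNS.items() if p.search(text)}

@dataclass
class Endpoint:
    host: str
    full_disk_encryption: bool
    has_email_client: bool
    files: dict = field(default_factory=dict)  # path -> file text (assumed pre-extracted)

def needs_encryption(ep: Endpoint) -> list:
    """Reasons an unencrypted endpoint must get full disk encryption; [] if already encrypted."""
    if ep.full_disk_encryption:
        return []
    reasons = []
    for path, text in ep.files.items():
        found = phi_indicators(text)
        if found:
            reasons.append(f"PHI-like content in {path}: {found}")
    if ep.has_email_client:
        # The risk-analysis parameter the post says gets left out: any mailbox
        # can deliver a patient-file attachment, so the laptop "may store PHI".
        reasons.append("email client can deliver PHI attachments")
    return reasons

def audit(endpoints) -> dict:
    """Map host -> reasons for every endpoint that fails the encryption rule."""
    return {ep.host: needs_encryption(ep) for ep in endpoints if needs_encryption(ep)}

# Constructed sample data: one laptop with an emailed patient list saved to disk.
SAMPLE_ATTACHMENT = (
    "name,dob,mrn,ssn\n"
    "Jane Roe,04/12/1971,MRN 00123456,123-45-6789\n"
    "John Doe,11/30/1985,MRN 00987654,987-65-4321\n"
)
ENDPOINTS = [
    Endpoint("lt-billing-01", False, True, {"Downloads/patients.csv": SAMPLE_ATTACHMENT}),
    Endpoint("lt-kiosk-02", False, False, {"notes.txt": "lunch menu"}),
    Endpoint("lt-exec-03", True, True, {}),
]
```

Running `audit(ENDPOINTS)` reports only `lt-billing-01`, with both reasons; the encrypted executive laptop and the mail-less kiosk pass.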

Related Articles and Sites:
http://www.phiprivacy.net/pa-patient-information-may-have-been-on-stolen-coordinated-health-laptop/
http://www.poconorecord.com/apps/pbcs.dll/article?AID=/20140423/NEWS/140429901
http://www.mcall.com/news/local/parkland/mc-coordinated-health-data-breach-20140328,0,4927782.story


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.