AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.
HIPAA Mobile Encryption: OCR Director Says Encryption Is Your Best Defense

Looking over my newsfeed, I see that many healthcare-focused sites have been proclaiming that the Feds are getting serious over missing laptops and pushing the story on the importance of HIPAA laptop encryption.  Earlier this month, the Health and Human Services Department's Office for Civil Rights (OCR) announced million-dollar settlements with Concentra Health Services and QCA Health Plan.

The former settled for approximately $1.7 million, while QCA agreed to a $250,000 settlement.  The latter's settlement pales in comparison to Concentra's (or to the other two big HIPAA settlements this month, New York Presbyterian Hospital and Columbia University Medical Center: $3.3 million and $1.5 million, respectively).

Indeed, on the surface of it, the latter's penalty is confusing because QCA appears to have been more negligent.

Fines Up to $1.5 Million

You may have noticed that Concentra's fine goes over the $1.5 million so-called "monetary penalty cap" under HIPAA.  This is not the first time something like this has happened.  NY Presbyterian, as I noted above, paid $3.3 million for its data breach and Cignet Health in Maryland was fined $4.3 million.  The unexpectedly high dollar figures are easily explained.  The cap is "per incident."  If Concentra had engaged in multiple HIPAA violations, then the sum of the penalties associated with these violations is not limited to just $1.5 million, although that is the limit for each HIPAA violation (not to be confused with each data breach).

OCR deputy director of health information privacy, Susan McAndrew, had this to say regarding the Concentra and QCA settlements: "Our message to [HIPAA covered entities] is simple: Encryption is your best defense against these incidents."

But there may be more that the OCR wants to tell us.

Laptop Theft in Car < Laptop Theft in Premises?

Another thing that should attract your attention is the location where the respective data breaches took place.  QCA's unencrypted laptop was stolen from an employee's car, a classic no-no.  Concentra's unencrypted laptop was stolen from one of its facilities.

This could be a warning to covered entities that falsely assume they can skimp on encryption (among other things, such as properly documenting everything) if data is not expected to be taken outside their security perimeter.

Related Articles and Sites:
http://www.nixonpeabody.com/files/168808_HIPAA_Alert_24APR2014.pdf


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.