I find it fascinating that two different companies can have such disparate reactions to a PHI data breach that occurred under similar conditions. Consider two entries at phiprivacy.net, where computers were stolen, triggering a HIPAA breach (obviously, the use of managed HIPAA encryption software like AlertBoot was neglected; otherwise, there wouldn't be a HIPAA breach).

Self Regional Healthcare and Haley Chiropractic of Tacoma reported data breaches where laptops were stolen during a burglary of office premises. Haley Chiropractic announced that 6,000 patients were affected, that three computers were stolen, and that it doesn't "believe there is a high risk of misuse of the information." How can Haley Chiropractic substantiate that conclusion? They can't. They have absolutely no data.

Self Regional Healthcare, on the other hand, reported that one laptop was stolen, that reportedly fewer than 500 people were affected, and that it "must assume there is a possibility that someone may have accessed certain patients' protected health information," despite the fact that the thieves were apprehended and "claimed never to have accessed the laptop."
You know how you know there is a low risk of data being accessed on a stolen computer? If you used encryption software to protect the data. Otherwise, making such a claim should be illegal, because it only serves to confuse people. You could say it confuses the most vulnerable people, since skeptical people would ignore such a blatantly self-serving statement and do what it takes to ensure they're protected.

While I'm not sure what Haley Chiropractic is doing to prevent future recurrences, it turns out that Self Regional Healthcare has deployed encryption on laptops since the incident. That's not surprising when you consider how they reacted to their data breach.
When it comes to data breaches and the legislation governing them, you can divide the laws into two camps: the ones where a monetary penalty can be assessed and the ones where it can't. The use of data security software like AlertBoot managed disk encryption for laptops can provide safe harbor from such fines, which many view as a positive exemption in a well-designed legal policy – that is, it encourages a good data security practice. However, there are many who wonder whether financial incentives are the correct approach to stemming the growing tide of data breaches.

Wouldn't it be better if the money were used for IT upgrades, employee education programs, hiring outside experts, etc. – as opposed to filling the coffers of government agencies?

An outside survey commissioned by the Information Commissioner's Office (ICO) in the UK seems to suggest that the answer is "no." Nothing attracts more attention to the issue or prods people to clean up their act than the transfer of dollars (or pounds sterling, as it were).
The survey, commissioned by the ICO and carried out by SPA Future Thinking, involved a total of 99 organizations: 14 that received a Civil Monetary Penalty (CMP) notice and 85 online survey takers who decided to participate.

The ensuing report is quite long (60 pages) but organized like a PowerPoint presentation, so reading it is less arduous than you may believe.

Ultimately, this is the point and conclusion of the report: the CMPs work as designed. They spur affected organizations to increase awareness of the importance (and duty) they have when it comes to protecting personal data, up and down the entire organizational hierarchy. Furthermore, other organizations in the same or similar sectors are also provoked to upgrade their security, because of fears that they, too, could be on the wrong end of an ICO monetary penalty notice. (Apparently, it's not uncommon knowledge that anyone can be the victim of a data breach.)

One of the most notable results of a CMP is that there is more "buy-in" for data protection from senior management after the fine. (And after the breach itself, some argue. But, honestly, the latter claim requires a comparison with companies that had a data breach but weren't issued a CMP, and those were not part of the survey.)

There are also claims that the reputational hit an organization took had more of an impact on effecting changes than the financial penalty. This is contradicted, however, by overwhelming admissions that the reputational hit was either short-lived or nearly non-existent. In addition, I note that nobody – absolutely nobody – appears to have complained about their reputation being sullied, but a significant majority had some choice words about the fines.

Overall, the report is a pretty interesting read, but nothing about it appears to be earth-shattering.
This report is the only one of its kind, as far as I know: reports that try to show the effects of HIPAA fines, FINRA fines, state fines and settlements (e.g., the Massachusetts AG has extracted "financial concessions" from a number of companies), and other penalties similar to the ICO's CMP are non-existent. However, I feel that if any reports I missed were to come to my attention, they'd show the same conclusion.

At AlertBoot, we've personally found that HIPAA's Final Omnibus Rule appears to have had a significant impact on covered entities and business associates. We've seen growing adoption of full disk encryption, as well as an increase in inquiries beginning around this time last year, which was approximately 60 days prior to the Final Rule taking effect. Adoption is still strong, and we've seen a further boost due to TrueCrypt's recent troubles.

With such results, it's hard to argue against monetary penalties. When stern warnings and carrots don't work, it's time to start carrying a large stick and speaking softly.
Do you like to gamble? If you’re hitting the local casino for a fun night out, more power to you. But if you’re gambling with your clients’ information, you’re bound to lose. Many people think breaches and security issues only affect giants like Target. The truth is that your business could be just as vulnerable if you don’t take the necessary precautions. Whether your company consists of five employees or 5,000, security should be built in from the start. In this article, Tim Maliyil explains why small businesses need to ensure their data is protected and the steps they can take to secure it.
Women & Infants Hospital of Rhode Island has settled with the Massachusetts Attorney General's office over a 2012 data breach that ended up affecting more than 12,000 people in Massachusetts. The hospital has agreed to pay $150,000 – $110,000 in civil penalties, $25,000 for attorney's fees, and $15,000 to a fund – and agreed to prevent future data breaches, according to narragansett.patch.com. This is the type of risk a HIPAA covered entity is setting themselves up for if they do not use HIPAA compatible encryption to protect their PHI.
In April 2012, Women & Infants Hospital came to the unmistakable conclusion that they were missing backup tapes used to store names, SSNs, ultrasound images, and other data classified as protected health information (PHI) under HIPAA. The tapes were meant to be sent off-site and then transferred to a "new picture archiving and communications system." Instead, they went missing.

In addition, the hospital discovered the breach in April 2012 but didn't notify the Massachusetts AG's office until the fall of 2012. Because HIPAA requires notification within 60 calendar days of discovering the breach, Women & Infants Hospital ended up breaking another HIPAA rule.
It is commonly known that the use of encryption software provides safe harbor from HIPAA requirements like the above, protects PHI, and counts towards state and other federal data protection requirements.

And yet, many covered entities are still delaying the deployment of data protection tools, or looking for excuses not to deploy them at all. The reasons are myriad, ranging from cost to the complexity of implementing them.

However, it's becoming clear as time goes by that the costs of not encrypting PHI can be much higher – although they arrive at a later date – and that there is more complexity involved when encryption is not employed (inventorying hardware may be simpler than encrypting it, but it's certainly not easier).
Here is another incident that shows the importance of using HIPAA encryption software on desktop computers. In addition, it shows why full disk encryption is preferable to file encryption.
Bay Area Pain Medical Associates, according to phiprivacy.net, has notified patients that three desktop computers with patient data were stolen in May of this year. Because HIPAA/HITECH provides safe harbor from the Breach Notification Rule for any PHI (protected health information) that is guarded with encryption software, one can assume that the information was not properly protected.

The assumption in this case would be partially wrong.

According to the notification letter Bay Area Pain Medical Associates is sending out, "all medical records were encrypted and inaccessible, [however] we believe one Excel spreadsheet containing approximately 2,780 patient names" was not.

What we can tell from this admission is that full disk encryption was not used, as this particular encryption technology protects a computer's entire hard drive (the hardware where data is stored for the long term). Chances are, file encryption was used to protect individual files (or possibly folder encryption, where a select folder or folders are encrypted, along with anything that is placed inside them).
Does this mean that disk encryption is superior to file encryption or folder encryption?

Not quite.

They have different uses. If you're looking to protect your files from being stolen wholesale (i.e., a stolen computer triggers a HIPAA breach), then disk encryption is a no-brainer. However, disk encryption cannot prevent other types of HIPAA breaches. For example, if a file has to be sent via email, disk encryption cannot help – the correct tool would be file encryption.

Just like a chef has a number of different knives that essentially do the same thing (cut stuff), there are different encryption tools that are made for a particular purpose. The correct approach to data security is to use each as needed.
Penn Medicine Rittenhouse has contacted approximately 600 people, alerting them to a data breach. It's one of those instances where advanced IT couldn't really have helped (paper documents were stolen), but it does raise the following question: are we really to believe that laptop thefts from medical establishments are for the hardware and not for the patient data contained within?
Someone broke into Penn Medicine Rittenhouse's premises last month and stole receipts that contained information on patients. Thankfully, the information found on these receipts was truncated (and, especially important, sensitive information wasn't on them at all). According to philly.com:

"The receipts did not include social security numbers, diagnoses, insurance numbers or full credit card numbers. They did show varying information, including combinations of patient name, date of birth and the last four digits of credit card numbers."

Of course, names and dates of birth can be used to perpetrate fraud as well; however, a bit more effort is required to do so, and chances are that holding only basic information will lead criminals to seek other victims whose sensitive information is easily accessible. Possibly, this is what the particular thief who burgled Penn Medicine Rittenhouse decided as well. Hence the discarded receipts on hospital grounds: once he saw that easily monetized information (such as SSNs) was missing, he just dumped the whole batch.
Perhaps it's not surprising that such data breaches, where paper documents are stolen, are increasing. After all, we're living in the Information Age, and turning data into cash – regardless of what form that data takes – has been a viable business for a while. (Perhaps a reason that should be factored into its growth is that securing paper documents remains in the information Dark Ages – we still use the same technology we used in the 50's and earlier – whereas digital data is becoming easier to secure at a fraction of the complexity and price. Also, a lot more focus is spent on protecting digital data, meaning physical data is falling by the wayside.)

Consider, too, that so-called "insider attacks," committed by people who are routinely given access to sensitive data as part of their employment, are also growing as data breach vectors.

Which makes me wonder: what percentage of laptops, and other computer hardware that stores information, are stolen for the information stored on them? When you read of HIPAA data breaches revolving around stolen hardware, the breach notification letter always states something along the lines of "we believe that the theft was motivated by the hardware." That is, the thieves were looking to make a quick buck by reselling the laptop ASAP.

Now, this makes sense if the laptop was stolen from an unmarked car. But what if it was stolen from a clinic or general hospital or other medical facility? Or an ambulance? Or the house of a person who is well known in the neighborhood for being a neurosurgeon? Are we really to believe that obtaining patient information counts for nothing in the theft's motivation?
And so the risk of a patient's data being used for fraud is also very low?

In an era where more and more PHI data breaches are being directly attributed to the theft of patient data, and not to an indirect consequence of some other criminal intent, believing that the theft of a laptop was for the hardware is an untenable position.

Thankfully, updated HIPAA regulations make such beliefs a moot point: under the final rules, HIPAA covered entities are instructed to assume that the loss of a laptop is tantamount to a PHI data breach, unless it can be demonstrated that the risk is low (for example, because laptop encryption was used to secure the endpoint device).