AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

HIPAA Encryption: Latest HHS/OCR Settlement Underscores Follow-through, Patching, & Vigilance

Anchorage Community Mental Health Services (ACMHS) has settled with HHS/OCR over potential violations of HIPAA.  Of course, HIPAA settlements are not interesting in and of themselves, but because of the accusations that led to them.  In this particular instance, it appears that the covered entity was hammered for not updating its software and not keeping an eye on potential data security risks.  The implication for medical disk encryption is that installing cryptographic solutions on laptops and other mobile devices is not the end of a covered entity's encryption operations.

Regularly Update IT Resources

ACMHS's problems started when malware compromised the covered entity's systems in 2011.  Over 2,500 people were affected by the data breach and OCR opened an investigation.  The investigation revealed that:

…ACMHS had adopted sample Security Rule policies and procedures in 2005, but these were not followed. Moreover, the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.

An OCR director had this to say regarding the case:

"Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis…This includes reviewing systems for unpatched vulnerabilities and unsupported software..."

Of course it is common sense to check periodically on how things stand.  With this latest action, however, the implication is that it's more than that: it has veered from being common sense to being a duty.  If I'm reading correctly between the lines, if you're not checking to make sure things are secure, the OCR will go after you.

Which makes sense.  After all, HIPAA requires that covered entities (and business associates) be proactive regarding PHI security.  That's why CEs are supposed to conduct a risk assessment each time risk conditions change.  That's why they dangle safe harbor as a carrot for any laptops that are lost but happen to be protected with strong encryption.  It's why Security Rule policies are supposed to undergo review periodically.

The Disk Encryption Conundrum

When it comes to disk encryption software, most IT departments tend to check on a couple of things, such as (1) whether their machines are, in fact, encrypted and (2) whether there are any machines that are not encrypted but should be (e.g., a comparison between the list of encrypted machines and the machines actually in use).  In keeping with the Security Rule, they may run such an audit periodically.  My guess is that one would be hard-pressed to find a CE's IT department that also keeps up with encryption bugs and other obscure issues.  After all, the average IT department is busy with day-to-day operations; it doesn't have the time to stay on top of issues that rarely pop up.

It doesn't happen often, but encryption software can need fixes, too.  Could this "lack of upkeep" come back to haunt a CE?  I imagine that the answer is "no," but who's to say what's going to happen in the future?  One thing I can foretell is that CEs who've outsourced their disk encryption will be in a better position, because encryption shops stay abreast of such issues.
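The two checks described above (is every machine that should be encrypted actually encrypted, and is anything in use that the encryption console has never seen) plus the follow-through point about the encryption software itself needing fixes can be turned into a single periodic reconciliation. The script below is an added example, not AlertBoot's code or anything from the settlement; the asset inventory, the console export, the field names, the "handles ePHI" policy flag, the 30-day silence threshold and the agent version strings are all constructed for illustration.

```python
"""Reconcile an asset inventory against a disk-encryption status report.

Added example (not AlertBoot's code). Both data sets below are constructed so
the script runs offline; a real run would load the asset inventory and the
export from the encryption management console in place of the inline samples.
"""
from datetime import date, timedelta

# Constructed asset inventory: every machine in use and whether it handles ePHI.
INVENTORY = [
    {"host": "lt-0001", "user": "clinic-intake", "handles_ephi": True},
    {"host": "lt-0002", "user": "billing", "handles_ephi": True},
    {"host": "lt-0003", "user": "front-desk", "handles_ephi": False},
    {"host": "lt-0004", "user": "therapist-a", "handles_ephi": True},
    {"host": "lt-0005", "user": "therapist-b", "handles_ephi": True},
]

# Constructed export from the encryption console: one row per enrolled machine.
# Note that lt-0005 is absent: it is in use but was never enrolled.
ENCRYPTION_REPORT = [
    {"host": "lt-0001", "encrypted": True, "last_seen": "2014-12-10", "agent": "3.2.1"},
    {"host": "lt-0002", "encrypted": False, "last_seen": "2014-12-11", "agent": "3.2.1"},
    {"host": "lt-0003", "encrypted": True, "last_seen": "2014-12-11", "agent": "3.2.1"},
    {"host": "lt-0004", "encrypted": True, "last_seen": "2014-09-01", "agent": "3.0.0"},
]

# Constructed "as of" date for the audit run; use date.today() in practice.
AS_OF = date(2014, 12, 12)


def _version(text):
    """Turn '3.2.1' into (3, 2, 1) so agent versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def reconcile(inventory, report, today, max_silence_days=30, current_agent="3.2.1"):
    """Return the ePHI machines that need attention, grouped by finding.

    never_enrolled: in the inventory but absent from the console (the console
                    cannot report on a machine it does not know about).
    unencrypted:    enrolled, but the console reports the disk is not encrypted.
    stale:          enrolled, but has not checked in for max_silence_days, so
                    the 'encrypted' flag may no longer reflect reality.
    outdated_agent: running an encryption agent older than the current release,
                    i.e. the encryption software itself is missing its fixes.
    """
    by_host = {row["host"]: row for row in report}
    findings = {"never_enrolled": [], "unencrypted": [], "stale": [], "outdated_agent": []}
    for asset in inventory:
        if not asset["handles_ephi"]:
            continue  # example policy: only machines handling ePHI must be encrypted
        host = asset["host"]
        row = by_host.get(host)
        if row is None:
            findings["never_enrolled"].append(host)
            continue
        if not row["encrypted"]:
            findings["unencrypted"].append(host)
        silence = today - date.fromisoformat(row["last_seen"])
        if silence > timedelta(days=max_silence_days):
            findings["stale"].append(host)
        if _version(row["agent"]) < _version(current_agent):
            findings["outdated_agent"].append(host)
    return findings


if __name__ == "__main__":
    for finding, hosts in reconcile(INVENTORY, ENCRYPTION_REPORT, AS_OF).items():
        print(f"{finding:15} {', '.join(hosts) or '-'}")
```

Run against the sample data, the script flags lt-0002 as unencrypted, lt-0005 as never enrolled, and lt-0004 as both stale and running an outdated agent. The "stale" bucket is the one a "list of encrypted machines" check alone misses: a machine that stopped reporting months ago still shows as encrypted in the last export, which is exactly the kind of unverified status the OCR language about assessing risk "on a regular basis" is aimed at.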

Related Articles and Sites:
http://www.phiprivacy.net/hipaa-settlement-underscores-the-vulnerability-of-unpatched-and-unsupported-software/

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.