One advantage of using encryption software, if you're in the healthcare field, is that the loss of cryptographically secured sensitive data is exempt from HIPAA/HITECH's Breach Notification Rules. If the data is not encrypted, you must notify the HHS's Office for Civil Rights within 60 business days of discovering the data breach. However, there is one caveat: if fewer than 500 people are affected by the data breach, it is not necessary to do so.
This is not to say that HIPAA covered entities don't need to report such data breaches. Rather, they don't need to report the breaches within the specified 60 business days. Instead, covered entities are supposed to keep a log of all incidents affecting fewer than 500 patients and send one package at the end of the year. This, among other things, is meant to keep the HHS/OCR from being inundated by too many incidents, and allow them to focus on those issues that require "immediate" attention. And past government reports justify the approach: while the "Wall of Shame" at the HHS/OCR website lists a little over 1,000 breaches where more than 500 people were affected since it began tracking them in 2009, reports show that tens of thousands of covered entities have sent in breach reports in the same period if you include breaches involving fewer people.
So, by when does one need to notify the HHS/OCR about incidents involving the PHI of fewer than 500 people? By the end of the second month of the following year. Weird, right? An example illustrates what that means: if you had a data breach involving fewer than 500 people at any time in 2014, you need to notify OCR by the end of February 2015. In other words, before February of the following year is over.
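To make the timing rules concrete, here is a small deadline calculator written for this post (an added example, not code from the original post or from AlertBoot). It models the rules exactly as the post describes them: encrypted data gets safe harbor, 500 or more affected means 60 business days from discovery, and fewer than 500 means the incident goes into the annual log due at the end of February of the following year. Weekends are skipped when counting business days; federal holidays are not modelled, and the function names and the sample incidents are my own constructions.

```python
from datetime import date, timedelta

# Thresholds as the post states them (assumption: modelled from the post's
# description, not from the regulation text; holidays are not modelled).
LARGE_BREACH_THRESHOLD = 500
LARGE_BREACH_WINDOW_BUSINESS_DAYS = 60


def add_business_days(start: date, n: int) -> date:
    """Advance `start` by n business days, skipping Saturdays and Sundays."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday (0) .. Friday (4)
            n -= 1
    return d


def end_of_february(year: int) -> date:
    """Last day of February; March 1 minus one day handles leap years."""
    return date(year, 3, 1) - timedelta(days=1)


def notification_deadline(discovered: date, affected: int, encrypted: bool):
    """Return (must_notify, deadline) for a lost or stolen set of PHI records.

    Rules as described in the post:
    - encrypted data: safe harbor, no notification to HHS/OCR;
    - 500 or more affected: notify within 60 business days of discovery;
    - fewer than 500: keep a log and report by the end of February of the
      following year.
    """
    if encrypted:
        return False, None
    if affected >= LARGE_BREACH_THRESHOLD:
        return True, add_business_days(discovered, LARGE_BREACH_WINDOW_BUSINESS_DAYS)
    return True, end_of_february(discovered.year + 1)


def deadline_iso(discovered_iso: str, affected: int, encrypted: bool):
    """String wrapper: ISO date in, ISO deadline out (None means safe harbor)."""
    must, deadline = notification_deadline(date.fromisoformat(discovered_iso), affected, encrypted)
    return deadline.isoformat() if must else None


def annual_log(incidents):
    """Group the small (<500), unencrypted incidents into yearly packages.

    `incidents` is an iterable of (discovered_iso, affected, encrypted) tuples.
    Returns {report_due_iso: [(discovered_iso, affected), ...]} so each year's
    log can be sent as one submission.
    """
    packages = {}
    for discovered_iso, affected, encrypted in incidents:
        deadline = deadline_iso(discovered_iso, affected, encrypted)
        if deadline is not None and affected < LARGE_BREACH_THRESHOLD:
            packages.setdefault(deadline, []).append((discovered_iso, affected))
    return packages


if __name__ == "__main__":
    # Constructed sample incidents for a small covered entity
    log = [
        ("2014-03-04", 120, False),  # small, unencrypted -> 2015-02-28 package
        ("2014-11-20", 40, False),   # same package
        ("2014-07-01", 30, True),    # encrypted -> safe harbor, not logged
        ("2015-01-09", 7, False),    # next year's package -> 2016-02-29
    ]
    for due, items in sorted(annual_log(log).items()):
        print(due, items)
    print(deadline_iso("2014-01-01", 2500, False))  # large breach: 60 business days
```

Note that the large-breach case lands on a different calendar date depending on the weekday of discovery, which is exactly why an incident log should record the discovery date and not just the month.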
There are brazen thieves and then there is this guy: video footage from a security camera obtained by krgv.com shows a middle-aged man leisurely strolling back to his stolen truck with a stolen computer under his arm. It's because of instances like these that the use of HIPAA-grade disk encryption like AlertBoot's managed encryption services are strongly encouraged by the Department of Health and Human Services.
Sunglo Home Health Services, in Harlingen, Texas, has gone public with a data breach. According to news reports, a burglar stole a van from the organization in the morning. Later that night, the man drove back to the scene of the crime and stole what appears to be a desktop computer. Apparently, this man knew what he was doing, because the surveillance footage doesn't show him hurrying at all. He unhurriedly gets out of the van, slowly walks in the direction of the offices, and is later shown walking back to the van with a computer monitor (or possibly one of those all-in-one computers). He doesn't throw his ill-gotten gains into the vehicle and peel off. Oh, no. He has the gait of a person who's supposed to be there. Nothing to watch here, folks. Just moving a computer in the middle of the night.
Sunglo has notified thousands of patients that they are at risk. Considering the circumstances – admitting to a breach would put Sunglo in trouble with the federal and local governments, not to mention their own clients (which, admittedly, is not Sunglo's fault. Let's not blame the victim here) – it looks like the stolen computer did not use data encryption: HIPAA/HITECH provides safe harbor if encrypted patient data is lost or stolen. Furthermore, the state of Texas also provides safe harbor in those instances where encrypted sensitive data is lost or stolen. Plus, let's not forget that the US is known as a lawsuit-happy place for a reason. In other words, there is a lot of motivation to take advantage of any existing safe harbor provisions. That Sunglo has not strongly indicates that they couldn't, not that they wouldn't.
This is not to say that Sunglo didn't have any data security provisions in place. According to the krgv.com report, their IT director is continuously checking to see if the computer comes online. In other words, they have some kind of internet-based tracking application installed on the stolen computer. And that is great and all, but it doesn't do as much as other security tools could. Online tracking may eventually lead to the thief – if one's lucky. But it cannot stop the thief from accessing the computer, copying the data, and uploading it to a hacker board before the cops show up. And even if the computer is retrieved, the incident counts as a data breach – so, again, the advantages of using a proactive data security system like encryption are easily confirmed.
(Update Jan 23: Apparently, the DOJ has proposed changes so that publishing weak password lists will become a felony.)
At either the start or end of the year, a security company somewhere in the intertubes can be found publishing a list of the top "most popular" passwords (usually the top ten). These lists, compiled by culling the passwords from multiple data breaches, tend to also be a list of the weakest passwords. Why the weakest? Because the top ten passwords are the most often used ones; this in turn means that hackers looking to break into accounts will try these passwords first before any others. It's the law of large numbers in action: if the top ten passwords comprise, say, 5% of all passwords used by a (statistical) population, chances are that 1 in 20 of the accounts you try to break into will use one of those ten passwords. There's a slight problem with these lists, though. They aren't the top ten passwords for this year (that is, 2014 per this post) even if the article claims that they are. Heck, chances are that they're not the top ten passwords for 2013. The passwords that were used to compile these lists are, for lack of a better word, dated.
Storage for digital data is cheap: the price decrease for data storage, on a per byte basis, has paralleled Moore's Law. The beneficiaries of this downward price pressure, among others, have been the many Silicon Valley startups-turned-behemoths: they collect, store, and process data (with most looking to serve you personalized ads). The foundation of their billions in market capitalization and revenue rests on cheap storage. And while storage is cheap, going through data and deleting what's not needed anymore? When factoring in the human element, not so cheap. Consequently – and, although legal reasons factor into this as well – most companies have an unofficial policy where nothing ever really gets deleted, including passwords.
Of course, this is not to imply that companies keep your passwords for the sake of keeping your passwords. Rather, it's a collateral effect. For example, if a company like Google makes it a point to not delete email accounts that haven't been accessed in more than 5 years (which is a pretty strong indication that these accounts have been abandoned), the passwords will remain in place. Passwords that are 5 years old, at least. This is true for lesser-known companies, too. What this means is that, if a company were to experience a data breach and a massive cache of passwords were stolen, chances are that it's chock full of old passwords. So, the oft-quoted passwords like "password123" and "trustno1" may actually not be part of the top passwords. Indeed, trustno1 – which has been showing up on password lists since around the late 1990s, thanks to the popularity of the TV series "The X-Files" – seems particularly like an anachronism, and emblematic of the "hacked database contains a lot of abandoned accounts and their passwords" situation I'm describing. The show has been off the air since 2002, after all.
The problem of excluding old, unused, and invalid passwords from top ten lists cannot be easily resolved: most researchers compiling such data work with leaked data, which tends to consist of (1) an email address and (2) a password (hashed or plaintext). I don't think I've ever run across a case where "created" and "password last changed" dates are also offered. And you can't really ask people for their passwords.
There is also reason to believe that the situation is not as dire as these lists make it out to be. Sure, "password123" is a terrible password. But that's not really the point. The real question people should be asking is "where are these passwords used?" If "password123" is a top ten password used by people to access their work emails, that's probably problematic; if it's used to leave snarky comments on a celebrity gossip site, not so much.
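Whatever their vintage, the practical use of these lists on the defending side is as a blocklist at password-set time: if a guesser will try the top entries first, a registration form should refuse them. The following is an added example written for this post (not code from the original post or from AlertBoot) of such a check. It normalizes the usual mangling people apply to a base word ("Password123!", "P@ssw0rd") before comparing, and measures the fraction of a constructed sample that the list would catch, which is the "1 in 20" figure above turned into a measurement. The blocklist here is a constructed handful of entries the post mentions; a real deployment would load a much larger and more recent list.

```python
import re

# Constructed blocklist standing in for a real top-N list (assumption: a real
# deployment loads a large, recent list from a file or a breach-corpus service).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "trustno1", "letmein", "abc123"}

# Common letter-for-symbol substitutions, undone before comparison.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e"})


def normalize(password: str) -> str:
    """Collapse common mangling so 'Password123!' is compared against 'password'.

    Steps: lowercase, strip trailing digits/punctuation, undo leet substitutions.
    """
    p = password.lower()
    p = re.sub(r"[\d\W_]+$", "", p)   # drop suffixes such as "123" or "!"
    return p.translate(_LEET)


def is_blocklisted(password: str, blocklist=COMMON_PASSWORDS) -> bool:
    """True if the password, raw or normalized, appears on the blocklist."""
    return password.lower() in blocklist or normalize(password) in blocklist


def hit_rate(passwords, blocklist=COMMON_PASSWORDS) -> float:
    """Fraction of a sample that a guesser armed with `blocklist` would hit."""
    if not passwords:
        return 0.0
    return sum(is_blocklisted(p, blocklist) for p in passwords) / len(passwords)


if __name__ == "__main__":
    # Constructed sample of user-chosen passwords (not real data)
    sample = ["Password1", "qwerty", "xk9#Lm2q", "zebra-flute", "P@ssw0rd", "trustno1"]
    for pw in sample:
        print(f"{pw!r:16} blocklisted={is_blocklisted(pw)}")
    print("hit rate:", hit_rate(sample))
```

The normalization step matters more than the list itself: a check that only compares exact strings is defeated by appending a "1", which is precisely what users do when a site rejects their first choice.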
New York Attorney General Eric T. Schneiderman announced last week that he will be pursuing updates to the state's data security laws. Among the proposals are changes to the legal definition of "personal information"; introducing safe harbor for companies that meet security standards; and encouraging the sharing of forensic data. It sounds as if security software like AlertBoot's cloud-managed laptop encryption services will be even more important in the future.
When I started to look into the new proposal, I specifically looked for language on whether the use of encryption software would provide safe harbor to organizations experiencing a data breach. Going as far back as 2003, when California became the first state to enforce a breach notification law, the use of encryption provided companies with protection if they lost a laptop or had their computers stolen during a break-in. New York did not provide such safe harbor as of 2007. At least, not that I can recall. I remember thinking it was odd, seeing how the finance sector in the so-called "finance capital of the world" has been making use of computer encryption since at least the mid 1990s. Its constituents would have appreciated the immunity without a doubt. I found out, however, that the use of encryption as safe harbor was already on the books:
§ 208. Notification; person without valid authorization has acquired private information. 1. As used in this section, the following terms shall have the following meanings: (a) "Private information" shall mean personal information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted or encrypted with an encryption key that has also been acquired:
Not only is it on the books, it's actually a good one. One of the earliest criticisms regarding encryption as safe harbor was that provisions were lacking for instances where the encryption key or password was compromised. Obviously, the use of encryption doesn't provide any security under such a scenario, and the laws ought to reflect that (as is the case for New York). The new proposals look to build on this, apparently. Using "reasonable" security measures (administrative, technical, and physical safeguards) will be required.
In addition to passing legal requirements, organizations will be incentivized to implement data security solutions. It looks to be a little complicated, though:
…. offer a safe harbor if a company adopts a heightened form of security. To comply… the entity would be required to attain a certification and, upon doing so, would be granted the benefit of a safe harbor that could include an elimination of liability altogether.
Last but not least, the law would provide incentives so that organizations affected by a data breach will go to the authorities, as opposed to keeping a lid on the situation. It is quite the perceptive rule, that one.
Related Articles and Sites: http://www.ag.ny.gov/press-release/ag-schneiderman-proposes-bill-strengthen-data-security-laws-protect-consumers-growing
A data breach can be a devastating experience. Even more so if the breach involves a particular profession where privacy, anonymity, and secrecy happen to be paramount. That's why a medical data breach hits people more closely than a retailer's data breach. And why a data breach involving the legal profession seems even more alarming. And yet, the use of disk encryption on lawyers' laptops is not a requirement. Which means news like the following can be expected for the foreseeable future.
According to databreaches.net, the law offices of David A. Krausz in San Francisco, CA experienced the theft of a laptop computer that contained sensitive data, including personal information. California, being the bellwether when it comes to data breach notifications and other personal data security issues, requires breached entities to get in touch with affected people, as well as the California State Attorney General. That is, only if the data was not protected with encryption software. If the data had been protected by the likes of AlertBoot's managed disk encryption solutions, a notification letter (to the potential victims or the AG) would not be necessary, as the law provides safe harbor. The theft took place on January 6, 2015 – possibly making it the very first reported data breach in California for the new year – and notification letters appear to have been sent on the 12th. That's actually a very fast response, and Krausz should be complimented on their alacrity. On the other hand, there's much to be desired about the circumstances relating to the breach itself. As databreaches.net points out, where did it occur? Was the laptop stolen from someone's car? (If so, Krausz is in good company. Laptops left in vehicles are probably one of the leading causes of laptop thefts.) Was it stolen from their offices? If so, perhaps we can give Krausz a little leeway (but not too much).
Why not too much? Because it is claimed that they "take [their] obligation to serve [their] current and former clients very seriously and [they] are committed to protecting your privacy at the highest level possible." The highest level possible, it seems to me, would involve using encryption software or other technological precautions. Of course, lacking particular details, it could very well be that they do, but this particular laptop was missed in the effort. And we cannot rule out the possibility that Krausz is sending notifications despite having used encryption to protect its clients' data. But this seems a tad improbable. What lawyer would invite the potential for lawsuits? Because that's what generally happens when you notify someone that you have lost their sensitive data: lawsuits are filed. At the end of the day, though, it feels like either their regulatory body or the laws are to blame. It's not a secret that, when given a choice, people tend to lean towards not securing sensitive data. Perhaps people feel secure. Or perhaps they don't think it will happen to them. Or perhaps they think that the investment won't be worth it – better to deal with the breach if it comes. But make it a requirement, like New Jersey recently did for health insurance providers, or like HHS/OCR does for any entities that are covered by HIPAA/HITECH, and the story changes. Perhaps President Obama's recent proposal for a national data breach notification law will prompt some changes.
The new year brings us surprises. According to nj.com, New Jersey governor Chris Christie has signed into law a requirement that health insurance companies encrypt client information. As nj.com points out, The Garden State has been witness to a couple of massive data breaches in the past couple of years – incidents that could have been prevented with the appropriate use of cryptographic solutions like AlertBoot managed disk encryption for laptops and desktops.
The bill that was signed into law carries a number of definitions, of which I'll point out two:
Computerized record means any record, recorded or preserved on any computer, computer equipment, computer network, computer program, computer software, or computer system.
The word "record" is not defined, but it's obviously a reference to things like personal information:
Personal information means an individual's first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver's license number or State identification card number; (3) address; or (4) identifiable health information. Dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data
And, finally, a definition of what comprises an end user computer system:
End user computer system means any computer system that is designed to allow end users to access computerized information, computer software, computer programs, or computer networks. End user computer system includes, but is not limited to, desktop computers, laptop computers, tablets or other mobile devices, or removable media
The inclusion of desktops is unusual. Of course, the definition is also very conventional and straightforward, if you will. After all, desktop computers are end user computer systems. But its inclusion means that many, if not all, health insurance companies in New Jersey will have to force their IT departments into a flurry of activity, as we shall see shortly.
According to the bill's language, a health insurance provider:
shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person. Compliance with this section shall require more than the use of a password protection computer program, if that program only prevents general unauthorized access to the personal information, but does not render the information itself unreadable, undecipherable, or otherwise unusable by an unauthorized person operating, altering, deleting, or bypassing the password protection computer program
and
This section shall only apply to end user computer systems and computerized records transmitted across public networks
Props to this law for indirectly educating people that there is a difference between encryption and password protection! And for other things as well. As we've seen from the previous section, "end user computer system" includes desktops, laptops, tablets, smartphones, USB drives, and other devices. Combine it with the above and it leads to only one conclusion: health insurance companies will have to encrypt any of the aforementioned devices if these store personal information. This is huge news because, in my personal experience, rarely does a company decide to encrypt its desktop computers. Reasons are myriad, but basically it comes down to the belief that desktops are not burglary targets. This belief is, of course, wrong. As a guy whose newsfeed is geared towards collecting stories of data breaches, I can tell you that desktop computer thefts happen more often than anyone is willing to believe. And, when they happen, they tend to involve more than a handful of them. It's like nobody has placed any thought on securing desktop computers, so once the thieves can get to one desktop, they can steal as many as they can lay their hands on.
The above law also places companies that allow the use of smartphones in an awkward spot. If the company issues smartphones and tablets to their workers, it's not a problem. However, if they allow BYOD programs, then companies will have to find a way to ensure that employee devices are properly secured.
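Two points from the statutes quoted in this series are easy to get wrong in an inventory review: New Jersey's definitions (name plus one data element makes "personal information"; desktops and removable media are end user systems; a login password alone is not encryption), and New York's § 208 caveat that encryption only keeps data out of the "private information" bucket while the key has not also been acquired. The following is an added example written for this post (not code from the original post, from AlertBoot, or from either state) that audits a constructed device inventory against those two tests. The field names, the device kinds, the `Device` class and the sample inventory are my own assumptions; the rules are taken from the quoted text above.

```python
from dataclasses import dataclass

# Data elements from the quoted NJ definition; the field labels are assumptions.
NJ_DATA_ELEMENTS = {"ssn", "drivers_license", "state_id", "address", "health_info"}
# Device kinds the quoted NJ definition lists as "end user computer systems".
END_USER_KINDS = {"desktop", "laptop", "tablet", "phone", "removable_media"}


def is_nj_personal_information(fields: set) -> bool:
    """NJ: first name or first initial plus last name, linked with any one data element."""
    has_name = "last_name" in fields and bool({"first_name", "first_initial"} & fields)
    return has_name and bool(NJ_DATA_ELEMENTS & fields)


@dataclass
class Device:
    name: str
    kind: str
    fields: set          # data fields stored on the device
    encrypted: bool      # data at rest rendered unreadable (e.g. full-disk encryption)
    password_only: bool  # OS/application login only, no encryption at rest


def nj_in_scope(device: Device) -> bool:
    """The quoted section applies to end user systems that hold personal information."""
    return device.kind in END_USER_KINDS and is_nj_personal_information(device.fields)


def nj_compliant(device: Device) -> bool:
    """NJ: in-scope devices must be encrypted; password protection alone does not count."""
    if not nj_in_scope(device):
        return True
    return device.encrypted  # password_only devices fall through as non-compliant


def ny_safe_harbor(device: Device, key_acquired: bool) -> bool:
    """NY § 208: data is outside 'private information' only if it is encrypted
    and the encryption key has NOT also been acquired."""
    return device.encrypted and not key_acquired


def audit(inventory) -> list:
    """Names of devices that fail the NJ encryption requirement."""
    return [d.name for d in inventory if not nj_compliant(d)]


# Constructed sample inventory for a hypothetical NJ health insurer.
SAMPLE_INVENTORY = [
    Device("front-desk desktop", "desktop", {"first_name", "last_name", "ssn"}, False, True),
    Device("nurse laptop", "laptop", {"first_name", "last_name", "health_info"}, True, False),
    Device("backup usb", "removable_media", {"last_name", "address"}, False, False),  # no first name
    Device("claims server", "server", {"first_initial", "last_name", "ssn"}, False, True),  # not end user
    Device("byod phone", "phone", {"first_name", "last_name", "health_info"}, False, True),
]

if __name__ == "__main__":
    print("NJ non-compliant:", audit(SAMPLE_INVENTORY))
    laptop = SAMPLE_INVENTORY[1]
    print("NY safe harbor, key intact:", ny_safe_harbor(laptop, key_acquired=False))
    print("NY safe harbor, key also stolen:", ny_safe_harbor(laptop, key_acquired=True))
```

The "claims server" entry is deliberately out of scope of the quoted NJ section (it is not an end user computer system), which is not the same as saying it needs no protection; an inventory script should flag such gaps separately rather than silently pass them.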