AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

HIPAA Encryption: Anthem Didn't Encrypt Data Stolen In Massive Hack

An article on wsj.com points out that Anthem Inc., the health insurer that recently announced a massive data breach potentially affecting 80 million people, did not use health data encryption to secure the data that was stolen. It also points out that applying encryption can be a "balancing act between protecting the information and making it useful."

80 Million People Affected

The details of the breach are as follows: Anthem Inc., which in years past was also known as Wellpoint, found last week that hackers – potentially backed by the Chinese government – broke into the health insurer's online database. The extent of the damage is as yet unknown, although the company has admitted that all of its business units have been affected. The company boasts 80 million members.

The stolen information includes addresses, phone numbers, names, dates of birth, and Social Security numbers. Financial information such as credit card numbers was spared. It is pointed out that this could be "the largest computer data breach disclosed by a health-care company," meaning that it will also be the largest breach listed on the HIPAA "Wall of Shame." Currently, the top spot is held by Science Applications International Corporation (SAIC), thanks to the 4.9 million military members who were affected when it experienced its own massive data breach in 2011.

It looks like Anthem will blow SAIC out of the water. Interestingly enough, the company has already had a run-in with the HHS over HIPAA data security violations: in July 2013, it settled with the HHS for $1.7 million when it was still known as Wellpoint (well, technically Anthem and Wellpoint merged).

Slowly Tilting Toward Encryption

There's a reason why HHS does not require the use of encryption anywhere and everywhere sensitive personal data is stored: sometimes, it just might not be possible.  Consider, for example, an MRI machine.  The gigantic magnetic cocoon is only part of the machine; a computer that collects and processes the data is another part.  Whether this computer can be encrypted is not really up to individual hospitals and clinics, but to the manufacturers.  Likewise, there are myriad reasons why a particular database is not encryptable (although, in this day and age, the odds of that reason being a technical one would be remote).

However, it seems that HIPAA covered entities will have to bite the bullet and find ways to ensure that all of their patient data are encrypted. Forking over $1 million or more on a periodic basis, inviting the wrath of clients (and their lawsuits), having HHS/OCR oversee their operations for months on end after an incident, dealing with the consequences for years (the breach that resulted in the Wellpoint settlement of 2013 goes back to June 2010), etc.: none of that is worth whatever trouble is saved by not using encryption, or by not making it a point to choose hardware that can be properly protected.

Related Articles and Sites:
http://www.wsj.com/articles/investigators-eye-china-in-anthem-hack-1423167560

 

 
About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.