Another incident that shows the importance of using HIPAA encryption software on desktop computers. It also shows why full disk encryption is preferable to file encryption.
Bay Area Pain Medical Associates, according to phiprivacy.net, has notified patients that three desktop computers with patient data were stolen in May of this year. Because HIPAA/HITECH provides safe harbor from the Breach Notification Rule for any PHI (protected health information) that is guarded with encryption software, one could assume that the information was not properly protected.

In this case, that assumption would be only partially wrong. According to the notification letter Bay Area Pain Medical Associates is sending out, "all medical records were encrypted and inaccessible, [however] we believe one Excel spreadsheet containing approximately 2,780 patient names" was not.

What we can tell from this admission is that full disk encryption was not used, as that particular encryption technology protects a computer's entire hard drive (the hardware where data is stored for the long term). Chances are, file encryption was used to protect individual files (or possibly folder encryption, where a selected folder or folders are encrypted along with anything placed inside them).
Does this mean that disk encryption is superior to file encryption or folder encryption? Not quite. They have different uses. If you're looking to protect your files from being stolen wholesale (i.e., the scenario where a stolen computer triggers a HIPAA breach), then disk encryption is a no-brainer. However, disk encryption cannot protect a person from instigating other types of HIPAA breaches. For example, if a file has to be sent via email, disk encryption cannot help; the correct tool would be file encryption.

Just as a chef has a number of different knives that essentially do the same thing (cut stuff), there are different encryption tools, each made for a particular purpose. The correct approach to data security is to use each of them as needed.
Penn Medicine Rittenhouse has contacted approximately 600 people, alerting them of a data breach. It's one of those instances where advanced IT couldn't really have helped (paper documents were stolen), but it does raise the following question: are we really to believe that laptop thefts from medical establishments are for the hardware and not for the patient data contained within?
Someone broke into Penn Medicine Rittenhouse's premises last month and stole receipts that contained information on patients. Thankfully, the information found on these receipts was truncated (and, especially important, sensitive information wasn't on them at all). According to philly.com:

"The receipts did not include social security numbers, diagnoses, insurance numbers or full credit card numbers. They did show varying information, including combinations of patient name, date of birth and the last four digits of credit card numbers."

Of course, names and dates of birth can be used to perpetrate fraud as well; however, a bit more effort is required to do so, and chances are that holding only basic information will lead criminals to seek other victims whose sensitive information is more easily accessible. Possibly, this is what the particular thief who burgled Penn Medicine Rittenhouse decided as well. Hence the discarded receipts on hospital grounds: once he saw that easily monetized information (such as SSNs) was missing, he just dumped the whole batch.
Perhaps it's not surprising that such data breaches, where paper documents are stolen, are increasing. After all, we're living in the Information Age, and turning data into cash – regardless of what form that data takes – has been a viable business for a while. (Perhaps one reason that should be factored into this growth is that securing paper documents remains in the information Dark Ages – we still use the same technology we used in the 50's and earlier – whereas digital data is becoming easier to secure at a fraction of the complexity and price. Also, a lot more focus is spent on protecting digital data, meaning physical data is falling by the wayside.)

Consider, too, that so-called "insider attacks," carried out by people who are routinely given access to sensitive data as part of their employment, are also growing as data breach vectors.

Which makes me wonder: what percentage of laptops, and other computer hardware that stores information, are stolen for the information stored in them? When you read of HIPAA data breaches revolving around stolen hardware, the breach notification letter always states something along the lines of "we believe that the theft was motivated by the hardware." That is, the thieves were looking to make a quick buck by reselling the laptop ASAP.

Now, this makes sense if the laptop was stolen from an unmarked car. But what if it was stolen from a clinic or general hospital or other medical facility? Or an ambulance? Or the house of a person who is well-known in the neighborhood for being a neurosurgeon? Are we really to believe that obtaining patient information counts for nothing in the theft's motivation?
And so the risk of a patient's data being used for fraud is also very low? In an era where more and more PHI data breaches are being directly attributed to the theft of patient data, and not to an indirect consequence of some other criminal intent, believing that the theft of a laptop was for the hardware is an untenable position.

Thankfully, updated HIPAA regulations make such beliefs a moot point: under the final rules, HIPAA covered entities are instructed to assume that the loss of a laptop is tantamount to a PHI data breach unless it can be demonstrated that the risk is low (for example, because laptop encryption was used to secure the endpoint device).
Orangeburg-Calhoun Technical College, known as OCtech, has issued a press release alerting students and faculty that a laptop was stolen from the school's premises. They make it a point to note that sensitive data on the laptop was not stored in an "easily recognizable format"; however, it is questionable whether that refers to something akin to managed laptop encryption from AlertBoot.

While encryption software turns information into a format that is not easily recognizable, it's also true that, technically, information that is stored as plaintext (i.e., easily readable by a person) is also stored in a similar manner. After all, how many of us can read a string of ones and zeroes?

So, is this "not easily recognizable format" a reference to encryption or not? I'm guessing not.
In many ways, OCtech can be excused over the data breach. After all, it's not as if the laptop was stolen from an employee's car that was left unlocked, or because somebody mistakenly uploaded the information to an unsecured server. It was the victim of an everyday crime that has proven impossible to uproot since time immemorial.

On the other hand, this one laptop did end up affecting about 20,000 former and current students and faculty members, according to databreaches.net. To make it worse, it turns out that the data was sensitive in nature: among other things, SSNs were stored. Granted, some researchers have found that an individual's SSN is priced lower than a cup of latte, but its value is much higher, just as the price of a commodity (copper, beef, SSN) is lower than that of a value-added product (telecommunications cable, steak at a frou-frou foodie locale du jour, IDs that make use of a real SSN).

And what was protecting this valuable information? Password-protection. The so-called "protection" that can be easily compromised via a Linux distro CD, a Windows recovery CD, slaving the hard drive to another working computer, buying a software program (or service) that can brute force the password, etc. In other words, not really protection at all.
Unlike password-protection, encryption makes it a point to conceal information. Not only does it ensure that "data is not stored in an easily recognizable format," it converts the data so that it is hard to recognize. The difference is night and day.

It's the reason why most data breach notification laws give a free pass for encrypted information that is lost or stolen. It's the reason why certain countries have laws that give the state the power to incarcerate people who won't give up their encryption passwords. It's the reason why, until a decade or so ago, encryption was classified as a weapon that could be banned from being exported (and in some countries, imported).

Had OCtech used encryption, they would have gotten a free pass under South Carolina law. Indeed, it's this one fact alone (combined with the fact that they didn't outright mention encryption) that leads me to conclude that the stolen laptop was not encrypted.

Instead of being given a free pass, they now have to notify 20,000 people, which is costly in and of itself: yes, a lot of postage, but there will also be other expenditures. OCtech will probably also have to spend time and money supporting any investigations by the state's Attorney General. There's also a pretty good chance that they'll have to defend themselves against a lawsuit: with 20,000 people affected, you can bet someone's going to launch legal action against OCtech, regardless of whether it has merit. (The courts have ruled so far that data breach-related lawsuits can only proceed if people can prove a direct link between the breach and actual harm.)
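The difference the post draws between password-protection and encryption, as an added demonstration that is not code from the post or from AlertBoot: the audit reads a raw volume image the way a slaved drive would (no login step), counts SSN-shaped values and measures byte entropy, which is how an auditor can answer the "not easily recognizable format" question empirically. The record set, the password, the salt and the HMAC-counter cipher are all constructed for the demo and do not represent any real product's on-disk format.

```python
import hashlib, hmac, math, re

SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")  # SSN-shaped runs: the quickest PHI tell

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext, roughly 3 to 5 for text."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def password_protected_volume(data: bytes, password: str) -> bytes:
    """Password-protection as the post describes it: a login check in front of
    untouched plaintext. The hash only gates the UI; the bytes stay readable."""
    return hashlib.sha256(password.encode()).digest() + data

def encrypted_volume(data: bytes, password: str, salt: bytes) -> bytes:
    """Demonstration cipher (hypothetical, unauthenticated): PBKDF2-derived key,
    HMAC-SHA256 in counter mode as a keystream XORed over the data; the same call
    decrypts. A real disk encryption product would use AES-XTS or AES-GCM."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(p ^ k for p, k in zip(data[off:off + 32], ks))
    return bytes(out)

def audit_image(image: bytes) -> dict:
    """Emulate slaving the drive to another machine: raw bytes, no login step."""
    return {"ssn_hits": len(SSN_RE.findall(image)),
            "entropy": round(shannon_entropy(image), 2)}

# Constructed sample spreadsheet: fake names, dates and SSN-shaped numbers, not real people
RECORDS = b"".join(
    f"Patient {i:04d},1970-01-{i % 28 + 1:02d},"
    f"{i % 900 + 100:03d}-{i % 90 + 10:02d}-{i * 37 % 10000:04d}\n".encode()
    for i in range(200))
SALT = b"constructed-salt"  # fixed so the demo is repeatable; real products use a random salt

def compare(password: str = "clinic2014") -> dict:
    """Audit both volumes 'protected' by the same password."""
    return {"password_only": audit_image(password_protected_volume(RECORDS, password)),
            "encrypted": audit_image(encrypted_volume(RECORDS, password, SALT))}

if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:14s} SSNs readable from raw bytes: {r['ssn_hits']:3d}  entropy: {r['entropy']}")
```

Against the password-only volume every one of the 200 records is readable straight from the raw bytes; against the encrypted volume the pattern scan finds nothing and entropy sits near 8 bits per byte.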
Data breaches and breach notifications: stuff only big businesses have to worry about, right? Apparently not, according to Vermont's Attorney General:

"At this stage of the game, having seen widely reported data breaches at big retailers like Target and dozens of others, we will not accept the excuse that a business did not know of its obligations to report a breach."

And to prove it, the AG has fined a Vermont business $3,000 in civil penalties.
The business that got the dubious honor of receiving the first fine for not sending notification letters (at least, the first that I know of) is Shelburne Country Store in Shelburne, Vermont. According to their website, the business was established in 1859 and offers the type of stuff you'd expect from an idyllic Vermont gift shop.

Indeed, if the pictures on their site are anything to go by, it seems almost too idyllic, too stuck in the past. So much so, in fact, that I'd almost believe that they didn't know of the need to contact people affected by the breach, despite breaches at Target and dozens of others that made national news. (Also, I wouldn't be surprised that they were hacked and had customers' credit cards stolen. It feels a bit like I'm looking at the last days of Geocities.)

Regardless, they do have a website from which you can order merchandise. It was hacked in late 2013 and credit card details were stolen. Shelburne Country Store quickly fixed the problem, according to databreaches.net (and it appears that they may have revamped their website while they were doing so); however, they never contacted customers who were affected by the credit card data theft.
Vermont is one of the 47 states that have passed a security breach notification law. Among the requirements, a breached entity must contact the state AG within 14 days of finding out about the data breach. Furthermore, affected clients must be contacted no later than 45 days after finding out about the breach.

I've often wondered what would happen if a business decided not to contact people. I mean, how would the state AG or anyone else really know, unless they got help from a whistleblower? Especially if said business was tiny? And what exactly would happen if they were caught?

I guess now we know.
TrueCrypt recently shut its doors and offered little explanation to its users. Was its software secure or subject to illegal activity? What were the implications of the company’s closure? Clients depend on reliable security to keep their information safe. However, many organizations think it’s cost-efficient to use open-source data encryption software. This could end up costing your customers — and your company — if the software becomes defunct. In this article, Tim Maliyil describes the five things you need to look for in a new data encryption program.
Think you’re up-to-date with the latest technology? If you’re not taking advantage of the cloud, then you may not be as in the loop as you think. While some are skeptical of Internet-based systems, the cloud isn’t as risky as one might think. Cloud technologies can be great resources for small businesses. From secure storage to sending files or emails, the cloud can boost efficiency. By evaluating the benefits and ensuring that your data is secure before and during its storage, you can focus your time and resources on productivity. In this article, Tim Maliyil describes the benefits of cloud technology and provides tips on how to keep your business’ data safe.