When it comes to data breaches and the legislation governing them, you can divide the laws into two different camps: the ones where a monetary penalty is assessable and the ones where it isn't. The use of data security software like AlertBoot managed disk encryption for laptops can provide safe harbor from such fines, which many view as a positive exemption in a well-designed legal policy – that is, it encourages good data security practice. However, there are many who wonder whether the use of financial incentives is the correct approach to stemming the growing tide of data breaches.

Wouldn't it be better if the money were used for IT upgrades, employee education programs, hiring outside experts, etc. – as opposed to filling the coffers of government agencies?

An outside survey commissioned by the Information Commissioner's Office (ICO) in the UK seems to suggest that the answer is "no." Nothing attracts more attention to the issue or prods people to clean up their act than the transfer of dollars (or pounds sterling, as it were).
The survey, commissioned by the ICO and carried out by SPA Future Thinking, involved a total of 99 organizations: 14 that received a Civil Monetary Penalty (CMP) notice and 85 online survey takers who decided to participate.

The ensuing report is quite long (60 pages) but organized in the manner of a PowerPoint presentation, so reading it is less arduous than you may believe.

Ultimately, this is the point and conclusion of the report: the CMPs work as designed. They spur affected organizations to increase awareness of the importance (and duty) they have when it comes to protecting personal data, up and down the entire organizational hierarchy. Furthermore, other organizations in the same or similar sectors are also provoked to upgrade their security, because of fears that they, too, could be on the wrong end of an ICO monetary penalty notice. (Apparently, it's not uncommon knowledge that anyone can be the victim of a data breach.)

One of the most notable results of a CMP is that there is more "buy-in" for data protection from senior management after the fine. (And after the breach itself, it is argued by some. But, honestly, the latter claim requires a comparison with companies that had a data breach but weren't issued a CMP, and those were not part of the survey.)

There are also claims that the reputational hit an organization took had more of an impact on effecting changes than the financial penalty. This is contradicted, however, by overwhelming admissions that the reputational hit was either short-lived or nearly non-existent. In addition, I note that nobody – absolutely nobody – appears to have complained about their reputation being sullied, but a significant majority had some choice words about the fines.

Overall, the report is a pretty interesting read, but nothing about it appears to be earth-shattering.
This report is the only one of its kind, as far as I know: reports that try to show the effects of HIPAA fines, FINRA fines, state fines and settlements (e.g., the Massachusetts AG has extracted "financial concessions" from a number of companies), and other penalties similar to the ICO's CMP are non-existent. However, I feel that if any reports I missed were to come to my attention, they'd show the same conclusion.

At AlertBoot, we've personally found that HIPAA's Final Omnibus Rule appears to have had a significant impact on covered entities and business associates. We've seen a growing adoption of full disk encryption as well as an increase in inquiries beginning around this time last year, which was approximately 60 days prior to the Final Rule taking effect. It is still strong, although we've also seen a boost due to TrueCrypt's recent troubles.

With such results, it's hard to argue against monetary penalties. When stern warnings and carrots don't work, it's time to start carrying a large stick and speaking softly.
Do you like to gamble? If you’re hitting the local casino for a fun night out, more power to you. But if you’re gambling with your clients’ information, you’re bound to lose. Many people think breaches and security issues only affect giants like Target. The truth is that your business could be just as vulnerable if you don’t take the necessary precautions. Whether your company consists of five employees or 5,000, security should be built in from the start. In this article, Tim Maliyil explains why small businesses need to ensure their data is protected and the steps they can take to secure it.
Women & Infants Hospital of Rhode Island has settled with the Massachusetts Attorney General's office over a 2012 data breach that ended up affecting more than 12,000 people in Massachusetts. The hospital has agreed to pay $150,000 – $110,000 in civil penalties, $25,000 for attorney's fees, and $15,000 to a fund – and agreed to prevent future data breaches, according to narragansett.patch.com. This is the type of risk a HIPAA covered entity is setting themselves up for if they do not use HIPAA compatible encryption to protect their PHI.
In April 2012, Women & Infants Hospital came to the unmistakable conclusion that they were missing backup tapes used to store names, SSNs, ultrasound images, and other data classified as protected health information (PHI) under HIPAA. The tapes were meant to be sent off-site and then transferred to a "new picture archiving and communications system." Instead, they went missing.

In addition, the hospital discovered the breach in April 2012 but didn't notify the Massachusetts AG's office until the fall of 2012. Because HIPAA requires notification no later than 60 calendar days after the discovery of a breach, Women & Infants Hospital ended up breaking another HIPAA rule.
It is commonly known that the use of encryption software provides safe harbor from HIPAA requirements like the above, protects PHI, and counts towards state and other federal data protection requirements.

And yet, many covered entities are still delaying the deployment of data protection tools or looking for excuses not to deploy them at all. The reasons are myriad, ranging from cost to the complexity of implementing them.

However, it's becoming clear as time goes by that the costs of not encrypting PHI could be much higher – although deferred to a later date – and that there is more complexity involved when encryption is not employed (inventorying hardware may be simpler than encrypting it, but it's certainly not easier).
Here is another incident that shows the importance of using HIPAA encryption software on desktop computers. In addition, it shows why full disk encryption is preferable to file encryption for this purpose.
Bay Area Pain Medical Associates, according to phiprivacy.net, has notified patients that three desktop computers with patient data were stolen in May of this year. Because HIPAA/HITECH provides safe harbor from the Breach Notification Rule for any PHI (protected health information) that is guarded with encryption software, one could assume that the information was not properly protected.

The assumption in this case would be partially wrong.

According to the notification letter Bay Area Pain Medical Associates is sending out, "all medical records were encrypted and inaccessible, [however] we believe one Excel spreadsheet containing approximately 2,780 patient names" was not.

What we can tell from this admission is that full disk encryption was not used, as this particular encryption technology protects a computer's entire hard drive (the hardware where data is stored for the long term). Chances are, file encryption was used to protect individual files (or possibly folder encryption, where a select folder or folders are encrypted, along with anything that is placed inside them).
Does this mean that disk encryption is superior to file encryption or folder encryption?

Not quite.

They have different uses. If you're looking to protect your files from being stolen wholesale (i.e., a stolen computer triggers a HIPAA breach), then disk encryption is a no-brainer. However, disk encryption cannot protect a person from instigating other types of HIPAA breaches. For example, if a file has to be sent via email, disk encryption cannot help – the correct tool would be file encryption.

Just as a chef has a number of different knives that essentially do the same thing (cut stuff), there are different encryption tools that are made for a particular purpose. The correct approach to data security is to use each as needed.
Penn Medicine Rittenhouse has contacted approximately 600 people, alerting them of a data breach. It's one of those instances where advanced IT couldn't really have helped (paper documents were stolen), but it does lead to the following question: are we really to believe that laptop thefts from medical establishments are for the hardware and not the patient data contained within?
Someone broke into Penn Medicine Rittenhouse's premises last month and stole receipts that contained information on patients. Thankfully, the information found on these receipts was truncated (and, especially important, sensitive information wasn't on them at all). According to philly.com:

"The receipts did not include social security numbers, diagnoses, insurance numbers or full credit card numbers. They did show varying information, including combinations of patient name, date of birth and the last four digits of credit card numbers."

Of course, names and dates of birth can be used to perpetrate fraud as well; however, a bit more effort is required to do so, and chances are that holding only basic information will lead criminals to consider seeking other victims whose sensitive information is easily accessible. Possibly, this is what the particular thief who burgled Penn Medicine Rittenhouse decided as well. Hence the discarded receipts on hospital grounds: once he saw that easily monetized information (such as SSNs) was missing, he just dumped the whole batch.
Perhaps it's not surprising that such data breaches, where paper documents are stolen, are increasing. After all, we're living in the Information Age, and turning data into cash – regardless of what form that data takes – has been a viable business for a while. (Perhaps a reason that should be factored into this growth is that securing paper documents remains in the information Dark Ages – we still use the same technology we used in the 50's and earlier – whereas digital data is becoming easier to secure at a fraction of the complexity and price. Also, a lot more focus is spent on protecting digital data, meaning physical data is falling by the wayside.)

Consider, too, that so-called "insider attacks," committed by people who are routinely given access to sensitive data as part of their employment, are also growing as a data breach vector.

Which makes me wonder: what percentage of laptops, and other computer hardware that stores information, are stolen for the information stored on them? When you read of HIPAA data breaches revolving around stolen hardware, the breach notification letter always states something along the lines of "we believe that the theft was motivated by the hardware." That is, the thieves were looking to make a quick buck by reselling the laptop ASAP.

Now, this makes sense if the laptop was stolen from an unmarked car. But what if it was stolen from a clinic or general hospital or other medical facility? Or an ambulance? Or the house of a person who is well-known in the neighborhood for being a neurosurgeon? Are we really to believe that obtaining patient information is to be counted as a zero in the theft's motivation?
And so the risk of a patient's data being used for fraud is also very low?

In an era where more and more PHI data breaches are being directly attributed to the theft of patient data, and not to an indirect consequence of an alternate criminal intent, believing that the theft of a laptop was for the hardware is an untenable position.

Thankfully, updated HIPAA regulations make such beliefs a moot point: under the final rules, HIPAA covered entities are instructed to assume that the loss of a laptop is tantamount to a PHI data breach, unless it can be demonstrated that the risk of compromise is low (for example, because laptop encryption was used to secure the endpoint device).
Orangeburg-Calhoun Technical College, known as OCtech, has issued a press release alerting students and faculty that a laptop was stolen from the school's premises. They make it a point to note that sensitive data on the laptop was stored in a not so "easily recognizable format"; however, it is questionable whether that refers to something akin to managed laptop encryption from AlertBoot.

While encryption software turns information into a format that is not easily recognizable, it's also true that, technically, information that is stored as plaintext (i.e., easily readable by a person) is also stored in a similar manner. After all, how many of us can read a string of ones and zeroes?

So, is this not "easily recognizable format" a reference to encryption or not? I'm guessing not.
In many ways, OCtech can be excused over the data breach. After all, it's not as if the laptop was stolen from an employee's car that was left unlocked, or because somebody mistakenly uploaded the information to an unsecured server. It was a victim of an everyday crime that has proven impossible to uproot since time immemorial.

On the other hand, this one laptop did end up affecting about 20,000 former and current students and faculty members, according to databreaches.net. To make it worse, it turns out that the data was sensitive in nature: among other things, SSNs were stored. Granted, some researchers have found that an individual's SSN is priced lower than a cup of latte, but its value is much higher, just as the price of a commodity (copper, beef, SSN) is lower than that of a value-added product (telecommunications cable, steak at a frou-frou foodie locale du jour, IDs that make use of a real SSN).

And what was protecting this valuable information? Password-protection. The so-called "protection" that can be easily compromised via a Linux distro CD, a Windows recovery CD, slaving the hard drive to another working computer, buying a software program (or service) that can brute force the password, etc. – in other words, not really protection at all.
Unlike password-protection, encryption makes it a point to conceal information. Not only does it make it so "data is not stored in an easily recognizable format," it converts the data so that it is hard to recognize. The difference is night and day.

It's the reason why most data breach notification laws give a free pass for encrypted information that is lost or stolen. It's the reason why certain countries have laws that give the state the power to incarcerate people who won't give up their encryption passwords. It's the reason why, until a decade or so ago, encryption was classified as a weapon that could be banned from export (and in some countries, import).

Had OCtech used encryption, they would have gotten a free pass under South Carolina law. Indeed, it's this one fact alone (combined with the fact that they didn't outright mention encryption) that leads me to conclude that the stolen laptop was not encrypted.

Instead of being given a free pass, now they have to notify 20,000 people, which is costly in and of itself – yes, a lot of postage, but there will also be other expenditures. OCtech will probably also have to spend time and money supporting any investigations by the state's Attorney General. There's also a pretty good chance that they'll have to defend themselves against a lawsuit – with 20,000 people affected, you can bet someone's going to launch legal action against OCtech, regardless of whether it has merit. (The courts have ruled so far that data breach-related lawsuits can only proceed if people can prove a direct link between the breach and actual harm.)
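The two points above – that file encryption is the right tool when a document has to travel (for example as an email attachment), and that "password-protection" of a computer leaves the stored bytes themselves readable once the drive is read from another system – can be seen side by side in the following added example. It is not AlertBoot's code and not part of the original posts. To stay runnable with only the Python standard library it uses a constructed, illustrative construction (PBKDF2-HMAC-SHA256 to derive keys from a password, HMAC-SHA256 in counter mode as the keystream, and a separate HMAC tag, encrypt-then-MAC); a real deployment would use a vetted authenticated cipher such as AES-GCM from a maintained library, and a disk-encryption product does this for the whole drive transparently. The sample "spreadsheet" and password are constructed, and the function names are assumptions made for the demonstration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Demonstration parameters (assumed for this example, not from the page).
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32    # bytes per derived key
TAG_LEN = 32    # HMAC-SHA256 tag
SALT_LEN = 16
NONCE_LEN = 16


def _derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from a password with PBKDF2-HMAC-SHA256."""
    material = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=2 * KEY_LEN
    )
    return material[:KEY_LEN], material[KEY_LEN:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF keystream (toy cipher for the demo only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_file_bytes(plaintext: bytes, password: str) -> bytes:
    """File-level encryption: returns salt || nonce || ciphertext || tag (encrypt-then-MAC)."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = _derive_keys(password, salt)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_file_bytes(blob: bytes, password: str) -> bytes:
    """Verify the tag (constant-time) before decrypting; wrong password or tampering raises."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short to be a valid encrypted file")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong password or modified file")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def plaintext_visible(stored: bytes, needle: bytes) -> bool:
    """What someone holding the drive sees: is the sensitive string present in the stored bytes?"""
    return needle in stored


def demo() -> dict:
    """Compare an OS-password-only machine with a file that was actually encrypted."""
    # Constructed sample standing in for a spreadsheet of patient names (not real data).
    record = b"Patient,DOB\nJane Doe,1970-01-01\nJohn Roe,1965-05-05\n"
    password = "correct horse battery staple"   # constructed sample password
    needle = b"Jane Doe"

    # "Password-protection": the login prompt is a gate in the OS, not a transformation of
    # the data, so the bytes on the drive are the plaintext itself.
    password_protected_on_disk = record
    # File encryption: the same record after encryption, as it would sit on disk or in an email.
    encrypted_on_disk = encrypt_file_bytes(record, password)

    try:
        decrypt_file_bytes(encrypted_on_disk, "not the password")
        wrong_password_rejected = False
    except ValueError:
        wrong_password_rejected = True

    return {
        "plaintext_visible_when_only_password_protected": plaintext_visible(password_protected_on_disk, needle),
        "plaintext_visible_when_encrypted": plaintext_visible(encrypted_on_disk, needle),
        "roundtrip_ok": decrypt_file_bytes(encrypted_on_disk, password) == record,
        "wrong_password_rejected": wrong_password_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `demo()` result makes the contrast concrete: the "password-protected" bytes still contain the patient name for anyone who reads the drive from another system, while the encrypted bytes do not, and a wrong password fails the authentication check before any data is released rather than yielding garbage silently.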