BreachExchange mailing list archives
When encryption is not enough for HIPAA
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 19 Nov 2014 17:32:45 -0700
http://www.govhealthit.com/news/when-encryption-not-free-pass-hipaa

General consensus about HIPAA has thus far been that if healthcare organizations simply encrypt their data and devices then lost or stolen smartphones or tablets are essentially protected. But reality is not always so simple as a get-out-of-jail-free card.

A robbery reported by Boston's Brigham and Women's Hospital, in fact, is shining a light on the complex web of healthcare providers' HIPAA responsibilities when an encrypted laptop or device is stolen — and the pass codes right along with it.

Hospital officials on Monday announced that an encrypted — not unencrypted — cellphone and laptop containing patient medical data were stolen this fall after a BWH physician was robbed at knifepoint and forced to disclose the laptop's pass codes.

The two devices contained the names, medical record numbers, ages, medications, clinical diagnoses and treatment data on 999 patients, officials said. The specific set of patients were those who received treatment at BWH's neurology and neurosurgery programs from October 2011 to September 2014, in addition to a group of individuals who participated in research studies.

The armed robbery, which took place Sept. 24, was reported to the Boston Police Department, who then issued a community alert six days later. According to the police department, the physician was robbed at knifepoint and then bound to a tree. The stolen items have not yet been recovered.

"We apologize for any inconvenience and deeply regret any concern this situation may cause our patients," said Cedric Priebe, MD, chief information officer at BWH, in a Nov. 17 press statement. "We have no knowledge that the information on these devices has been accessed, and we are reviewing related policies and procedures in an effort to determine if there are steps that may decrease the likelihood of this type of incident in the future."

So does encryption cover an organization's HIPAA bases? Short answer: No.
Encryption, according to the Department of Health and Human Services' HIPAA Security Rule, involves using "an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key ... and such confidential process or key that might enable decryption has not been breached." In what transpired at BWH, the key was indeed breached after the pass codes were given.

When asked how these cases are handled by the federal government, the Office for Civil Rights, the HHS division responsible for enforcing HIPAA, did not respond for comment by publication time.

As Beth Israel Deaconess Medical Center CIO John Halamka, MD, told Healthcare IT News earlier this summer, the words from staff that give him the chills? "My laptop was stolen, but it had a password. That's the same as encryption, right?"

This is the third HIPAA breach for BWH, according to data from HHS — and the third theft. Back in 2011, a BWH employee lost an unencrypted hard drive that contained protected health information of 638 patients. A year later, the hospital reported a second HIPAA breach after BWH officials reported that an unencrypted desktop computer had been stolen. The computer contained the PHI of 615 individuals.

To date, more than 41 million individuals have had their protected health information compromised in reportable HIPAA privacy and security breaches.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)