BreachExchange mailing list archives

When encryption is not enough for HIPAA


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 19 Nov 2014 17:32:45 -0700

http://www.govhealthit.com/news/when-encryption-not-free-pass-hipaa

General consensus about HIPAA has thus far been that if healthcare
organizations simply encrypt their data and devices then lost or stolen
smartphones or tablets are essentially protected.

But reality is not always so simple as a get-out-of-jail-free card.

A robbery reported by Boston's Brigham and Women's Hospital, in fact, is
shining a light on the complex web of healthcare providers’ HIPAA
responsibilities when an encrypted laptop or device is stolen — and the
pass codes right along with it.

Hospital officials on Monday announced that an encrypted — not unencrypted
— cellphone and laptop containing patient medical data were stolen this
fall after a BWH physician was robbed at knifepoint and forced to disclose
the laptop's pass codes.

The two devices contained the names, medical record numbers, ages,
medications, clinical diagnoses and treatment data on 999 patients,
officials said. The specific set of patients were those who received
treatment at BWH's neurology and neurosurgery programs from October 2011 to
September 2014, in addition to a group of individuals who participated in
research studies.

The armed robbery, which took place Sept. 24, was reported to the Boston
Police Department, which then issued a community alert six days later.
According to the police department, the physician was robbed at knifepoint
and then bound to a tree. The stolen items have not yet been recovered.

"We apologize for any inconvenience and deeply regret any concern this
situation may cause our patients," said Cedric Priebe, MD, chief
information officer at BWH, in a Nov. 17 press statement. "We have no
knowledge that the information on these devices has been accessed, and we
are reviewing related policies and procedures in an effort to determine if
there are steps that may decrease the likelihood of this type of incident
in the future."

So does encryption cover an organization's HIPAA bases? Short answer: No.
Encryption, according to the Department of Health and Human Services' HIPAA
Security Rule, involves using "an algorithmic process to transform data
into a form in which there is a low probability of assigning meaning
without use of a confidential process or key ... and such confidential
process or key that might enable decryption has not been breached."

In what transpired at BWH, the key was indeed breached after the pass codes
were given. When asked how these cases are handled by the federal
government, the Office for Civil Rights, the HHS division responsible for
enforcing HIPAA, did not respond for comment by publication time.

As Beth Israel Deaconess Medical Center CIO John Halamka, MD,
told Healthcare IT News earlier this summer, the words from staff that give
him the chills? "My laptop was stolen, but it had a password. That's the
same as encryption, right?"

This is the third HIPAA breach for BWH, according to data from HHS — and
the third theft.

Back in 2011, a BWH employee lost an unencrypted hard drive that contained
protected health information of 638 patients. A year later, the hospital
reported a second HIPAA breach after BWH officials reported that an
unencrypted desktop computer had been stolen. The computer contained the
PHI of 615 individuals.

To date, more than 41 million individuals have had their protected health
information compromised in reportable HIPAA privacy and security breaches.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
