AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Laptop Encryption Software: Cincinnati Children's Hospital Breach Affects 61,000 Records

A laptop computer was stolen from Cincinnati Children's Hospital Medical Center, exposing 61,000 patient records.  The details surrounding the incident show that this is a clear violation of HIPAA.  Had the hospital used drive encryption software, it might have saved itself a lot of money in notification costs and potential fines.

Another Theft from a Car

According to cincinnati.com, the laptop was "stolen from a hospital employee's personal vehicle while it was parked outside the employee's home in late March."

The stolen laptop was password-protected, but the data on it was not encrypted.  A login password only gates access to the running operating system; anyone who pulls the drive or boots the machine from other media can read the files directly.  Full disk encryption would have provided a far greater degree of security.  Patient names, medical record numbers, and services provided were part of the personal information that was breached.  SSNs, credit card numbers, and phone numbers were not included.

Notification letters were sent out to affected patients in several states and foreign countries.

It was noted by the hospital spokesman that "it was appropriate for the employee to have the laptop outside the work setting."

I...disagree.  I think the employee was allowed to have the laptop outside the work setting.  I don't know that it was appropriate under the circumstances.

Also, I might be working with the quote out of context, but I do note that the spokesperson didn't say anything about the employee being authorized to take the data outside the work setting, although that's the implication.

This is Clearly a HIPAA Violation

There is no getting around it: this is a HIPAA violation, and the admission by the hospital's spokesman just confirms it.  Under HIPAA, protected health information (PHI) must be secured, preferably with encryption if one's dealing with digital data.

While there is no absolute requirement to encrypt PHI--under the HIPAA Security Rule, encryption is an "addressable" implementation specification, so a covered entity, in this case the hospital, can forgo the measure if it believes that PHI is safe enough without it--the covered entity must document why it believes PHI is safe without encryption and what equivalent alternative measure it has put in place instead.

Now, "it's inside a car" is not a legitimate reason/defense.  And, when you combine the fact that the employee was authorized to carry that laptop around, and by implication the PHI...well, you can't blame the employee for this particular breach.  It was up to the hospital to make sure that this device was protected.

It could very well be that someone in their IT department dropped the ball.  After all, the place does have over 10,000 employees and is the fourth largest company in Cincinnati by employee count (the top three are Kroger, the University of Cincinnati, and P&G, respectively, if you're interested.  Walmart comes a distant seventh).

Assuming the computer count is half of the number of employees, we're talking about 5,000 computers.  I don't know what the Children's Hospital's position is when it comes to disk encryption, but assuming they had a policy of complete coverage for all endpoints, it would be easy to miss a laptop or two.

Or, it could even be a case where the user of the laptop disables the encryption in place because he or she feels "it slows things down."

Centrally Managed Encryption Could Have Helped

Yes, this is a plug for our AlertBoot encryption as a service, but the points I bring up are pretty salient:

One, encryption as a managed service means a centralized database for managing encryption keys (which is an important objective under HIPAA when it comes to encryption).  This means easy key management, which means the hospital's IT department would have had an easier time with their encryption deployment.

Two, easy audits: the built-in encryption audit report, which generates the report in real-time, shows which machines are encrypted, which ones had a problem with encryption, and which ones haven't even been touched by the encryption initiative at all.  If the stolen laptop above was one of those that fell through the cracks, the IT department would have been able to tell and resolve the issue.

Three, proving compliance:  A recent survey from the Ponemon Institute showed that only 44% of companies would have been able to prove that they had secured their data.  Seeing how HHS, under HITECH, can fine covered entities up to $1.5 million per calendar year for violations of an identical provision, the ability to prove compliance--using the same audit reports mentioned above--is not a small matter.

Four, notifying patients.  Under HITECH-amended HIPAA, a covered entity is required to send breach notification letters to patients when unsecured PHI is breached; PHI encrypted in line with HHS guidance does not count as "unsecured," so its loss would not have triggered notification.  Seeing how over $150 is spent per record when it comes to patient notification and other follow-up measures (setting up toll-free lines for answering patient questions, etc.), Cincinnati Children's Hospital is looking at a potential outlay of at least $9 million.  The only way to avoid it all would have been to encrypt the PHI--and to be able to show that it was encrypted.

And that's even before the HHS starts looking into the issue and assessing any fines, if any.
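To make the audit point concrete, here is an added example of the kind of check a hospital IT department could run itself; it is not AlertBoot's code and is not from the original post.  It assumes Windows laptops using BitLocker, with the text of `manage-bde -status` collected centrally from each machine (for instance by a login script), and it classifies every host into the three buckets described above: fully protected, touched but not finished, and never encrypted.  It also goes one step beyond the post and catches the case from earlier in this article where a user suspends encryption because "it slows things down": BitLocker then still reports the volume as "Fully Encrypted," but with "Protection Off," which means the volume key is stored in the clear and the laptop is effectively unprotected.  The host names and status text are constructed sample data, trimmed to the fields that matter.

```python
"""Added example: turn collected BitLocker status output into a coverage report.
Assumes Windows endpoints whose `manage-bde -status` text was gathered centrally;
the host names and status text below are constructed, not real data."""
import re
from typing import Dict, List

# Constructed `manage-bde -status` output for four hypothetical hosts (trimmed;
# the "    Name: value" layout matches what manage-bde prints).
SAMPLE_STATUS: Dict[str, str] = {
    # Encrypted with protectors active: the only state that counts as protected.
    "LAPTOP-A": """\
Volume C: [OSDisk]
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Key Protectors:
        TPM
        Numerical Password
""",
    # Encrypted, but BitLocker was suspended: the volume key sits on disk in
    # the clear, so a thief who boots the machine reads everything anyway.
    "LAPTOP-B": """\
Volume C: [OSDisk]
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Key Protectors:
        TPM
""",
    # Never touched by the rollout.
    "LAPTOP-C": """\
Volume C: []
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Encryption Method:    None
    Protection Status:    Protection Off
    Key Protectors:       None Found
""",
    # Rollout started on this machine but never finished.
    "LAPTOP-D": """\
Volume C: [OSDisk]
    BitLocker Version:    2.0
    Conversion Status:    Encryption in Progress
    Percentage Encrypted: 43.1%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Key Protectors:
        TPM
""",
}

# Matches "    Name: value" lines; the deeper-indented protector names have no colon and are skipped.
FIELD_RE = re.compile(r"^\s{4}([A-Za-z ]+):\s*(.*)$")
STATES = ["not_encrypted", "suspended", "in_progress", "encrypted"]  # worst first


def parse_volume(text: str) -> Dict[str, str]:
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def classify_volume(fields: Dict[str, str]) -> str:
    conversion = fields.get("Conversion Status", "")
    protection = fields.get("Protection Status", "")
    if conversion == "Fully Encrypted" and protection == "Protection On":
        return "encrypted"
    if conversion == "Fully Encrypted":
        return "suspended"  # ciphertext on disk, but the key is exposed: not protected
    if "Progress" in conversion or "Paused" in conversion:
        return "in_progress"
    return "not_encrypted"


def classify_host(status_output: str) -> str:
    # Worst state over every volume in one host's output; 'no_data' if nothing parsed.
    volumes = [v for v in re.split(r"^(?=Volume )", status_output, flags=re.M) if v.strip()]
    states = [classify_volume(parse_volume(v)) for v in volumes]
    return min(states, key=STATES.index) if states else "no_data"


def coverage_report(fleet: Dict[str, str]) -> Dict[str, List[str]]:
    report: Dict[str, List[str]] = {s: [] for s in STATES + ["no_data"]}
    for host, output in sorted(fleet.items()):
        report[classify_host(output)].append(host)
    return report


def gaps(fleet: Dict[str, str]) -> List[str]:
    # Hosts whose theft would be a reportable breach today: everything not 'encrypted'.
    return sorted(h for s, hosts in coverage_report(fleet).items() if s != "encrypted" for h in hosts)


if __name__ == "__main__":
    for state, hosts in coverage_report(SAMPLE_STATUS).items():
        print(f"{state:14s} {len(hosts):2d}  {', '.join(hosts)}")
```

Run against the sample fleet, only LAPTOP-A lands in the "encrypted" bucket; the other three are the machines a compliance report needs to surface, and the suspended one is the most dangerous because a naive check that only looks at "Conversion Status" would have called it encrypted.  A host that returns no parseable volumes at all ("no_data") should be treated as a gap too, since an inventory that cannot account for a laptop cannot prove anything about it after it is stolen.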

Related Articles and Sites:
http://www.phiprivacy.net/?p=2824

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.