AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

Email Encryption: Geisinger Health System Has Data Breach (Updated 30 DEC 2010)

Even if you use full disk encryption like AlertBoot security software on your computers, there are ways for information to leak out.  One common way is via e-mails, as Geisinger Health System found out.

Update (30 DEC 2010): According to this link, the doctor who caused the breach at Geisinger no longer works for the medical center.  It's not specified whether he resigned, was fired, etc.

3,000 Affected, Doctor Wanted to Work from Home

A gastroenterologist emailed himself a file with medical information on nearly 3,000 patients.  Apparently, the doctor wanted to finish a medical analysis from home.  The breached information included patient names, medical record numbers, procedures, and physician impressions.  These are some of the most basic pieces of information that constitute PHI (protected health information), and they require safeguarding under HIPAA.

It did not include telephone numbers, addresses, SSNs, patient account information, or any other information that could lead to financial fraud.

The information was not protected with encryption software before being sent, which is why Geisinger had to notify the patients under the HITECH Act, which amended HIPAA: if electronic PHI is lost or stolen and it wasn't protected with encryption, full disclosure must be made to the patients and to the HHS, which oversees and enforces the requirements under HITECH.

Why is Emailing a Problem?

It should be pointed out that the doctor's file arrived at its intended destination.  So, where is the breach?  I mean, the doctor could have easily copied the information to an encrypted external hard drive and used that on his home computer, which would have amounted to the same thing.  Email is just another way of transporting the data, right?

Right.  But it's a data breach because of the way email works.  When an email is sent, it is relayed from server to server until it reaches its final destination, and any server that relayed the message could technically look into its contents.  Plus, the ISP that the doctor uses would have a copy of the e-mail as well.

Seeing how many unauthorized people (technicians working at ISPs and whatnot) theoretically have access to this information, sending a file without encrypting it first is a bad idea.  And this is not an unsubstantiated fear.  For example, last month the world was stunned (and alarmed) to learn that 15% of all internet traffic had been routed through China for a full 18 minutes earlier this year.  It even caught the attention of the Pentagon.

Plus, there is the less likely but real possibility that the ISP's machines have been compromised, in which case this medical file would be exposed as well, with no encryption to safeguard it.
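The point above, that every relay which handled the message had the full file in hand and that only an encrypted attachment denies them its contents, can be checked mechanically on a captured message. The following is an added example, not code from the AlertBoot post: it uses only the Python standard library, constructs a sample message with hypothetical host names, walks its Received: trail to list every relay that stored a copy, and flags attachments that are not wrapped in an S/MIME or PGP/MIME encrypted container. The PKCS#7 bytes in the encrypted variant are a stand-in, not a real envelope.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# MIME types that mark a part as an encrypted container (S/MIME or PGP/MIME);
# a relay that stores such a message sees only ciphertext for that part.
ENCRYPTED_TYPES = {"application/pkcs7-mime", "application/pgp-encrypted",
                   "multipart/encrypted"}

# Minimal parse of a "Received: from A by B" header; B is the host that kept a copy.
RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)


def build_sample(encrypted: bool) -> bytes:
    """Construct a message (hypothetical hosts) that has passed three relays."""
    msg = EmailMessage()
    msg["From"] = "doctor@example-hospital.test"
    msg["To"] = "doctor@example-home-isp.test"
    msg["Subject"] = "analysis"
    msg.set_content("file attached")
    if encrypted:
        # Stand-in for an S/MIME enveloped-data blob: opaque to every relay.
        msg.add_attachment(b"\x30\x82\x00\x10opaque-ciphertext",
                           maintype="application", subtype="pkcs7-mime",
                           filename="smime.p7m")
    else:
        # Constructed PHI-like rows, readable by anyone holding the message.
        csv = "mrn,name,procedure\n1001,J. Doe,colonoscopy\n"
        msg.add_attachment(csv, subtype="csv", filename="patients.csv")
    # Each relay prepends its own Received: line, so the stored order is
    # newest-first; adding the last hop first reproduces that layout.
    for hop in ("from mail.example-home-isp.test by mx.example-home-isp.test",
                "from relay.example-hospital.test by mail.example-home-isp.test",
                "from ws-123.example-hospital.test by relay.example-hospital.test"):
        msg["Received"] = hop
    return msg.as_bytes()


def relay_hops(raw: bytes) -> list:
    """Return the hosts that relayed the message, oldest hop first.
    Each of them held the complete message, attachment included."""
    msg = message_from_bytes(raw, policy=policy.default)
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(received)
        if m:
            hops.append(m.group(2))  # the "by" host is the one that stored a copy
    return hops


def readable_attachments(raw: bytes) -> list:
    """Return filenames of attachments any relay could read, i.e. parts not
    wrapped in an encrypted MIME container."""
    msg = message_from_bytes(raw, policy=policy.default)
    exposed = []
    for part in msg.iter_attachments():
        if part.get_content_type() not in ENCRYPTED_TYPES:
            exposed.append(part.get_filename() or "<unnamed>")
    return exposed


if __name__ == "__main__":
    plain = build_sample(encrypted=False)
    print("relays that stored a copy:", relay_hops(plain))
    print("attachments readable in transit:", readable_attachments(plain))
    print("same check, encrypted variant:", readable_attachments(build_sample(True)))
```

Run on a real captured message, the same two functions answer the two questions the post raises: which servers handled the file, and whether any of them could have read it. A mail gateway rule that rejects outbound messages for which `readable_attachments` is non-empty is the simplest enforcement of "encrypt before you send".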


Related Articles and Sites:
http://www.phiprivacy.net/?p=5368
http://www.beckershospitalreview.com/healthcare-information-technology/health-information-of-3k-geisinger-patients-disclosed-in-unencrypted-email.html
https://webapps.geisinger.org/ghsnews/articles/Geisingerinformspatientsof8477.html


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.