Shands HealthCare has notified approximately 12,500 patients and referrals that there was an information security breach when a laptop was stolen during a burglary. Hard drive encryption was not used to protect the contents of the stolen computer.
The theft took place on January 27, at the home of an employee of Shands HealthCare. The employee had downloaded sensitive information to a company computer and taken it home for "work-related purposes."
The breached patient data includes "names, addresses, physician name, medical record numbers and abbreviated medical procedure or condition codes. The laptop also contained the Social Security numbers of about 650 people."
I'm not a lawyer, but the last time I checked, patient data needs to be kept secure. One of the conditions I've often noticed is that sensitive data must be kept in a secure environment at all times.
For example, files need to be kept in a locked file cabinet. Doors to data repositories (e.g., a closet full of patient charts) must be kept locked. Computer monitors must face away from hallways and windows, in case someone is able to read the screen over the shoulder of an authorized person. The list goes on and on (and on).
If I'm not wrong, digital data need not be encrypted, but it is highly encouraged, unless, of course, the data happens to be in an insecure environment; in that case, there is little alternative to the use of encryption software.
Now, arguably, someone's home or car is a safe environment. I mean, they've got locks on doors as well. On the other hand, car and home burglaries are myriad, and not just because there are more homes and cars than hospitals. Generally speaking, hospitals tend to be more secure environments, despite their "open" structure: besides patient data, they've got to ensure those vials of medical cocaine and other hard-hitting drugs are not accessed by some random guy.
Security in hospitals has always been of paramount importance, and securing a vial of controlled substances is no different from securing a laptop. Your average home doesn't have such a setup.
So...let's trace our steps, shall we? The employee downloads patient information to a work-issued computer for work-related purposes...and the machine is not protected with encryption? Sounds to me that Shands is in a lot of trouble.
"Shands leaders have since launched a systemwide encryption initiative to better safeguard protected health information stored on Shands-owned computers, laptops and other portable communications devices as well as on employee-owned devices used to support Shands work."
Well, I guess they're going in the right direction. One of the notable things in the above announcement is that the company is going as far as encrypting employee-owned devices.
Which makes sense: once an employee is authorized to work from home, that person may opt to use their home machine rather than their work machine, assuming they were issued one. Why? For starters, perhaps the home machine is a brand new one, and it feels "faster," meaning that work will also finish "faster."
The only thing to remember is that encryption is not a panacea for all the data security risks out there. For example, I don't doubt that a Trojan that harvests SSNs exists out there in the wild. While whole disk encryption can prevent a lot of ills, it's ineffective against such threats, because a running Trojan reads files through the same unlocked volume the logged-in user does; a different security product is required.
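Whole disk encryption covers data at rest, so the remaining control is knowing which machines actually hold high-risk fields such as SSNs before they leave the building. The script below is an added example, not code from Shands or from the announcement: it scans a constructed export file for SSN-like values, separating dashed matches (high confidence) from bare nine-digit runs (low confidence, since those collide with medical record and account numbers), rejects values the SSA never issues (area 000, 666 or 900-999; group 00; serial 0000), and reports only masked values so the scanner's own output does not become another copy of the data. The file layout, field names and all numbers in `SAMPLE_EXPORT` are constructed for the example.

```python
"""Endpoint inventory check: find SSN-like values in text so that the device
holding them can be prioritised for encryption or have the data removed.
Added example; not Shands' code and not part of the announcement."""
import re

# High confidence: dashed AAA-GG-SSSS form, not embedded in a longer token.
DASHED = re.compile(r"(?<![\w-])(\d{3})-(\d{2})-(\d{4})(?![\w-])")
# Low confidence: bare 9-digit run, which also matches many MRNs and account numbers.
BARE = re.compile(r"(?<!\d)(\d{3})(\d{2})(\d{4})(?!\d)")


def plausible(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA does not issue: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def mask(area: str, group: str, serial: str) -> str:
    """Keep only the last four digits so findings can be reported safely."""
    return f"XXX-XX-{serial}"


def scan_text(text: str) -> list:
    """Return (line_no, confidence, masked_value) for every plausible hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in DASHED.finditer(line):
            if plausible(*m.groups()):
                findings.append((line_no, "high", mask(*m.groups())))
        for m in BARE.finditer(line):
            if plausible(*m.groups()):
                findings.append((line_no, "low", mask(*m.groups())))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per confidence level for a per-device risk summary."""
    counts = {}
    for _, confidence, _ in findings:
        counts[confidence] = counts.get(confidence, 0) + 1
    return counts


# Constructed sample: one valid dashed SSN, one bare 9-digit MRN that looks like
# an SSN, and two dashed values in ranges the SSA never issues (666, 987).
SAMPLE_EXPORT = """\
name,physician,mrn,ssn,proc_code
Doe Jane,Dr. A,000123456,123-45-6789,CPT-99213
Roe Rick,Dr. B,MRN778899,,ICD-E11.9
Poe Pat,Dr. C,555667788,666-12-3456,CPT-99214
Hoe Han,Dr. D,,987-65-4321,CPT-93000
"""

if __name__ == "__main__":
    hits = scan_text(SAMPLE_EXPORT)
    for line_no, confidence, masked in hits:
        print(f"line {line_no}: {confidence:4s} {masked}")
    print(summarize(hits))
```

On the sample the scanner reports one high-confidence hit on line 2 and one low-confidence hit on line 4 (the bare MRN 555667788); the 666 and 987 values are dropped. In practice the low-confidence bucket is what an analyst reviews by hand, and a device with any high-confidence hit goes to the front of the encryption queue.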
Related Articles and Sites:
http://shands.org/news/archive/NewsDetails.asp?ID=496