AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Drive Encryption Software: Henry Ford Has Second Data Breach, Loses USB Key

Henry Ford Health System has alerted the general public that it suffered a data breach, its second incident in three months.  It looks like they have another HIPAA violation on their hands, this time a consequence of not using drive encryption like AlertBoot on a USB memory stick.

Employee Loses Flashdrive with Medical Data

The breach occurred on January 31, when a USB flash drive with information on 2,777 patients was lost by an employee.  The device has not been found.  Furthermore, it is not known to date how the device was lost.

What is known is that there were files with names, medical record numbers, test information, and results for urinary tract infections.  As data breaches go, this one appears to be an embarrassing one for patients as opposed to being a financially calamitous one.

Also, it only affects patients who visited Henry Ford between July and October 2010.

Still, one cannot deny that the lost information is classified as protected health information (PHI) under HIPAA, and will require Henry Ford Health System to notify the affected patients and the HHS as well.

Henry Ford had Breach, Knew What They Had to Do

It was in November 2010, barely three months ago, that a laptop was stolen from Henry Ford.  Oddly enough, that device, too, had information that affected urology patients.  In a serious case of déjà vu, the medical facility noted that SSNs and other financial information were not included -- just medical information, such as treatments and the like, as in the more recent case -- and that laptop encryption, which was required per the facility's policies, was not used.

At the time, they had declined to reveal how many people were affected, which was eventually made public by the HHS.  I guess the persons managing the breach must have noticed that, too, since this time they're much more open.

According to a couple of sources, there is a zero-tolerance policy on unsecured patient information at Henry Ford, and employees will face either suspension or termination.

Can't Blame Henry Ford for This One, In My Opinion

It was easy to blame Henry Ford in the previous data breach: a laptop was stolen, which is pretty easy to encrypt, and more importantly, to keep track of.  Plus, they kind of "aided" in the robbery because the office was left unlocked (self-locking doors anyone?).  Ten seconds is all it takes for a guy to step in, grab a laptop, stuff it under his shirt, and leave.

This latest one?  I'm willing to point my finger at the employee (unless, of course, nothing was done to educate employees about data security).  First of all, I'm sure the news of the breach would have been fresh on everyone's minds, so saving all that info to the USB stick was a poor move.

Second, there's a good chance that this lost USB stick is not hospital property, but someone's personal storage device.  As I noted yesterday, we're in an age where computer storage devices are placed as impulse-buy tchotchkes at the grocery check-out line.  How's the hospital responsible for the encryption of a personal device?  It cannot be, especially if it went ahead and educated the employee about patient data security.

(Granted, they could have been a little more proactive with a security measure like AlertBoot, where plugging in a USB storage device to an encrypted computer will also automatically encrypt the USB device... this way, personal device or not, it's getting protected.)


Related Articles and Sites:
http://www.detnews.com/article/20110224/BIZ/102240471/1361/Henry-Ford-tightens-security-after-patient-data-lost
http://www.freep.com/article/20110224/BUSINESS06/110224061/0/SPORTS03/Henry-Ford-Health-System-employee-loses-flash-drive-containing-patient-information?odyssey=nav|head


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.