AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


Disk Encryption Software: Henry Ford Announces Third Breach, Infectious Diseases Computer Stolen

Henry Ford Health System has announced a data breach.  On August 8, it was discovered that a computer had been stolen from one of their laboratories.  It was not revealed whether drive encryption software like AlertBoot was used, although password-protection was present.

520 Patients Affected

The breach occurred sometime between August 5 and August 7 and was discovered on August 8.  A computer was stolen from the Infectious Diseases lab at Henry Ford's corporate offices.

Information on the computer included patients' names, physicians' names, medical record numbers, and test results.  The required substitute notice also notes that the "information stored on the computer was between the time period of 2009 and August 2011."

Again, the presence of encryption software was not specified.  However, when you consider that Henry Ford went public with the information, it's doubtful that they did use it, for several reasons:

  • HIPAA / HITECH provides safe harbor from the Breach Notification Rule if encryption is used.
  • Under the same, breaches involving more than 500 patients must be made public, leading to widespread PR issues unless encryption is used.
  • They mention password-protection but not encryption.
  • This is Henry Ford's third data breach in a 12-month period.

In other words, Henry Ford has a very clear-cut case for not making the breach public.  And the use of encryption software would have given them the legal option to exercise such a right.  (It should also be noted that it's not just a legal loophole: encryption software really does provide effective data security.)

Let us posit that Henry Ford wanted to notify patients despite using encryption.  I can understand that.  But why do so by airing one's dirty laundry in public, especially when its dirty laundry was aired twice already?  They could just reach the patients directly; certainly, there is nothing in HIPAA / HITECH that prevents them from doing that.

Third Breach

This is Henry Ford's third breach in less than twelve months.

In November of 2010, Henry Ford announced that 3,700 people were affected when a laptop computer was stolen from their offices.  In February of 2011, another 2,777 patients were affected when a USB memory disk went missing.

One would imagine that in the course of nearly one year, Henry Ford would have succeeded in deploying encryption on all computers.  In fact, Henry Ford notes that they "protect our patient health information using a variety of security measures including but not limited to encryption, password authorization and digital signatures."

So, what happened here?  An oversight, where one computer was not encrypted?  Or perhaps the computer that was stolen in this case was a desktop computer?  (Most businesses seem intent on encrypting laptops and other "designed to be portable" devices.  Desktops get stolen, too, you know.)

Regardless of how it happened, I think it's safe to say that Henry Ford really needs to look into this issue of data protection.  An organization can only take so many PR hits.


Related Articles and Sites:
http://www.henryford.com/body_hfh.cfm?id=56405

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.