AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

HIPAA PHI Encryption vs. Safes: Kmart Burglary Breaches Pharmacy Data

One of the puzzling aspects of the HIPAA Security Rule is that the use of HIPAA data encryption is not a requirement. Rather, it's classified as an "addressable" implementation specification. This means that PHI encryption is "optional" only in the sense that you can opt to use some other safeguard that is as good as encryption.

In other words, you've still got to protect the PHI at a level that compares to (or is stronger than) AES 128 encryption. But, in a world where you already have encryption, why would you opt for something other than encryption? Especially when that alternate protection does not afford you safe harbor from the HIPAA/HITECH Breach Notification Rule?

For example, let's say that you opt to lock up an external hard drive in a safe instead of encrypting it, which could be a perfectly good way of complying with the Security Rule (I write "could" and not "would" because I don't know whether this is true. I am unaware of HHS/OCR giving its official imprimatur on the practice).

What could go wrong, right?

Kmart Burglarized, Has Data Breach

According to lehighvalleylive.com, a Kmart in Wind Gap, Pennsylvania experienced an unusual type of data breach on January 4. A man robbed the retailer at gunpoint and,

    ...left with more than cash.
    A bag stolen from a safe contained money and electronic media that backed up the store pharmacy's computer system, the retailer said today.
    The media contained confidential information related to customer prescriptions: names, addresses, dates of birth, prescription numbers, insurance cardholder IDs and drug names.
    A relatively small number of those prescriptions may have included customers' Social Security and/or driver's license numbers.

Kmart has already contacted affected clients about the data breach. Now, had the backup "electronic media" been protected with HIPAA-compliant encryption, the company wouldn't have had to do that.

Nor would they face the possibility of getting sued over the data breach (which Kmart will probably be able to get summarily dismissed in the courts, if rulings over the past five years are indicative of anything).

Nor would they have to submit themselves to an HHS/OCR investigation into the incident.

PHI Encryption: The Carrot and the Stick

It's commonly noted that HIPAA covered entities should seriously consider the use of encryption. The problem with this attitude is that it doesn't really mesh with the spirit of HIPAA. When it comes to ePHI data security, encryption software should be the default and not the fallback option. It's when looking to secure ePHI in some other way that one should seriously consider the ramifications.

Related Articles and Sites:
http://www.phiprivacy.net/pa-wind-gap-kmart-reports-prescription-data-breach-following-armed-robbery/
http://www.lehighvalleylive.com/slate-belt/index.ssf/2014/02/wind_gap_kmart_reports_prescri.html

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.