AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

HIPAA Laptop Encryption: Riverside County Regional Medical Center Loses Laptop

Riverside County Regional Medical Center, in California, has reported the loss of another laptop computer from hospital grounds.  It is the second such incident for 2014 – the first occurring in June and the latest one in December – and yet another episode that could have been prevented with the use of HIPAA-compliant security tools like AlertBoot's web-managed disk encryption software.

Nearly 8,000 Affected

According to abc7.com, the computer was reported missing on December 1st, 2014.  The missing laptop affects nearly 8,000 people who had visited the ophthalmology and dermatology departments between January 2012 and November 2014.

The data included personal information such as names, addresses, SSNs, dates of birth, diagnoses, and health plan numbers.

Laptops Now Being Encrypted

In addition to the above, a hospital representative noted that "there is no reason to believe the laptop's patient-related files were accessed or used in any way" and that "all laptops are now being encrypted to safeguard patient data."

That last statement is a bit nebulous: are laptops now being provisioned with encryption software as a consequence of the latest data breach? (The time elapsed between the breach's report and the date of the article is approximately two months.)

Or is it a continuing effort based on the breach that occurred earlier in 2014?  If the latter, then Riverside can perhaps be excused for the latest incident.  The deployment of encryption solutions across a large swathe of devices is an arduous effort.  Planning, setting requirements, piloting solutions, more planning, finalizing the procurement process, and then actually diving into the technical deployment itself can take many months.

On the other hand, if Riverside is reacting to the December breach, it provides a reason for less leniency when it comes to public opinion: why did they wait for a second data breach to conclude that they needed laptop encryption?  Did they think that the first data breach was an accident?

Ignoring Encryption in California Not a Good Idea

If you are a HIPAA covered entity, it's a bad idea not to encrypt laptops and other digital data storage devices (unless it's technically impossible to do so, which is itself a virtual impossibility in this day and age: data security concerns are so high that devices now come pre-encrypted).  This is because HIPAA/HITECH provides a way out from reporting data breaches if the lost data happens to be encrypted.

Not using encryption, however, is a doubly senseless attitude if you happen to be in California, which is arguably the state with the most stringent data security and data breach laws.  Again, the use of encryption provides safe harbor.

Under the circumstances, the use of encryption on laptops is a no-brainer: you know there's a security problem (the first laptop theft proved that), and you know that, short of locking down the hospital, the odds of another similar incident occurring are anything but 0%.  The only logical move is to encrypt, especially when the law is incentivizing you to do so.

Related Articles and Sites:
http://www.phiprivacy.net/missing-riverside-county-regional-medical-center-laptop-may-have-held-data-on-7900-patients/
http://abc7.com/news/missing-hospital-laptop-contained-data-of-7900-patients/496800/
 
About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.