AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

HIPAA Disk Encryption: Why Would You Authorize Employees To Work From Home Without Encrypting Patient Data?

According to wreg.com, patients at the Boston Baskin Cancer Foundation recently learned they were potential victims of a data breach. This is one of those cases where one is left wondering if administrators thought things through: HIPAA encryption software was not used on a data storage device that held six years' worth of patient data; however, the employee at the center of this data breach was authorized to take the data home.

Home Burglary

BBCF's incident description is as follows:
When the home of an employee was burglarized and an external hard-drive containing patient and employee data was stolen, in addition to many of the employee’s own personal electronics. The employee was properly authorized to work on the data at home as part of his job. However, the hard-drive was not encrypted.
On the one hand, it's great that they plainly describe what happened.  So many companies engage in verbal jujitsu when it comes to notifications, possibly as a means to confound people who would like to know what is going on exactly.  BBCF should be praised for their forthright demeanor.

On the other hand, one should be incensed! What kind of HIPAA covered entity goes around authorizing take-home projects while not providing adequate data security? We here at AlertBoot come across clients who feverishly need to deploy web-based encryption software on their laptop computers. However, they demur when asked if they want to do the same for their desktop computers. The idea is that desktop computers are not prone to a breach because no one in their right mind would go about with one. This train of thought indicates that most of our clients are afraid of thefts or losses occurring outside the workplace.

Apparently, BBCF didn't think PHI (protected health information) outside the clinic's physical security perimeter could pose a problem.

Wayward Employee Behavior

Or, perhaps they did. What the breach notification does not mention is whether the employee fully followed the organization's computer usage policy. For example, suppose the employee was given approval to take sensitive data home on the condition that it be encrypted. The employee promises to do so but doesn't. Such a scenario wouldn't be out of the question in the modern office.

Indeed, certain surveys hold the so-called "internal attack" (that is, a data breach caused by non-outsiders, regardless of whether it was accidental or otherwise) as being one of the top three reasons for a data breach.

Related Articles and Sites:
http://www.databreaches.net/tn-boston-baskin-cancer-foundation-patients-and-employees-notified-of-stolen-hard-drive/

http://wreg.com/2015/02/03/cancer-patients-personal-information-stolen-from-local-clinic/
 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.