Device Encryption Is Optional Under HIPAA – Until Something Gets Stolen.

It is a glorious evening in Boston, and I see here in the news that McKesson, a pharmaceuticals distributor in the United States, had two computers stolen on July 18.  The computers had confidential patient data in them.


While this was reported earlier this morning on Fox news, it looks like it is hitting the mainstream media just now.  McKesson is not releasing a lot of information, since they still have an investigation underway.  However, the Associated Press reports that spokesman James Larkin has stated that the company is “not at risk of having violated the terms of a complex US law known as the Health Insurance Portability and Accountability Act, or HIPAA.”


Based on the above statement, some people have commented that it sounds as if the stolen devices might have been encrypted prior to the theft, despite the fact that Larkin declined to confirm it.  That could be the case.  However, in the HIPPA, encryption is an optional safeguard.  As long as there are other safeguards in place, there is no requirement to encrypt the data.  This is surprising, since HIPAA security measures seem to govern a wide scope of instances where patient data might be revealed to unauthorized people, even those instances one doesn’t think of as a security breach.  This includes whether computer screens are oriented correctly so that passers-by cannot gain unauthorized access to patient data by glancing at the screen.


Since encryption of the devices is not technically a requirement under HIPPA, I would opine that the lack of confirmation by Mr. Larkin is a signal that the company took the less intensive route.  Only time can tell.


The patients who potentially could have been affected by this incident were already notified.  Indeed, this is how the rest of the world found out about it.  The magazine Information Week was able to report about it by quoting parts of the letter that McKesson sent to one patient.


So, why did McKesson have this confidential patient data?  After all, it’s a distributor as opposed to, say, an HMO.  Turns out McKesson was helping another company in the administration of supplying medication to low-income patients.  McKesson declined to identify the company in question.  The world will probably find out anyway.  Despite the fact that the data breach happened under McKesson’s oversight, there are regulations in certain states that the companies with a direct relationship with the people affected are liable for the security breach.


With so many high-profile security breach incidents over the past couple of years, one wonders why aren’t companies doing more to make sure that their devices are protected.  After all, theft is not something new.  People steal from their offices all the time.  Granted, usually we’re talking about pens and paper clips.  I’ve heard of instances where phones were stolen.  But the thing is, as long as something is not bolted down to the office floor, there is always a possibility of it being stolen. And let’s remember, laws were passed as a direct result of security breaches and data theft.  For goodness sake, is the world trying to tell me that sometimes the government acts faster than the corporate world?


Perhaps these companies are procrastinating in implementing security policies because of the cost.  Others might be leery about the implementation of such security measures.  After all, encrypting one device is simple.  Encrypting all the devices in a corporation is a different story.  Plus, ensuring that only certain people can access select devices could be a logistical nightmare.  But it need not be. 


Solutions offered by AlertBoot can easily be implemented in record time.  And compared to the ramifications of a security breach, AlertBoot is a cost effective solution:  McKesson ended up creating a hotline for disaffected patients (that’s beaucoup money) and a year of free credit reporting.  If history is any indication, it might be bumped up to multiple years.  Either way, with thousands of people affected, it’s not going to be cheap.  Will there be any federal and civil lawsuits? 


I’m sure that this story will continue to evolve.

Comments (0)

Let us know what you think