Fort Worth Allergy and Asthma Associates spent $15,000 to contact patients after a June burglary involving office computers. Had they used disk encryption, this expense would have been unnecessary. The cost seems to include something in addition to actual postage.
Office Door and Password Protection Were the Only Security
The breach was discovered when employees of the clinic found that the door to the clinic had been kicked in and four computers were missing. The computers contained patients’ personal information, including SSNs, addresses, and dates of birth, and, while unmentioned, most probably patients’ names.
Password-protection was used to secure the information. However, as I’ve already noted repeatedly in this blog, password-protection, unlike encryption software, offers more in terms of psychological reassurance than actual security.
Which is why HIPAA regulations offer safe harbor if encryption is used to secure patient data, but require that patients be contacted if it’s not used (including instances where password protection was used to “secure” the data).
I notice that the breach does not show up at the HHS’s site for breaches involving 500 or more patients, although this breach involved 25,000 people.
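To make the password-protection-versus-encryption distinction concrete, here is an added illustration (not code from the original post or from any product it mentions). It models two ways of storing a patient record: behind a login check with the record itself written in the clear, and encrypted at rest under a key derived from a passphrase. The SAMPLE_RECORD, the passwords, and the store classes are constructed for this example; the SHA-256 counter-mode keystream is a stand-in for a real disk cipher such as AES-XTS and carries no integrity protection, so it is for demonstration only.

```python
import hashlib
import hmac
import os

# Constructed sample record, modelled on the data types named in the post.
SAMPLE_RECORD = b"name=Jane Doe;ssn=123-45-6789;dob=1970-01-01;addr=1 Main St"

KDF_ITERATIONS = 100_000


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Derive a 32-byte key from a passphrase with PBKDF2-HMAC-SHA256 (stdlib)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               KDF_ITERATIONS, dklen=32)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream.

    Illustration only: it shows that ciphertext reveals nothing without the key,
    but it has no integrity protection. Real disk encryption uses AES-XTS or
    similar via BitLocker, FileVault, LUKS or a managed product.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class PasswordProtectedStore:
    """'Password protection': a login check in front of plaintext on disk."""

    def __init__(self, password: str, record: bytes) -> None:
        self.salt = os.urandom(16)
        self.password_hash = derive_key(password, self.salt)
        self.disk = record  # the record itself is written in the clear

    def read(self, password: str) -> bytes:
        if hmac.compare_digest(derive_key(password, self.salt), self.password_hash):
            return self.disk
        raise PermissionError("wrong password")

    def raw_disk(self) -> bytes:
        # What a thief sees after pulling the drive and mounting it elsewhere:
        # the login check never ran, so this is the plaintext record.
        return self.disk


class EncryptedStore:
    """Encryption at rest: the disk holds only ciphertext; the key is never stored."""

    def __init__(self, passphrase: str, record: bytes) -> None:
        self.salt = os.urandom(16)
        self.nonce = os.urandom(16)
        self.disk = keystream_xor(derive_key(passphrase, self.salt), self.nonce, record)

    def read(self, passphrase: str) -> bytes:
        # A wrong passphrase yields a wrong key and therefore garbage, not the record.
        return keystream_xor(derive_key(passphrase, self.salt), self.nonce, self.disk)

    def raw_disk(self) -> bytes:
        return self.disk


def record_exposed_on_raw_disk(store, sensitive: bytes) -> bool:
    """True if the sensitive field is readable straight off the stolen disk."""
    return sensitive in store.raw_disk()


if __name__ == "__main__":
    ssn = b"123-45-6789"
    pw_store = PasswordProtectedStore("hunter2", SAMPLE_RECORD)
    enc_store = EncryptedStore("correct horse battery staple", SAMPLE_RECORD)
    print("password-protected disk exposes SSN:", record_exposed_on_raw_disk(pw_store, ssn))
    print("encrypted disk exposes SSN:", record_exposed_on_raw_disk(enc_store, ssn))
```

The point the two raw_disk() calls make is the one the safe-harbor rule rests on: a login prompt only matters while the operating system is the thing reading the disk. Once the drive is in a thief’s hands, the password check is simply not in the path, and the record is as readable as any other file; only the encrypted store leaves nothing usable behind.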
Cost of Mailing Exceeds Replacement Costs
$15,000 was used to contact the 25,000 patients. If you do the calculations, it comes out to $0.60 per person. With first-class postage at $0.44, it looks like something more than postage was involved in the costs. Assuming that the actual postage was $0.44 per letter (which translates to $11,000), it means that an extra $4,000 was used on something else.
Turns out that the clinic outsourced the task of addressing all the letters. While $4,000 sounds like a steep price to pay for essentially uploading a database to a server and then having addresses printed to individual envelopes, that’s the price you pay for having to finish a task quickly.
Dr. Robert Rogers at the clinic noted that “the cost of doing the mailing is more than [the] cost of replacing the equipment.” Well, that’s the power of Moore’s Law, although that’s neither here nor there.
Updating Security – Using the Cloud
Like I noted at the beginning, the clinic should have used encryption to ensure that it had proper data security. Did the clinic do so afterwards, lessons learned and all that jazz?
Not quite. The clinic decided to store all patient information at an off-site location, only accessing the information via an encrypted VPN. In other words, they decided to go with a cloud solution.
This is a smart move and yet there is room for concern. Using the cloud means the clinic is protected in the event a similar break-in happens in the future. On the other hand, a breach at the data host could affect the clinic (it’s been known to happen, such as this one in Chicago).
If you are going with a cloud-based solution, I’d recommend that you do at least the following:
If possible, check out the facilities personally, paying attention to the physical location (i.e., neighborhood). Remember, a picture may be worth a thousand words, but both can be manipulated.
Find out what kind of physical security they have in place. To me, a solid door is much more impressive than biometric or electronic card access schemes (consider the kicked-in door above).
See if servers are encrypted. If someone manages to pull the Chicago-stunt I covered above, encryption will be your last line of defense (but then again, it always is).
Of course, using the cloud doesn’t necessarily mean you’ve got to store your data “out there” in cyberspace. For example, you could use the cloud and still retain control of your data. A service such as AlertBoot uses the cloud for managing encryption for your laptops.
So you combine an easier way of installing and administering encryption on your computers with never having to wonder “who else but me has access to my data?” With AlertBoot, the answer is: no one but you.