The Delaware branch of Nemours Foundation, which operates the Alfred I. DuPont Hospital for Children among other establishments, has announced the loss of three backup tapes with information on 1.6 million patients. The tapes were not protected with tape encryption software, the same technology that powers AlertBoot’s own disk encryption suite.
The loss of the tapes, which I’m assuming to be a HIPAA breach, will be third largest since the Breach Notification Rule came into effect in September 2009.
Locked Cabinet Missing
According to Nemours’s press release:
The information on the tapes dates principally between 1994 and 2004 and relates to approximately 1.6 million patients and their guarantors, vendors, and employees at Nemours facilities in Delaware, Pennsylvania, New Jersey and Florida. The missing backup tapes contained information such as name, address, date of birth, Social Security number, insurance information, medical treatment information, and direct deposit bank account information.
Encryption software was not used to protect the contents of these tapes, which, as you can see above, contained data that covered ten years. One might wonder, what were they thinking? The answer, as it turns out, is not “they weren’t.” Rather, they were, for the lack of a better way of saying it, practicing security as defined under HIPAA before the HITECH Act.*
It turns out, the tapes were protected. They were stored in a locked cabinet The cabinet (and the tapes) were reported as missing on September 8, 2011. It is believed that the cabinet was removed during a remodeling project in August.
The use of physical processes to secure data is still allowed (nay, encouraged) under HIPAA. However, the HITECH amendments to it have raised the bar to use extra protection. Experts agree this “extra” is encryption: it’s the only way to get some wiggle room from the Breach Notification Rule. This rule states that people whose protected health information (PHI) were breached need to be notified of this fact, among other requirements, such as alerting the HHS immediately of a breach if it affects more than 500 PHI records.
Based on the HHS’s “wall of shame”, it looks like the above will be the third largest breach since the Department of Health and Human Services began to track PHI breaches in September 2009.
* Which makes sense. Seeing how the records only go up to 2004, the security practices would reflect the rules governing patient data protection in or before 2004. HITECH went into effect in 2009.
Why does one get safe harbor from the Breach Notification Rule if encryption is used? The answer probably lies in the fact that encryption is a pretty good way of preventing unwanted access to data. And, unlike password-protection, it has serious teeth behind its security.
How serious? In Windows, you can literally overcome password-protection in a matter of minutes if you’re willing to get your hands dirty. If your desired level of physical exertion involves a couple of clicks on the mouse and inserting a CD, it might take you maybe 10 minutes. But encryption?
It’s estimated that in order to break 128-bit AES, you’d need all the computing power in the world and chug numbers for at least a couple of centuries to even begin talking about making a dent. That’s pretty strong.
Of course, it could also be some kind of apocryphal story based on lots of flawed assumptions and back of the envelope calculations. On the other hand, the National Institute of Standards and Technology (NIST) published in 2007 that 128-bit AES encryption and its equivalents will protect data beyond the year 2030. It pales in comparison to a couple of centuries, but I’d take it over a couple of minutes any day (notice, though, that 200 years from now lies beyond 2030).
Plug: AlertBoot uses 256-bit AES encryption for its computer disk protection. Not too shabby.
Related Articles and Sites: