Disk Encryption: Biannual Healthcare Survey Shows Jump In Electronic Device Data Breaches.

A survey by the Healthcare Information and Management Systems Security (HIMSS) organization shows that US healthcare organizations are experiencing increased patient data breaches, fed by the introduction and growth of electronic records.  The use of full disk encryption software like AlertBoot can counter such malignant developments, seeing how laptops and other portable devices account for 22% of the breaches.


Managed Disk Encryption for Healthcare: Something Not to be Ignored



According to the survey of 250 healthcare organizations, breaches over the past year broke down into the following (numbers in parentheses, where available, provide a contrast to the 2010 results):




  • 40% – The improper disposal of paper records, such as “improper destruction”


  • 22% (10%) – Loss of data on laptops and handheld devices


  • 10% (6%) – Breaches by third-party vendors


  • 3% – Outside network attacks

Further questions showed the growing significance of electronic devices in healthcare when it comes to patient information breaches: in 2008, 2010, and 2012, respectively, the percentage of respondents indicating that portable devices would be the most likely to contribute to a breach increased from 4% to 20% to 31%.


One of the easiest ways to comply with the HITECH Act that amended HIPAA is to use encryption software to protect PHI data.  However, just like you have numerous types of vehicles that are right for the job (for example, you wouldn’t call for a tow truck to transport a patient over an ambulance), there are different types of encryption depending on what you’re trying to protect.


For example, file encryption protects files one at a time.  If there are three files and you need access to one file, you only decrypt the one and the other two remain encrypted.  Because the protection is at the file level, the information stays encrypted if you copy the file to another computer, send it by email, copy it to a backup tape, etc.


However, if you have hundreds of files to encrypt, then it might make sense to just encrypt your entire computer.  That’s the idea behind hospital disk encryption: just encrypt the computer’s entire drive and you’re set.  The added convenience, though, comes at a price: because the files are only protected while in that protected disk, copying and emailing files off the encrypted disk means the information is not encrypted anymore.


Which is Better?  File or Disk Encryption?



Which is better?  I think most would maintain that full disk encryption is better for a number of reasons:



(a) There’s no guarantee that you won’t forget to encrypt a particular file.  With disk encryption, there is no such concern.  Either the entire disk — and its files — are encrypted or they’re not.  With file encryption alone…well, out of the 500 files you have, are you sure that each one is encrypted?


(b) There are more cases of devices being lost or stolen than files being sent to completely unauthorized people. Under HIPAA, emailing a patient’s files to the wrong doctor is a data breach.  So is a nurse looking up medical information on patients not under his or her care (people have been fired for that).  But, it’s not as big a calamity as sending a patient’s data to a totally random guy, such as the bartender at your local drinking hole.  How many such instances have occurred?  It happens almost never.  How many laptops go missing while in the care of hospital employees?  I can’t give you a nominal number, but in 2011-2012, they accounted for 22% of all breaches.


(c) Temporary files are created and never deleted.  The temp files I refer to here are ones created by a computer system during its ongoing operations.  These are not directly created by people.  Since the system creates them, the system is also supposed to get rid of them…but it doesn’t always work that way.  And, their contents can be easily searched.


But, it’s still a tough call.  Like I noted before, you need to get the right one for you.  The best, without a doubt, is to use both of them.  Use disk encryption as a security foundation — to deal with the outcome of harried, forgetful employees, temp files, etc. — and use file encryption on those digital documents that you’re absolutely certain require encryption.
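Points (a) and (c) above can be checked rather than assumed. The following is an added example, not code from the original post or from any product it mentions: a Python audit that walks a folder and flags files whose contents look like plaintext, using byte entropy as the test. The 7.5 bits-per-byte threshold, the file names and the sample data are all assumptions made for illustration, and compressed formats (ZIP, JPEG) also score high, so an "encrypted" verdict is only a hint.

```python
import math
import os
import tempfile
from collections import Counter

THRESHOLD = 7.5      # bits/byte; assumed cut-off, ciphertext sits near 8.0
MIN_SAMPLE = 4096    # smaller samples give unreliable entropy estimates
SAMPLE_BYTES = 65536

def entropy(data: bytes) -> float:
    # Shannon entropy of data, in bits per byte.
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def audit(root: str) -> dict:
    """Sort files under root into likely plaintext, likely encrypted, too small to judge."""
    report = {"plaintext": [], "encrypted": [], "undetermined": []}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with open(path, "rb") as fh:
                    sample = fh.read(SAMPLE_BYTES)
            except OSError:
                sample = b""   # unreadable: falls through to "undetermined"
            if len(sample) < MIN_SAMPLE:
                report["undetermined"].append(rel)
            elif entropy(sample) < THRESHOLD:
                report["plaintext"].append(rel)
            else:
                report["encrypted"].append(rel)
    return {k: sorted(v) for k, v in report.items()}

def demo() -> dict:
    """Build a constructed folder: one 'encrypted' file, one forgotten file, one temp file."""
    with tempfile.TemporaryDirectory() as root:
        rows = b"".join(b"%05d,constructed patient,2012-04-13\n" % i for i in range(400))
        samples = {
            "chart_001.enc": os.urandom(16384),   # random bytes stand in for ciphertext
            "chart_002.csv": rows,                # file someone forgot to encrypt
            "~chart_001.tmp": rows[:8192],        # plaintext temp copy left behind
            "note.txt": b"short",                 # too small to classify
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return audit(root)

if __name__ == "__main__": print(demo())
```

On a folder protected only by file encryption, anything listed under "plaintext" is a file that would be readable if the device were lost; with full disk encryption underneath, the same files are still covered while they stay on that disk.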



Related Articles and Sites:
http://www.networkworld.com/news/2012/041312-hospital-data-breaches-258270.html


