Minnesota Senator Al Franken (and former SNL alum) is considering legislation, at the state or federal level, that would require the encryption of laptops containing private medical information. In other words, a solution like full disk encryption from AlertBoot.
Consequence from Accretive Health Data Breach
Various sources, including washingtonexaminer.com, are reporting that Sen. Franken has expressed his interest in pursuing “legislation or federal regulations requiring encryption of all laptops containing private medical information” after he questioned executives from Accretive Health and Fairview Health Services.
I’ve pointed out many times in the past that current legislation does not mandate the use of encryption software when it comes to securing sensitive medical data. Even HIPAA, as amended by HITECH, only strongly recommends its use.
In reality, HIPAA / HITECH mandates the use of encryption, but in name only. You’d think this would prompt everyone to use encryption, but no; when you leave some wiggle room, you always get people who try to squeeze through it. Which is why the Department of Health and Human Services — charged with enforcing HIPAA — should just come out and make it mandatory. I mean, why are they not taking the ultimate logical step?
Well, honestly, I can see how cost would be an issue, especially for the smaller organizations and private practitioners. But, then, it’s not the Department of Health, Human, and Hospital Finance Services, is it?
Will It Help, Though?
The problem with requiring the use of laptop encryption on all portable computers? It’s not a silver bullet:
Sen. Franken asked numerous questions about the stolen laptop and other missing laptops reported by Accretive. All but one laptop was encrypted, Accretive replied, and that was due to the oversight of a single employee in its IT organization who has since been fired. Accretive has put into place new policies and procedures to insure redundancy to make certain all laptops are encrypted. [insidearm.com, my emphasis]
Of course, one has to wonder whether Accretive is telling the truth. After all, honest companies don’t get roasted by a Senator and draw the wrath of the state Attorney General. On the other hand, verifying the veracity of the statement wouldn’t be hard (at least, not with a solution like AlertBoot, where you get real-time laptop encryption status reports), so I can’t imagine Accretive being less than forthright on this matter.
On the other other hand, what are the chances that the one laptop that was not encrypted happened to be the one that got stolen? (As my stats professor used to say, probably low but not entirely impossible.)
But that’s not the point. The point is, a mandate that all medical laptops be protected with whole device encryption does not guarantee that data will be protected. You can have mistakes like the one above, or companies that outright ignore the law.
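As an added illustration (not AlertBoot’s or Accretive’s code) of the “redundancy” check that would have caught the one overlooked laptop: reconcile the asset inventory against the encryption status reports, so that any laptop that never reported, reported unencrypted, or stopped reporting gets flagged. The CSV data, asset ids and the 7-day staleness threshold are constructed for this example.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed asset inventory: every laptop the organisation owns.
INVENTORY = """asset_id,owner,department
LT-0001,alice,billing
LT-0002,bob,billing
LT-0003,carol,it
LT-0004,dave,clinical
"""

# Constructed encryption status reports, one row per agent check-in.
STATUS_REPORTS = """asset_id,encrypted,reported_at
LT-0001,yes,2012-05-01T09:00:00
LT-0002,no,2012-05-01T09:05:00
LT-0003,yes,2012-03-15T12:00:00
LT-0001,yes,2012-05-02T09:00:00
"""

def latest_reports(text):
    """Keep only the most recent report per asset."""
    latest = {}
    for row in csv.DictReader(StringIO(text)):
        ts = datetime.fromisoformat(row["reported_at"])
        cur = latest.get(row["asset_id"])
        if cur is None or ts > cur["reported_at"]:
            latest[row["asset_id"]] = {"encrypted": row["encrypted"].lower() == "yes",
                                       "reported_at": ts}
    return latest

def reconcile(inventory_text, reports_text, now, max_age=timedelta(days=7)):
    """Map asset_id -> reason for every inventoried laptop that is not provably encrypted."""
    latest = latest_reports(reports_text)
    findings = {}
    for row in csv.DictReader(StringIO(inventory_text)):
        aid, rep = row["asset_id"], latest.get(row["asset_id"])
        if rep is None:
            findings[aid] = "no status report"      # never enrolled: the overlooked laptop
        elif not rep["encrypted"]:
            findings[aid] = "reported unencrypted"
        elif now - rep["reported_at"] > max_age:
            findings[aid] = "stale report"          # cannot vouch for its current state
    return findings

def example_findings():
    """Run the reconciliation over the constructed data as of 2012-05-03."""
    return reconcile(INVENTORY, STATUS_REPORTS, datetime(2012, 5, 3, 12, 0, 0))

if __name__ == "__main__":
    for aid, why in sorted(example_findings().items()):
        print(f"{aid}: {why}")
```

Only LT-0001 passes: it has a recent report saying it is encrypted; the other three are exactly the gaps a mandate on paper does not close.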
And yet it’s the only logical step to take. Encryption is a de facto requirement under HIPAA. And, while not the perfect weapon against data loss, the use of encryption does reduce data breaches: it is almost 100% effective when it comes to stolen or missing laptops, which account for over half of all data breaches reported to the HHS that involve more than 500 people.
P.S. – As an aside, does the Washington Examiner think this is a joke? Why would their article on Sen. Franken’s desire for mandatory laptop encryption pop up under “entertainment”?