HIPAA encryption software: although HIPAA does not require the use of data encryption, its rules make it impossible not to use it when dealing with electronic PHI (ePHI). And the Final Omnibus Rule was changed so that business associates and their subcontractors are liable for breaching ePHI if encryption is not used.
And for a good reason, as the following story shows.
Indiana Family and Social Services Administration Data Breach: 188,000 Clients
A number of websites are reporting that the Indiana Family and Social Services Administration (FSSA) has experienced a data breach. A total of 187,533 people are being notified that their personal information may have been disclosed “as a result of a computer programming error by a business associate” (databreachtoday.com) and approximately 4,000 SSNs may have been compromised.
Also potentially compromised: names, contact information, case numbers, dates of birth, gender, race, medical information, financial information, and other data.
Seeing how the FSSA is in charge of Indiana’s Medicaid program and also coordinates a number of medical services, it’s surprising that the damage wasn’t greater.
Obviously, this is one of those instances where the use of encryption wouldn’t have helped. Indeed, it’s hard to believe that any type of data security software could have prevented its occurrence (which, according to databreachtoday.com, could be the largest data breach of 2013).
Yes, it’s a different beast from the other data breach the FSSA experienced in 2012, when a laptop with PHI on 757 people was stolen.
A Matter of Controlling (Not Eliminating) Risk
The truth of the matter is that sometimes a data breach will take place, regardless of how much security you have in place. It could be due to a software bug. Or because the person you trusted decided to ignore computer usage policies, such as leaving the office with a laptop that contained sensitive data. Or because your antivirus was not up to date.
The ways to a data breach are myriad. The point of data security software and tools, though, does not lie in eliminating data breaches. The point is to reduce the risk to an extent that it won’t be a problem (or at least, not too problematic).