HIPAA Encryption: Netbook Causes Data Breach At Caledonia Home Health Care & Hospice.

Netbooks.  They went the way of the dodo bird when Apple’s iPad made its debut to cheers as well as jeers (I remember how everyone kept saying it was just a humongous iPhone.  I guess Jobs showed them).  And while netbooks might be the ugly duckling that never became a swan, there are millions of these devices out there.

Including at least one at Caledonia Home Health Care & Hospice (or rather, I know they used to at least have one…because it got stolen).  The device that had been issued by Caledonia, which I assume is a HIPAA covered entity, was not protected with HIPAA-compliant encryption software.

Nurse’s Home Broken Into

According to the breach notification letter from Caledonia, patient information was lost when a “work issued netbook” was stolen from a nurse’s house.  The device contained PHI, including Social Security numbers.  The police were notified of the theft.

The netbook was password-protected, and it appears that the file holding the PHI was password-protected as well.  Unfortunately, password protection on its own isn’t considered real protection when it comes to digital data, and it definitely does not qualify for safe harbor under the HIPAA Breach Notification Rule.

HIPAA Encryption: Breach Notification Rule, Fines Driving It

Over the past couple of years, many HIPAA covered entities (and their business associates, or BAs) have increasingly begun to deploy encryption software to protect the data on their laptops and external hard drives.  This is despite the fact that computers like laptops have been used in medical settings for decades.  What’s driving this sudden interest in encryption?

Sadly, it’s not patient protection; if that were the case, encryption software would have been in use by most medical organizations decades ago.  Rather, the impetus lies in self-preservation: the Department of Health and Human Services has basically made it impossible not to use it.

First, it has essentially admitted that only encrypted data will be thought of as “protected ePHI.”  While the HHS keeps stating that covered entities and BAs are not required to use encryption, regulation such as the Breach Notification Rule makes it practically impossible to go without it.

Second, the HHS has begun to wield its power to hand out fines.  With up to $1.5 million as a potential penalty, hospital administrators are beginning to take notice.

Sometimes You Just Can’t Do It

The thing is, sometimes you just can’t protect a device even if you want to, and I guess that most netbooks fall into this category.  Apple’s iPads and their Android brethren are designed with security in mind.  Same goes for smartphones.

Computers are not really designed with security in mind, but third-party software does an admirable job, especially now that hardware power has increased.

Netbooks, on the other hand, are underpowered laptops (which, remember, were not really designed with security in mind).  Because they have been hamstrung hardware-wise, encryption software may directly compete for computing resources, slowing the device down to the point where it’s less than useless.  (What’s worse than a computer that’s about as useful as a doorstop?  A computer that’s about as useful as a doorstop and is running hot.)

What this means is that hospitals that made the decision (terrible, in hindsight) to buy netbooks could be caught in a bind: they have a resource they have to use, but they can’t use it if they encrypt it.

There are only two solutions to this dilemma: either retire the machines or use an encryption solution that won’t bog down the netbook.
