As the deadline for complying with the HIPAA Final Omnibus Rule looms ever closer, experts are weighing in with their opinions. The site healthcare-informatics.com has published an interview with a lawyer who notes that forensics is one of the most difficult elements of dealing with a PHI data breach and that “federal officials are very open about the fact that these heavy penalties are intended to promote encryption.”
Proof of No Breach
In the interview with healthcare-informatics.com, Kathryn Coburn, a lawyer, noted that one of “the most difficult elements [in addressing a data breach] is the forensics” and gave the following example (my emphasis):
[M]aybe you had 40 laptops that were stolen from a facility [that didn’t get out of the building and were eventually recovered]…you have to figure out whether someone looked at the PHI. In many cases, you can prove that nobody looked at them, in many cases, and then you don’t have to give any notice of breach…. It’s easy to say the information wasn’t compromised, but if you can’t prove it, you’re still going to have to give notice of breach.
This is probably an oft-overlooked requirement, and possibly the leading reason why a HIPAA covered entity will announce a data breach even when it claims its PHI was protected with encryption software. (The other leading reason would be finding that the encryption used did not meet HIPAA's standards, which are essentially NIST's standards.)
Under HIPAA you must document your reasons for an action. For example, you're not required to use encryption software to protect PHI stored on a laptop. However, you must have a very good reason for not doing so…and that reason must be documented. Remember, under the Security Rule, HIPAA makes encryption an addressable implementation specification, not a required one. There's very little you do not document under the Security Rule.
But the question remains: even if you have encryption installed on a computer – and one that NIST has validated as conforming to its standards – how do you prove that the computer was not accessed between the time it was stolen and the day it was recovered?
With a solution like AlertBoot Full Disk Encryption, it's quite simple: you run a report. Although AlertBoot FDE is a cloud-managed FDE service, the cloud portion is used only for installation, deployment, and management. The encryption itself is free-standing, meaning it works regardless of whether the computer is connected to the internet. The date and time of each attempt to log into the computer is also tracked, along with whether the attempt succeeded.
This data, together with the fact that AlertBoot is a third party that holds it, addresses most of the objections a covered entity would face, including the possibility that the access records were altered after the fact.
Penalties are Intended to Promote Encryption
One of the more eye-opening remarks was the following Q&A:
It seems that the number of breaches is growing significantly.
Oh yes, it’s dreadful. That’s why encryption is so important. And federal officials are very open about the fact that these heavy penalties are intended to promote encryption. And they don’t refer to any specific type of encryption; they do refer to the NIST [National Institute of Standards and Technology] standard.
Of course, I've noted before that the HIPAA OCR Director said "we love encryption, and those who use encryption love it, too."
Regardless, to find a lawyer going on record saying that heavy penalties are there to promote encryption is a bit shocking. It makes me wonder why the government is going about it in such a roundabout way. Why not just require encryption? Wouldn't that be easier?
And more effective, too.