A dental practice in Florissant (a suburb of St. Louis, Missouri) has revealed that a recent data breach could involve 10,000 people. The medical data breach was possible because the laptops stolen during a burglary were not secured with patient data encryption software.
Those Affected Are Mostly Teenagers; Only Password Protection Was Used
According to stltoday.com, an attorney representing the orthodontist’s office confirmed that “extensive investigation[s]” had to be performed to determine who was affected by the burglary, although he did mention that “most of the patient[s] were probably teenagers,” which makes sense when you consider who generally gets orthodontic treatment (think: braces).
HIPAA rules do not discriminate based on age, however. Since the computers were not protected with disk encryption software but only with password protection, Olson & White are forced to report the data breach not only to patients but also to the Department of Health and Human Services (HHS). A login password is an access-control gate, not protection for the data at rest: a thief who pulls the drive out of the laptop, or boots it from a USB stick, reads the files directly, so the password is bypassed rather than “cracked.” Because more than 500 people are affected, HHS must be notified at the same time as the individuals (without unreasonable delay, and no later than 60 days after discovery), and the Breach Notification Rule also requires notice to prominent media outlets serving the affected area.
Why does the use of encryption software give a medical organization a way out of reporting a data breach? Legally, it is because the Breach Notification Rule (found under the HITECH amendments to HIPAA) applies only to “unsecured” PHI: PHI encrypted in line with HHS guidance (which points to NIST SP 800-111 for data at rest) is not considered unsecured, so its loss is not a reportable breach, provided the decryption key was not compromised along with it.
From a technical standpoint, it is because encryption is one of the best ways of protecting digital information. A strong, standard cipher such as AES with a 256-bit key cannot be brute-forced with any existing or foreseeable computing resources, and decades of public cryptanalysis, which continues today, have found no practical attack on it. Under the circumstances, full-disk encryption can prevent data on stolen or lost laptops from falling into the wrong hands, with two caveats a practitioner should keep in mind: the protection is only as good as the key, so a weak passphrase, or a recovery key taped to the laptop or stored on the same drive, undoes it; and disk encryption protects data at rest, so a machine stolen while powered on or merely suspended, with the key still in memory, is not covered in the same way.
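To make the difference between “password protection” and encryption at rest concrete, here is an added Go example. It is not code from the original article and not AlertBoot’s software; it models the two situations at the level of a single file rather than a whole disk. The PasswordGatedStore and EncryptedStore types, the SamplePHI record, the password “hunter2” and the randomly generated 32-byte key are all constructed for illustration. The point it shows is that the gated store’s raw drive image contains the record verbatim, while the AES-256-GCM image does not, and that a wrong key or a tampered image fails closed rather than yielding garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SamplePHI is a constructed stand-in for one patient record (not real data).
var SamplePHI = []byte("patient=Jane Doe;dob=1998-04-12;treatment=braces")

// PasswordGatedStore models "password protection" without encryption: the login
// check decides whether the application hands the record over, but the bytes
// written to disk are the plaintext itself.
type PasswordGatedStore struct {
	password string
	disk     []byte // what actually lands on the drive
}

func NewPasswordGatedStore(password string, record []byte) *PasswordGatedStore {
	return &PasswordGatedStore{password: password, disk: append([]byte(nil), record...)}
}

// Open is the front door. A thief who pulls the drive never goes through it.
func (s *PasswordGatedStore) Open(password string) ([]byte, error) {
	if password != s.password {
		return nil, errors.New("access denied")
	}
	return s.disk, nil
}

// RawDisk is what an attacker sees after imaging the drive or booting from USB.
func (s *PasswordGatedStore) RawDisk() []byte { return s.disk }

// EncryptedStore models encryption at rest with AES-256-GCM. The bytes on disk
// are nonce || ciphertext || tag; the 32-byte key is held elsewhere (TPM, key
// server, or derived from a passphrase) and is never written next to the data.
type EncryptedStore struct {
	disk []byte
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewEncryptedStore(key, record []byte) (*EncryptedStore, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to dst (the nonce), so the nonce travels with the data.
	return &EncryptedStore{disk: aead.Seal(nonce, nonce, record, nil)}, nil
}

// Open decrypts and verifies; a wrong key or a tampered image returns an error.
func (s *EncryptedStore) Open(key []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(s.disk) < n+aead.Overhead() {
		return nil, errors.New("disk image too short")
	}
	return aead.Open(nil, s.disk[:n], s.disk[n:], nil)
}

func (s *EncryptedStore) RawDisk() []byte { return s.disk }

// LeaksPlaintext reports whether a raw drive image contains the record, i.e.
// whether bypassing the login is enough to read the PHI.
func LeaksPlaintext(disk, record []byte) bool { return bytes.Contains(disk, record) }

func main() {
	gated := NewPasswordGatedStore("hunter2", SamplePHI)
	fmt.Println("password-gated: plaintext on disk =", LeaksPlaintext(gated.RawDisk(), SamplePHI))

	key := make([]byte, 32) // stands in for the volume key; kept off the protected disk
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	enc, err := NewEncryptedStore(key, SamplePHI)
	if err != nil {
		panic(err)
	}
	fmt.Println("encrypted: plaintext on disk =", LeaksPlaintext(enc.RawDisk(), SamplePHI))
	if _, err := enc.Open(make([]byte, 32)); err != nil {
		fmt.Println("encrypted: wrong key ->", err)
	}
}
```

Run it with `go run` and the first line prints `true`, the second `false`. Real full-disk encryption does the same transformation for every sector rather than per file, and the safe harbor discussed above hinges on the key staying out of the thief’s hands, which is exactly what the all-zero “wrong key” call in main models.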
Why Do HIPAA Covered Medical Entities Forgo Encryption?
Simply put, medical organizations balk at encryption because of cost. Not only the financial cost of actually paying for the encryption licenses, but also other costs, such as opportunity costs: on a tight budget, money diverted toward a non-revenue expense like security software could mean giving up on hiring a dental technician or on the latest x-ray machine that could speed up consultations and treatment.
Furthermore, there is the added problem of hidden costs when deploying encryption. Most encryption providers only list the cost of licenses (usually per machine or device to be protected, sometimes per user regardless of how many devices are involved), but the encryption budget also needs to cover things like central management servers, the software those servers need to do their job (the underlying operating system, for example), rack space in a data center, and so on. Hidden costs can also include the hours worked by an IT technician as well as ongoing operational and maintenance costs.
Since a data breach may not hit a medical organization for years, many myopically decide to forgo encryption, thinking that it won’t happen to them, or promising that they’ll do it “soon.”
Of course, it doesn’t have to be that way. AlertBoot FDE complies with HIPAA encryption requirements (namely, it is a NIST FIPS 140-2 validated solution) and states all costs upfront.