The other day I offered a short analysis of 29 new entries to the HIPAA Wall of Shame. Among them, one entry specifically was so large that it overwhelmed the analysis (and led me to ponder whether it should be classified an outlier or not). It was also one of those instances where whole disk encryption like AlertBoot would have prevented a data breach.
So, why wasn’t FDE used? As a story in the latimes.com shows, there were other security measures in place. Of course, that didn’t prevent the two laptops at the center of the data breach that affected 729,000 patients. But this led me to the question: could FDE be given short shrift because it’s not multifunctional enough?
Laptops Stolen from AHMC Hospitals
Two laptops were stolen from AHMC hospitals, causing the PHI breach of 729,000 people. The laptops were stolen on October 12. So far, things sound very familiar to the point of banality (not that data breaches should ever reach that state…but that’s the times we live in).
Except, AHMC had plenty of security in place. According to the latimes.com (my emphases):
The thieves swiped the laptops from a video-monitored sixth-floor office on a medical campus that officials said is “gated and patrolled by security.”
Gary Hopkins, a spokesman for AHMC, said the hospital group called Alhambra police as soon as the theft was discovered Oct. 14. Security video showed that the theft occurred Oct. 12.
AHMC Healthcare had already asked an auditing firm to perform a security risk assessment and it was following the recommendations, officials said. Administrators will now expedite a policy of encrypting all laptops, they said
So, based on the above, it sounds like encryption software was being used, just not on all laptop computers. Furthermore, there were physical restrictions (“gated” and “security” personnel) and non-physical ones as well (security cameras). While AHMC was not following best practices, one could argue that they were following HIPAA protocols. After all, HIPAA doesn’t require perfect security.
Physical Security is not Data Security
Consider what was in place at the time of the data breach:
- Video monitoring, which we can assume was not actually being monitored in real time…so perhaps we should refer to it as video “monitoring.”
- Security guards making their rounds.
What’s a common factor among these? They’re “multifunctional.”
The video monitoring can be used to track people who are looking to steal laptops, but also people looking to break into medicine cabinets or monitoring people’s behavior in general. Security guards can prevent thieves from coming in or going out, but can also be summoned in case of other disturbances. Doors are multifunctional in many ways, including granting privacy, tamping down ambient noise, securing assets, etc. The point is, it wouldn’t be hard to convince management to open up the company’s purses when it comes to traditional security.
Full disk encryption is anything but, however. It’s a tool that does one thing, and one thing only: it ensures that unauthorized people do not access a device’s contents, especially in the event said device is lost or stolen. Plus, it doesn’t work to protect data if you have to send something via email (you’d either need email encryption or file encryption), and – depending on the encryption solution – data copied off of an encrypted laptop poses a risk, since such data usually falls outside of the solution’s reaches (but not with AlertBoot: USB memory devices are automatically protected, assuming the setting is turned on).
So, making the case for laptop disk encryption, when other options seem to provide more bang for the buck, can be a hard task. On the other hand, the right encryption solution is guaranteed to prevent a $1.5 million HIPAA fine if (or when) the time comes. Video cameras, doors, and security guards don’t offer that.
Related Articles and Sites: