HIPAA Security Breach: Encryption Is Nothing Without Proof.

If you’re somehow involved in the medical sector, chances are that you or your business comes under the purview of HIPAA.  And while there are many aspects to it, when it comes to ePHI, the odds are that it’s been drilled into your head: encryption, encryption, encryption.

PHI data encryption is the only guaranteed way to obtain safe harbor from the Breach Notification Rule, which obligates HIPAA covered-entities and business associates to report any instances where patient information is breached (or, technically, is believed to be breached).

Except that it’s not really a guarantee.  The use of encryption software is merely the first step.  There’s a little technicality that trips a lot of people: you have to be able to provide documentation (i.e., proof) that the PHI was encrypted at the time of the breach, whether it was a stolen laptop, a misplaced smartphone, missing backup tapes, whatever.

An Example: UC San Francisco Laptop Theft

Take for instance, the following statement from UC San Francisco (UCSF) regarding the theft of a laptop computer that stored ePHI (my emphases):

UC San Francisco is alerting some individuals to the theft of a physician’s personal laptop computer that contained personal and health information.

While the physician believed the laptop was encrypted, this could not be confirmed. As a result, the individuals involved are being notified.

The security of protected health information at UCSF is of utmost importance. While there is no evidence at this time….

(You can read the rest here).

Basically, this is UCSF saying that they weren’t able to take advantage of safe harbor because they weren’t able to prove that the doctor’s laptop was encrypted at the time of the theft.

The use of “believed” in “the physician believed the laptop was encrypted” can be interpreted in multiple ways, but ultimately it stands that, if UCSF had been able to prove the use of encryption, it wouldn’t be sending out notification letters, regardless of what the doctor thought, believed, imagined, etc.

So, how does one prove that a laptop was protected with encryption when it got stolen?

HIPAA Breach Prevention: The Status Log

The easiest way is to do what AlertBoot FDE and MDM does: provide an audit log that shows the encryption status whenever it connects to our central server.  Among other things, laptops and smartphones protected with AlertBoot connect with management servers every 24 hours (or when prompted by force).  This is to ensure that the latest security policies are pushed out to all endpoints, ensuring that clients are not blindsided.

Since devices report their statuses every 24 hours, and there’s a list of such entries going to the first day the device was first protected, it doesn’t take much to extrapolate and conclude that a device was encrypted at the time something went awry.

This contrasts with standalone encryption software.  Yes, they are NIST-validated.  And, yes, they’re effective at securing data.  And, yes, people who use these solutions can pat themselves on the back for looking out for their clients’/patients’ digital welfare.

But, no, there’s no failsafe, foolproof way to prove that encryption was used.  And that matters when it comes to HIPAA regulations and fines.

Related Articles and Sites:
http://www.phiprivacy.net/ucsf-notifying-8294-gastroenterology-patients-whose-pii-and-phi-were-on-laptop-stolen-from-doctors-car/
http://www.ucsf.edu/news/2013/11/110386/laptop-computer-theft-ucsf

 



Comments (0)


Let us know what you think