Sutherland Healthcare Solutions (SHS), a billing contractor for Los Angeles County, has offered a reward of $25,000 for the return of computers stolen from their offices. The data breach was initially reported as affecting approximately 170,000 people; the number has since been revised to 338,700. All of this because HIPAA desktop encryption was not used to properly protect PHI.
Eight Desktop Computers Stolen. What About HIPAA?
Previous reports on the SHS breach were vague on the details. Further reporting two months down the line shows that the computers stolen from SHS offices are “computer towers,” more specifically HP Pro 3400s. According to the specs, this particular computer measures 368 x 165 x 389 mm (or 14.5 x 6.5 x 15.3 inches) and weighs a little under 16 pounds. In other words, it’s the size of a big encyclopedia volume.
Installing HIPAA data encryption software is a cinch. And the use of data encryption provides safe harbor from HIPAA’s Breach Notification Rule. So, why were these computers not protected?
The argument is often made that desktop computers do not need encryption because (a) HIPAA technically doesn’t require the use of encryption and (b) desktop computers are not easily stolen. Furthermore, such a theft would be incredibly easy to spot, so the breach could be stopped while it was happening.
Except that this is not how it usually unfolds. The article that covers the breach at latimes.com shows one man who’s suspected of stealing the computers. In the individual frames of the surveillance footage that were made available, he’s holding a black bag that was undoubtedly used to carry the desktops out, one by one.
He probably made eight trips, at least – earlier reports noted that computer monitors were also stolen – meaning that there were at least eight individual instances where, in theory, he could have been stopped. Anecdote may not be proof, but instances where desktop computers are stolen from offices are so common that the myth of “desktop computers cannot be easily stolen” should die a fiery death.
Is Encryption Really “Not Required”?
Now that we’ve covered aspect (b) of the argument, let’s turn our eyes to aspect (a) of the “desktop computers do not need encryption” argument.
Is encryption really not required under HIPAA rules? Technically, it is not. Under the HIPAA Security Rule, the use of encryption is an “addressable” implementation specification, not a required one. However, “addressable” does not mean what a layperson would take it to mean. “Addressable” under HIPAA really means “it is required unless you can prove that something else will work just as well.”
Consider this answer, found at hhs.org, to the question of whether encryption is mandatory under the Security Rule (my emphases):
No. The final Security Rule made the use of encryption an addressable implementation specification…and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.
As you can see from the above, encryption is not required…but you need to use an “equivalent alternative measure” to secure the data. What people are confusing is “encryption is not mandatory” with “data security is not mandatory.” The latter is required, the former is not…but, then again, encryption is required if one wants to take advantage of the safe harbor under the Breach Notification Rule, since only encryption and data destruction qualify.