Why is PHI encryption recommended by the HHS Office for Civil Rights, HIPAA experts, and pretty much everyone else? Because encryption acts as a safety net when the unforeseen happens, as the following story shows.
Coordinated Health, a network of hospitals with seventeen locations across Pennsylvania, has announced its second data breach in one month. The first, announced towards the end of March 2014, was an office burglary. Coordinated could be given a pass for that one, since “someone pried open a cabinet” to steal money and patient information (although the latter has to make you wonder whether petty cash was really what the thief was after).
This second PHI breach won’t elicit the same sympathy, given that an unencrypted laptop was stolen from an employee’s car, affecting over 700 people. With so many documented cases of laptops (or anything of value, really) being stolen from cars, it’s remarkable that we’re still reading about this breach vector.
Email Attachment Cause of HIPAA Breach
Actually, perhaps I spoke too soon about sympathy for Coordinated Health. The explanation of what happened shows that the cause of the HIPAA breach was ultimately “an email message with an attached file of 733 patient files” (lehighvalleylive.com).
Assuming the laptop held nothing else covered by the HIPAA Security Rule, it makes sense that there was no HIPAA-compliant disk encryption on it: the machine was not supposed to hold PHI, so most encryption solutions would have looked unnecessary. A VPN might have been warranted if the laptop served as an endpoint connecting to a central server, but with no PHI on the device itself the HIPAA risk was significantly lowered, if not eliminated. And at the end of the day, that’s what HIPAA asks for: reducing risks to a reasonable and appropriate level. It does not require 100% protection of sensitive data (nothing could reach the 100% mark, to be honest).
On the other hand, covered entities face, and have always faced, difficulty controlling what employees actually do. Computer usage and data security policies spell out what is and is not allowed, but people break these policies all the time, sometimes unknowingly, sometimes deliberately. Knowing this, does it really come as a surprise that an employee’s laptop turned out to contain PHI? One email attachment saved locally is all it takes.
Risk analysis is great and all, but at some point you’ve got to wake up and smell the coffee: maybe your risk analysis is leaving important parameters out, starting with the assumption that PHI stays where policy says it should. Laptops that have even the remotest chance of storing PHI should be encrypted, and encryption done in line with the HHS guidance on securing PHI means a lost or stolen device is not a reportable breach of unsecured PHI in the first place.
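The gap in that risk analysis is testable: instead of trusting that PHI never lands on a laptop, scan the laptop for it. The script below is an added example (not Coordinated Health’s tooling or anything from HHS) that walks a directory tree looking for files that resemble emailed patient exports. The regexes, the file extensions, the record-count threshold and the sample files it writes into a temporary directory are all illustrative assumptions; the SSN pattern also shows the kind of edge case a naive scan gets wrong (numbers like 000-12-3456 are never issued and should not count).

```python
"""Endpoint PHI discovery scan (added example, not the page's or any vendor's code).

Walks a directory, flags plain-text files that look like patient exports, and
reports how many records each appears to hold. All patterns below are
illustrative assumptions; real deployments add their own MRN/insurance formats.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Heuristic PHI indicators (assumed formats, not a standard).
PHI_PATTERNS = {
    # SSN: excludes area numbers 000, 666 and 9xx, group 00 and serial 0000,
    # which are never issued, so bogus numbers do not inflate the count.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|Date of Birth)\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{2,4}\b", re.I),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.I),
    "diagnosis": re.compile(r"\b(?:ICD-?10|diagnosis)\b", re.I),
}

# Plain-text formats that email exports commonly arrive in. Binary formats
# (xlsx, docx, pdf) need a text-extraction step first and are skipped here.
TEXT_EXTS = {".csv", ".tsv", ".txt", ".log", ".json"}
MAX_BYTES = 5 * 1024 * 1024  # assumed cap; skip anything larger


@dataclass
class Finding:
    path: str
    hits: dict = field(default_factory=dict)  # pattern name -> match count

    @property
    def total(self) -> int:
        return sum(self.hits.values())


def scan_bytes(data: bytes) -> dict:
    """Count PHI pattern matches in one file's content."""
    text = data.decode("utf-8", errors="ignore")
    hits = {}
    for name, rx in PHI_PATTERNS.items():
        n = len(rx.findall(text))
        if n:
            hits[name] = n
    return hits


def scan_tree(root: str, min_records: int = 1) -> list:
    """Return findings for files holding at least min_records apparent patient records.

    The record count is approximated by whichever of SSN or MRN matches is larger,
    so a file with DOBs but no identifiers does not trigger on its own.
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in TEXT_EXTS:
                continue
            p = os.path.join(dirpath, fn)
            try:
                if os.path.getsize(p) > MAX_BYTES:
                    continue
                with open(p, "rb") as f:
                    hits = scan_bytes(f.read())
            except OSError:
                continue  # unreadable file; a real scanner would log this
            records = max(hits.get("ssn", 0), hits.get("mrn", 0))
            if records >= min_records:
                findings.append(Finding(p, hits))
    return sorted(findings, key=lambda f: -f.total)


def make_sample_tree() -> str:
    """Write constructed sample files (fictional data) to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="phi_scan_")
    os.makedirs(os.path.join(root, "Downloads"))
    os.makedirs(os.path.join(root, "Desktop"))
    # The kind of export that arrives as an email attachment (constructed data).
    with open(os.path.join(root, "Downloads", "patient_list.txt"), "w") as f:
        f.write("Patient: Jane Roe   MRN: 1000001  SSN: 123-45-6789  DOB: 01/02/1970  Diagnosis: J45.20\n")
        f.write("Patient: John Doe   MRN: 1000002  SSN: 234-56-7890  DOB: 03/04/1965  Diagnosis: E11.9\n")
        f.write("Patient: Ann Smith  MRN: 1000003  SSN: 345-67-8901  DOB: 05/06/1980  Diagnosis: I10\n")
    # Looks numeric but is not an issued SSN; must not be flagged.
    with open(os.path.join(root, "Downloads", "invoice.csv"), "w") as f:
        f.write("vendor,ref\nAcme Supply,000-12-3456\n")
    with open(os.path.join(root, "Desktop", "todo.txt"), "w") as f:
        f.write("Meeting notes: discuss laptop encryption rollout.\n")
    with open(os.path.join(root, "Desktop", "scan.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0 not text")  # binary, skipped by extension
    return root


if __name__ == "__main__":
    for finding in scan_tree(make_sample_tree()):
        print(f"{finding.path}: {finding.hits}")
```

Run it against a home directory rather than the sample tree and the output is the list of machines whose “no PHI here” assumption failed, which is exactly the input a risk analysis needs before deciding which laptops get full-disk encryption.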