One of the most unfortunate types of data breach cases I come across is the one where PHI encryption was used on a laptop but a HIPAA data breach still followed, like the following one at the Michigan Department of Community Health.
According to the entry at phiprivacy.net, an employee of the Ombudsman’s Office at State Long Term Care experienced a burglary. The thief took a laptop computer and a flash drive. The laptop was protected with encryption software, as many covered entities now do in light of the final Omnibus Rule.
The flash drive, however, was not encrypted. A total of 2,595 people, living and deceased, were affected by this latest PHI breach.
Personal Data Stolen, Laptop and Drive Not Recovered
The stolen information included people’s names, addresses, dates of birth, and SSNs or Medicaid IDs (not every affected person had all of these exposed). The burglary occurred around January 30th, with MDCH learning about it on February 3rd. As of the April 3 press release announcing the data breach, the devices had not been recovered.
And chances are that they won’t be. For the flash drive, the odds of recovery are close to nil. For the laptop, assuming some other type of laptop security software was deployed in addition to the encryption, such as a tracker, the odds of recovery are higher but can still be pretty low.
For example, the use of Absolute Software trackers could lead to a 75% recovery rate, if you believe the manufacturer’s claims. The caveats here are that (a) we have absolutely no idea how long it takes to recover the device (is it a day, a week, a month?), (b) it’s not foolproof, since a Faraday cage-like enclosure or simply taking the laptop into a basement may be enough to defeat the technology, and (c) recovery falls outside the safe harbor provisions under HIPAA, which require encryption (or data destruction) to apply.
Still, the technology is much more impressive than conventional laptop tracker software, which generally just “tracks” the last known IP address (these devices don’t come with a GPS module) and is far less accurate at pinpointing a device’s location.
Full Disk Encryption Has Blind Spots
With HHS (and its OCR branch) heavily promoting the use of HIPAA encryption, it’s hard for the layperson to understand what went wrong here. Encryption appears to have been used, but there was still a data breach. Yes, the flash drive was at fault, but… wasn’t the data encrypted when it was transferred from the computer?
To make sense of what’s going on here, one needs to understand the basic concepts of the underlying technology. There are many different types of encryption. There is full disk encryption, which was probably used to protect the laptop’s contents. As the name implies, full disk encryption (usually abbreviated to FDE) encrypts the entire content of a hard drive. To be more specific, it encrypts the drive itself; because the data lives on that drive, it ends up protected too.
This distinction is very important, as it explains why the flash drive’s contents were not protected. FDE protects data at rest on that one drive: once the laptop is unlocked, the operating system transparently decrypts whatever is read from the disk. So when you copy the data over to another storage device, such as a flash drive, it lands there in plaintext, because it was the drive that was encrypted, not the data.
Is there a way to encrypt the data itself? Absolutely. There are technologies that encrypt data, such as file encryption. On its own, file encryption is a less practical way of protecting everything on a device. Thus the two tend to work in tandem: FDE for the laptop, file encryption for any files that make it off the laptop. This way, one of the top weaknesses of FDE is shored up.
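What file encryption for data leaving the laptop looks like, as an added example in Go (not code from the original post or from the MDCH case): AES-256-GCM from the standard library seals a record before it is copied to removable media, and the decrypt side rejects any modified or truncated copy. The key and the sample PHI row are constructed placeholders; in practice the key would come from a key manager or a passphrase-based derivation, never from the source.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM turns a key into an AEAD so the copy on the flash drive is confidential and tamper-evident.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16/24/32-byte keys accepted; 32 bytes selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile seals a file's bytes before they leave the FDE-protected laptop.
func EncryptFile(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12-byte random nonce, stored in front of the ciphertext
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // blob = nonce || ciphertext || 16-byte tag
}

// DecryptFile reverses EncryptFile; any modified byte in the blob makes Open fail.
func DecryptFile(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(blob) >= n+gcm.Overhead() {
		return gcm.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, fmt.Errorf("blob of %d bytes cannot hold nonce and tag", len(blob))
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed placeholder; use a managed key in practice
	blob, _ := EncryptFile(key, []byte("name=Jane Doe;dob=1970-01-01")) // constructed sample PHI row
	blob[len(blob)-1] ^= 1 // simulate corruption or tampering of the copy on the flash drive
	_, err := DecryptFile(key, blob)
	fmt.Printf("%d opaque bytes on the drive; tampered copy rejected: %v\n", len(blob), err != nil)
}
```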