While I don’t mean to pick on Colorado Neurodiagnostics, a Colorado company that recently experienced a patient data breach, the short article announcing the loss of their computer with medical data illustrates how one can conclude that HIPAA laptop encryption was not used.
Colorado Neurodiagnostics PHI Breach
According to denverpost.com, a Colorado Neurodiagnostics laptop containing “patient names, dates of birth and clinical information” was stolen (the article doesn’t give details on when, where, or how). Other information, such as SSNs, financial information (usually credit card numbers), addresses, or phone numbers were not stored on the machine.
The article notes that password protection was used to secure the data. The problem with this statement, though, is whether password protection was linked to medical encryption software, such as AlertBoot full disk encryption. The difference in security is the difference between night and day.
Password protection, if you will, is like hiding a house key under the welcome mat: check the usual places, and there’s a very realistic chance that you’ll find a way in. Bypassing the usual password protection login prompt can be as simple as removing the hard disk from a computer and wiring it up to another one (it takes maybe 15 minutes and $5 worth of tools and cables).
In contrast, using encryption software is like putting a moat with sharks around the house: if you know the password, you can get the drawbridge to be lowered down. Otherwise, there’s no realistic way in.
Why would one use one over the other? Well, for one, they look the same. Like a brand new car that’s missing its engine, you can’t really tell that encryption is not linked to the password protection prompt just by looking (unless you crack open the hood).
So how can one tell? Well, when it comes to covered entities, you can tell because they make an announcement and otherwise contact affected patients.
HIPAA Data Security: Encryption Gives You a Free Pass
Under the federal statute known as HIPAA, a medical organization is required to do the following if patient data is lost, stolen, or otherwise unaccounted for:
- Notify the Department of Health and Human Services, which oversees HIPAA.
- Notify the people affected by the data breach.
- Make a public announcement if over 500 people are affected or if it’s impossible to notify them individually.
The one caveat is that all of the above become optional if encryption is used to secure the data. In other words, HIPAA covered entities that used encryption can choose whether to go public with the news of the data breach or not (and you can bet they do not. Among other things, admission to such a breach invites a federal investigation, possibly resulting in a fine up to $1.5 million, not to mention lawsuits from those who were affected).
The fact that Colorado Neurodiagnostics made the announcement indicates that encryption was not used to protect patient data. Based on the information that was stored on the stolen laptop, perhaps Colorado Neurodiagnostics didn’t think it was necessary to use encryption, although others may present a different opinion.
And that’s how you can tell.
Related Articles and Sites: