Medical Establishment Break-in
Bay Area Pain Medical Associates, according to phiprivacy.net, has contacted patients that three desktop computers with patient data were stolen in May of this year. Because HIPAA/HITECH provides safe harbor from the Breach Notification Rule for any PHI (protected health information) that is guarded with encryption software, one can assume that the information was not properly protected.
The assumption in this case would be partially wrong.
According to the notification letter Bay Area Pain Medical Associates is sending out, “all medical records were encrypted and inaccessible, [however] we believe one Excel spreadsheet containing approximately 2,780 patient names” was not.
What we can tell from this admission is that full disk encryption was not used, as this particular encryption technology protects a computer’s entire hard drive (the hardware where data is stored for the long term). Chances are, file encryption was used to protected individual files (or possibly, folder encryption, where a select folder or folders are encrypted, along with anything that is placed inside of it).
File/Folder Encryption vs. Disk Encryption
Does this mean that disk encryption is superior to file encryption or folder encryption?
They have different uses. If you’re looking to protect your files from being stolen wholesale (i.e., a stolen computer triggers a HIPAA breach), then disk encryption is a no-brainer. However, disk encryption cannot protect a person from instigating other types of HIPAA breaches. For example, if a file has to be sent via email, disk encryption cannot help – the correct tool would be to use file encryption.
Just like a chef has a number of different knifes that essentially do the same thing (cut stuff), there are different encryption tools that are made for a particular purpose. The correct approach to data security is to use these as needed.