HIPAA Disk Encryption: Covered Entities Not Immune from Data Breaches Stemming From "Acts of God".

As I’ve often noted, you can’t eliminate systematic risk, a term I’ve borrowed from my college economics classes which refers to a risk inherent within a system. When it comes to HIPAA data breaches, it means that try as you might, certain risks will always remain, no matter what. The following case is a reminder of that, and of why encrypting medical data is always better than relying on physical and policy-based security practices alone.

Breach Notification because of Earthquake

According to phiprivacy.net, the Napa County Health and Human Services Agency is sending breach notification letters to Home Supportive Services clients. The notification mentions that a flash drive was lost “in the rubble after a big earthquake.” The information on the thumb drive was not encrypted.

It is remarkable that the agency even detected the loss of the drive, seeing how “the loss was discovered on August 27, three days after the earthquake, when the agency attempted to deal with the rubble in its office (which remains unusable from the damage).”

Why not Use Encryption?

Why was encryption software not used to protect the contents of the USB drive? Chances are, because the employees were trusted and the agency had a data security policy that prohibited taking any data outside of the agency’s grounds. This is a commonly used data security policy and a good way to lower the risk of a data breach. The problem, though, is that some organizations use it as a replacement for technical controls rather than a complement to them.

The thought process, apparently, goes like this: the employees will follow the policies (especially because they’re periodically reminded and educated on the issue); the employees are 100% dependable; thus, the data will not leave the organization’s grounds; the organization’s grounds are protected from outsiders; conclusion: there’s no way you can have a data breach from a small data storage device.

Even assuming all of the above is true, you still have to deal with systematic risks such as earthquakes, like the one in Napa County. Or a flood, for that matter. Four years ago, another covered entity filed a breach notification with the HHS, noting that its computers and paper documents had disappeared when its offices were hit by a flood.

Unlike Napa County, however, they had encrypted their computers, nipping an electronic data breach in the bud. It goes to show that technical controls bring a lot to the table, much more than a policy- or behavior-based solution on its own.
