American Family Care of Birmingham, according to phiprivacy.net, has announced that two laptops stolen this summer contained sensitive patient information. The fact that the breach reached the media at large suggests two things: (1) HIPAA encryption software like AlertBoot was not in use on the laptops, and (2) the breach involved more than 500 people. Both conclusions follow from the HIPAA and HITECH breach notification requirements for covered entities, which exempt lost data that was properly encrypted from notification, and which require that prominent media outlets be notified when more than 500 residents of a state or jurisdiction are affected.
Laptops Stolen from Vehicle
While many details are lacking, one thing is clear: the laptops were stolen from an employee's vehicle, which is exasperating. While I don't keep a quantified tally of such stories, I'm under the impression that I've heard of this particular kind of HIPAA data breach at least once a quarter since 2007. When you consider that not all breaches are made public (even if they should be, according to the law), and that I'll miss stories my news filters don't catch, once a quarter probably doesn't even begin to approach the actual number of data breaches caused by laptop thefts from cars.
I must rant; I can't even begin to understand why such stories still exist: laptop disk encryption is cheap and plentiful, and does a great job of keeping data out of the hands of unauthorized parties. As an added incentive, HIPAA covered entities get safe harbor from, let's admit it, pretty onerous data security and reporting duties if encryption is used. Plus, anyone can see that a car's trunk, passenger seat, or back seat is not part of a company's data security perimeter.
There’s Questionable Data Security Advice Out There
Of course, there could be a logical explanation why American Family Care didn’t use laptop encryption on these two machines: perhaps they weren’t supposed to have any sensitive data on them. Look at this part of the breach announcement (my emphasis):
The company also stated no evidence points to the information being accessed, but it was discovered in August that the laptops might contain certain patient information…
In other words, they're not really sure (or they don't want to admit it). Why are they not sure? Who knows. What I do know is this: rarely do people follow data and computer policies to a "T." It's not that people are dishonest, or idiots, or lazy, or whatever (although they can be). Often it's because the policies contradict one another, or because they impede the carrying out of duties, or because they're so long and complex that they cannot be followed.
From a security and policy standpoint, one should use the approach that realistically minimizes a particular risk, as opposed to one that only works in theory. When it comes to laptops in the workplace, and contrary to advice that only machines designated to hold sensitive data need protecting, I think every laptop should be encrypted.
Why? Because there's no way to guarantee that a laptop will never store sensitive data. The data could arrive from the internet, from a USB stick, or from an email attachment. It could be put there on purpose, by accident, or just "temporarily" parked there when the unfortunate event occurs. Encrypt the laptop and you're covered, no matter how the data ended up on the machine or how the machine ended up in an unauthorized individual's hands.
Of course, this doesn't mean you "set it and forget it"; you're not handling a rotisserie chicken. There are a number of security procedures, processes, and actions you have to commit to: the encryption has to cover every volume that can hold data (including swap, or the data leaks out through hibernation), the key or passphrase must not travel with the machine, and a laptop left asleep with its disk already unlocked is not protected the way a powered-off one is. But in the event that things go wrong, you've still got a way out that pays extremely high dividends: protection of the stolen data; compliance with regulations; no need to alert anyone, and consequently no frivolous lawsuits; no investigation by the regulatory body; and more.
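One of those procedures is checking that the encryption actually covers every volume that can hold data, rather than trusting that "the laptop is encrypted." The script below is an added example, not code from the original post or from AlertBoot. It assumes a Linux laptop using LUKS/dm-crypt and walks the device tree that util-linux's lsblk prints with -J (JSON), flagging any mounted filesystem or swap device with no "crypt" layer beneath it. The device tree named SAMPLE is constructed for illustration; check_host() runs the real lsblk.

```python
"""Report mounted volumes that are not backed by a dm-crypt/LUKS layer.

Added example (not from the original post). Assumes Linux + util-linux
lsblk; the SAMPLE tree below is constructed, not captured from a real host.
"""
import json
import subprocess

# Mount points that are legitimately unencrypted on a LUKS-based laptop.
BOOT_MOUNTS = {"/boot", "/boot/efi", "/efi"}


def _mountpoints(dev):
    """Mount points of one lsblk device entry.

    Older lsblk emits a single "mountpoint" string; newer versions emit a
    "mountpoints" list (with None for unmounted devices). Handle both.
    """
    if "mountpoints" in dev:
        return [m for m in dev["mountpoints"] if m]
    m = dev.get("mountpoint")
    return [m] if m else []


def unencrypted_mounts(tree, encrypted=False, ignore=BOOT_MOUNTS):
    """Walk an lsblk device tree depth-first.

    `encrypted` is True once any ancestor is of type "crypt"; LVM volumes
    stacked on top of a LUKS container therefore count as encrypted.
    Returns (device name, mount point) pairs for every data-bearing mount
    (including "[SWAP]") that has no crypt layer beneath it.
    """
    found = []
    for dev in tree:
        enc = encrypted or dev.get("type") == "crypt"
        for mp in _mountpoints(dev):
            if mp not in ignore and not enc:
                found.append((dev["name"], mp))
        found.extend(unencrypted_mounts(dev.get("children", []), enc, ignore))
    return found


def check_host():
    """Run lsblk on the current machine and return its unencrypted mounts."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    ).stdout
    return unencrypted_mounts(json.loads(out)["blockdevices"])


# Constructed sample: root and /home live on LVM over LUKS (fine), while
# swap and a second disk holding /data are plain partitions (flagged).
SAMPLE = json.loads("""
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": "/boot"},
    {"name": "nvme0n1p3", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "mountpoints": ["/"]},
        {"name": "vg-home", "type": "lvm", "mountpoints": ["/home"]}
      ]}
    ]},
    {"name": "nvme0n1p4", "type": "part", "mountpoint": "[SWAP]"}
  ]},
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/data"}
  ]}
]}
""")["blockdevices"]


if __name__ == "__main__":
    for name, mp in check_host():
        print(f"UNENCRYPTED: {name} mounted at {mp}")
```

Run on the sample tree, the check flags nvme0n1p4 ([SWAP]) and sda1 (/data) and accepts / and /home because their LVM volumes sit inside the LUKS container. On a fleet, the same function can be pointed at `lsblk -J` output collected by whatever agent you already have, so the "every laptop is encrypted" claim becomes something you measure rather than assume.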