Anchorage Community Mental Health Services (ACMHS) has settled with HHS/OCR over potential violations of HIPAA. Of course, HIPAA settlements are not interesting in and of themselves, but because of the accusations that led to them. In this particular instance, it appears that the covered entity was hammered for not updating its software and not keeping an eye on potential data security risks. The implication for medical disk encryption is that installing cryptographic solutions on laptops and other mobile devices is not the end of a covered entity’s encryption operations.
Regularly Update IT Resources
ACMHS’s problems started when malware compromised the covered entity’s systems in 2011. Over 2,500 people were affected by the data breach, and OCR opened an investigation. The investigation revealed that:
…ACMHS had adopted sample Security Rule policies and procedures in 2005, but these were not followed. Moreover, the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.
An OCR director had this to say regarding the case:
“Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis…This includes reviewing systems for unpatched vulnerabilities and unsupported software…”
Of course it is common sense to check on things periodically. With this latest action, however, the implication is that it’s more than that: it has veered from being common sense to being a duty. If I’m reading correctly between the lines, if you’re not checking to make sure things are secure, OCR will go after you.
Which makes sense. After all, HIPAA requires that covered entities (and business associates) be proactive regarding PHI security. That’s why CEs are supposed to conduct a risk assessment each time risk conditions change. That’s why they dangle safe harbor as a carrot for any laptops that are lost but happen to be protected with strong encryption. It’s why Security Rule policies are supposed to undergo review periodically.
The Disk Encryption Conundrum
When it comes to disk encryption software, most IT departments tend to check on a couple of things, such as (1) whether their machines are, in fact, encrypted and (2) whether there are any machines that are not encrypted but should be (e.g., a comparison between the list of encrypted machines and the machines actually in use). In keeping with the Security Rule, they may run such an audit periodically. My guess is that one would be hard pressed to find a CE’s IT department that also keeps up with encryption bugs and other obscure things. After all, the average IT department is busy with day-to-day operations; it doesn’t have the time to stay on top of issues that rarely pop up.
It doesn’t happen often but encryption software can need fixes, too. Could this “lack of upkeep” come back to haunt a CE? I imagine that the answer is “no,” but who’s to say what’s going to happen in the future? One thing I can foretell is that CEs who’ve outsourced their disk encryption will be in a better position because encryption shops stay abreast of such issues.
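The two checks described above (is every in-use machine encrypted, and does the encrypted list match the machines actually in use) plus the "keep the encryption software patched" point from the ACMHS findings can be folded into one periodic reconciliation. The script below is an added example, not code from the original post or from any encryption vendor; the asset inventory, the encryption console export, the field names and the minimum agent version are all constructed assumptions standing in for whatever a CE’s real inventory and management console produce.

```python
"""
Reconcile an asset inventory against a disk-encryption status report.

Added example. ASSET_INVENTORY and ENCRYPTION_REPORT are constructed sample
data; the field names and MIN_AGENT_VERSION are assumptions for illustration,
not the output format of any real product.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed asset inventory: every laptop that is supposed to be encrypted.
ASSET_INVENTORY = [
    {"hostname": "lt-001", "owner": "clinician-a", "in_use": True},
    {"hostname": "lt-002", "owner": "clinician-b", "in_use": True},
    {"hostname": "lt-003", "owner": "front-desk", "in_use": True},
    {"hostname": "lt-004", "owner": "retired", "in_use": False},
]

# Constructed export from a hypothetical encryption management console.
ENCRYPTION_REPORT = [
    {"hostname": "lt-001", "encrypted": True, "agent_version": "4.1.7"},
    {"hostname": "lt-002", "encrypted": False, "agent_version": "4.2.1"},
    {"hostname": "lt-004", "encrypted": True, "agent_version": "3.9.0"},
    {"hostname": "lt-005", "encrypted": True, "agent_version": "4.2.1"},
]

# Hypothetical minimum patched version of the encryption agent (assumption).
MIN_AGENT_VERSION = "4.2.0"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'a.b.c' into a tuple so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Finding:
    hostname: str
    issue: str


def reconcile(assets: List[Dict], report: List[Dict], min_version: str) -> List[Finding]:
    """Return one Finding per gap between the inventory and the encryption report."""
    findings: List[Finding] = []
    by_host = {row["hostname"]: row for row in report}

    # Check 1 and 2: every in-use machine must appear in the report and be encrypted.
    for asset in assets:
        if not asset["in_use"]:
            continue  # retired hardware is out of scope for this audit
        row = by_host.get(asset["hostname"])
        if row is None:
            findings.append(Finding(asset["hostname"], "not in encryption report"))
            continue
        if not row["encrypted"]:
            findings.append(Finding(asset["hostname"], "not encrypted"))
        # Check 3: the encryption agent itself must be at or above the patched baseline.
        if parse_version(row["agent_version"]) < parse_version(min_version):
            findings.append(Finding(
                asset["hostname"],
                f"agent {row['agent_version']} below minimum {min_version}",
            ))

    # Reverse check: encrypted machines nobody has in the asset inventory are unknown hardware.
    known = {asset["hostname"] for asset in assets}
    for row in report:
        if row["hostname"] not in known:
            findings.append(Finding(row["hostname"], "in encryption report but not in asset inventory"))

    return findings


if __name__ == "__main__":
    for finding in reconcile(ASSET_INVENTORY, ENCRYPTION_REPORT, MIN_AGENT_VERSION):
        print(f"{finding.hostname}: {finding.issue}")
```

Running it against the constructed data flags one machine with an outdated agent, one that is not encrypted, one that never reported in, and one encrypted device that is not in the inventory. The version check is the part most audits omit; comparing tuples rather than strings matters because "4.10.0" sorts before "4.9.9" as text.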