New Jersey: Health Insurance Companies Must Encrypt Data on Desktops, Laptops.

The new year brings us surprises.  According to nj.com, New Jersey governor Chris Christie has signed into law a requirement that health insurance companies encrypt client information.  As nj.com points out, The Garden State has been witness to a couple of massive data breaches in the past couple of years – incidents that could have been prevented with the appropriate use of cryptographic solutions like AlertBoot managed disk encryption for laptops and desktops.

Definitions

The bill that was signed into law carries a number of definitions, of which I’ll point out two:

Computerized record means any record, recorded or preserved on any computer, computer equipment, computer network, computer program, computer software, or computer system.

The word “record” is not defined, but it’s obviously a reference to things like personal information:

Personal information means an individual’s first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver’s license number or State identification card number; (3) address; or (4) identifiable health information. Dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data

And, finally, a definition of what comprises an end user computer system:

End user computer system means any computer system that is designed to allow end users to access computerized information, computer software, computer programs, or computer networks. End user computer system includes, but is not limited to, desktop computers, laptop computers, tablets or other mobile devices, or removable media

The inclusion of desktops is unusual.  Of course, the definition itself is conventional and straightforward: desktop computers are, after all, end user computer systems.  But their inclusion means that many, if not all, health insurance companies in New Jersey will have to force their IT departments into a flurry of activity, as we shall see shortly.

The Law Itself

According to the bill’s language, a health insurance provider:

shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person. Compliance with this section shall require more than the use of a password protection computer program, if that program only prevents general unauthorized access to the personal information, but does not render the information itself unreadable, undecipherable, or otherwise unusable by an unauthorized person operating, altering, deleting, or bypassing the password protection computer program

and

This section shall only apply to end user computer systems and computerized records transmitted across public networks

Props to this law for indirectly educating people that there is a difference between encryption and password-protection!  And for other things as well.  As we've seen from the previous section, "end user computer system" includes desktops, laptops, tablets, smartphones, USB drives, and other devices.  Combine that with the language above and it leads to only one conclusion: health insurance companies will have to encrypt any of the aforementioned devices if they store personal information.

This is huge news because, per my personal experience, rarely does a company decide to encrypt its desktop computers.  Reasons are myriad, but basically it comes down to the belief that desktops are not burglary targets.  This belief is, of course, wrong.  As a guy whose newsfeed is geared towards collecting stories of data breaches, I can tell you that desktop computer thefts happen more often than anyone is willing to believe.

And, when they happen, they tend to involve more than a handful of machines.  It's as if nobody has given any thought to securing desktop computers, so once the thieves can get to one desktop, they can steal as many as they can lay their hands on.

Smartphones Pose a Problem

The above law also places companies that allow the use of smartphones in an awkward spot.  If the company issues smartphones and tablets to its workers, it's not a problem.  However, if it allows BYOD programs, then the company will have to find a way to ensure that employee-owned devices are properly secured.

Related Articles and Sites:
http://www.nj.com/politics/index.ssf/2015/01/hristie_signs_law_requiring_health_insurance_companies_to_encrypt_personal_information_to_protect_cu.html
http://www.njleg.state.nj.us/2014/Bills/S1000/562_R1.PDF
http://www.phiprivacy.net/christie-signs-law-requiring-health-insurance-companies-to-encrypt-personal-information/