Penn Medicine has revealed this past week that a laptop computer with protected health information (PHI) was stolen on November 30. While the details are meager (aside from a short entry at philly.com, which is referenced by databreaches.net, an online search comes up empty), the following was revealed:
- About 1000 people were affected.
- The laptop was stolen from a car at a parking lot.
- Breached information includes “patient names, birth dates, medical records, account numbers, and some other demographic and medical information.”
- No “Social Security numbers, credit card or bank account information, patient addresses or telephone numbers” were stolen.
Penn Medicine promised to review procedures to ensure that patient information is protected on portable devices.
What is This, 2009?
In an age when breaches can – and do – involve tens of millions of people, Penn Medicine’s data breach almost feels quaint. And, yet, that’s why it’s also not so easy to forgive.
Consider servers holding massive amounts of data that are connected to the web and are thus “hackable,” in both theory and practice, by anyone with a decent internet connection. Indeed, a small group of network and security professionals is exploring the build-out of a separate, “better” (better secured?) internet, on the view that our current global communications web will forever be playing security catch-up with the bad guys.
So, even when millions of people are affected by a breach, it’s “understandable”: it shouldn’t be happening, we feel outraged when it does, and lawsuits get filed left and right, but we get it: there’s very little that can be done short of redesigning everything.
But when it comes to an individual laptop computer, there is a proven method of ensuring that its contents are not exposed as a result of a burglary. It’s the same method that led to the Apple vs. FBI face-off two years ago: full disk encryption. It is a very well established technology that has been around for decades, and it does exactly one job: a thief who powers on a stolen, shut-down laptop and does not have the passphrase or recovery key gets nothing usable off the drive.
Indeed, most hospitals, clinics, and medical practices routinely use full disk encryption to protect not only their laptops but also their desktop computers, which are not immune to theft either. And larger organizations have been more aggressive and thorough than smaller concerns, in no small part because of enforcement actions and settlements brought by the federal government.
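The “review procedures” step above has a concrete, checkable form: on each machine, confirm that every mounted filesystem sits on top of a dm-crypt (LUKS) layer. The script below is an added example, not part of the original article and not any vendor’s tool. It parses the key="value" output of `lsblk -P -o NAME,TYPE,PKNAME,MOUNTPOINT` on Linux and walks each mounted device’s parent chain looking for a device of type `crypt`; the `SAMPLE_LSBLK` text is constructed to look like a LUKS-plus-LVM laptop with an unencrypted external drive attached, and the device names in it are assumptions for illustration.

```shell
#!/bin/sh
# Audit: flag mounted filesystems (and swap) that are not backed by a dm-crypt layer.
# Input format: lines from `lsblk -P -o NAME,TYPE,PKNAME,MOUNTPOINT`, e.g.
#   NAME="sda2" TYPE="part" PKNAME="sda" MOUNTPOINT=""
# Output: one line per mounted device, "ENCRYPTED <mountpoint>" or "PLAINTEXT <mountpoint>".

audit_lsblk() {
    awk '
    {
        # Parse the KEY="value" pairs on this line.
        name = ""; type = ""; pk = ""; mnt = ""
        line = $0
        while (match(line, /[A-Z]+="[^"]*"/)) {
            kv = substr(line, RSTART, RLENGTH)
            line = substr(line, RSTART + RLENGTH)
            eq = index(kv, "=")
            key = substr(kv, 1, eq - 1)
            val = substr(kv, eq + 2, length(kv) - eq - 2)
            if (key == "NAME") name = val
            else if (key == "TYPE") type = val
            else if (key == "PKNAME") pk = val
            else if (key == "MOUNTPOINT") mnt = val
        }
        if (name == "") next
        dtype[name] = type
        parent[name] = pk
        # Swap shows up as MOUNTPOINT="[SWAP]"; it can hold paged-out PHI, so audit it too.
        if (mnt != "") mounts[name] = mnt
    }
    END {
        for (n in mounts) {
            # Walk up the stack (lvm -> crypt -> part -> disk); any crypt hop means
            # the bytes on the physical media are encrypted at rest.
            enc = 0; hops = 0
            for (d = n; d != "" && hops < 16; d = parent[d]) {
                if (dtype[d] == "crypt") { enc = 1; break }
                hops++
            }
            printf "%s %s\n", (enc ? "ENCRYPTED" : "PLAINTEXT"), mounts[n]
        }
    }' | LC_ALL=C sort -k2
}

# Constructed sample (assumed device names): LUKS container holding an LVM volume
# group for / and /home, a plaintext /boot, plaintext swap, and a USB drive on sdb.
SAMPLE_LSBLK='NAME="sda" TYPE="disk" PKNAME="" MOUNTPOINT=""
NAME="sda1" TYPE="part" PKNAME="sda" MOUNTPOINT="/boot"
NAME="sda2" TYPE="part" PKNAME="sda" MOUNTPOINT=""
NAME="sda3" TYPE="part" PKNAME="sda" MOUNTPOINT="[SWAP]"
NAME="cryptroot" TYPE="crypt" PKNAME="sda2" MOUNTPOINT=""
NAME="vg0-root" TYPE="lvm" PKNAME="cryptroot" MOUNTPOINT="/"
NAME="vg0-home" TYPE="lvm" PKNAME="cryptroot" MOUNTPOINT="/home"
NAME="sdb" TYPE="disk" PKNAME="" MOUNTPOINT=""
NAME="sdb1" TYPE="part" PKNAME="sdb" MOUNTPOINT="/mnt/phi-export"'

# Run the audit over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_LSBLK" | audit_lsblk
}

# Run the audit against the machine this script executes on (requires lsblk).
audit_live() {
    lsblk -P -o NAME,TYPE,PKNAME,MOUNTPOINT | audit_lsblk
}

audit_sample
```

On the sample, `/` and `/home` come back ENCRYPTED while `/boot`, `[SWAP]` and `/mnt/phi-export` come back PLAINTEXT. A plaintext `/boot` is normal (the bootloader has to read it before the passphrase is entered), but plaintext swap and a plaintext export drive are exactly the gaps a periodic review is supposed to find; run `audit_live` from a fleet management job and alert on any PLAINTEXT line other than `/boot`. Windows and macOS need the platform equivalents (`manage-bde -status` / `Get-BitLockerVolume`, and `fdesetup status`) rather than this script.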
For example, BlueCross BlueShield of Tennessee knows that hard drives used to store phone call recordings must be encrypted, an insight it obtained after being embroiled in what was, at the time, one of the largest data breaches in history.
This lesson was learned in 2009.
So, when one reads, in 2018, that one of the bigger hospitals in the US is looking to review its procedures to ensure that patient information is protected on portable devices… it sounds tone-deaf. Technically, as a HIPAA covered entity, it should already be doing this: the Security Rule requires a periodic risk analysis, repeated whenever security conditions change, and encryption of electronic PHI is an addressable specification that a covered entity must either implement or document an equivalent alternative for.