Seems like it’s been a tough week for Verizon to try and prove their point about how encryption is unimportant to securing protected health information (PHI).
According to ModernHealthcare.com, Peter Tippett, Vice President of Technology and Innovation and Chief Medical Officer at Verizon, recently said “Encryption of data at rest in a database, for example, typically provides ‘no value’ against a large majority of hacking and malicious code threats, and ‘end-user devices like PCs, laptops and PDAs’ are ‘orders of magnitude less important targets in the real world than is perceived (and databases are several orders of magnitude more important than end-user devices).’”
In addition, Tippett says current security standards and methods are “too complex, are based on dogma instead of science, are both ineffective and inefficient, and are too static.”
But facts and reality prove otherwise. The following RECENT breaches were revealed while Verizon is literally putting its head in the sand and marginalizing encryption (and in every one of them the patient information would have stayed protected had encryption been installed):
- US Army loses a hard drive containing 60,000 social security numbers and other personal information.
- A laptop containing clinical information on 2,000 patients was stolen from the Guam Memorial Hospital.
And all this within 2 weeks! The fact is that data in use, data at rest, and data in motion all need to be encrypted if they contain protected health information.
Health Net, a Woodland Hills, California-based managed healthcare provider realized that a missing hard drive contained protected health information (PHI). It affected 1.5 million customers, and 466,000 in Connecticut alone.
“The company reported the breach Wednesday to State Attorneys General’s offices in Arizona, Connecticut, New Jersey and New York. Health Net said it was beginning the data security breach notification process of sending out letters to its customers. The company said it expects to send notification
Connecticut Attorney General Richard Blumenthal comments: “My investigation will seek to establish what happened and why the company kept its customers and the state in the dark for so long,” Blumenthal said in a statement. “The company’s failure to safeguard such sensitive information and inform consumers of its loss — leaving them naked to identity theft — may have violated state and federal laws.”
Although disk encryption could not have prevented the drive from being lost, it certainly could have prevented unsecured protected health information from being accessible to unauthorized individuals. Federal breach notification rules under the HIPAA/ARRA/HITECH Act took effect in September 2009, but will not start being enforced until February 2010.
There has been much debate about the security of endpoint devices like tablet PCs, desktops, and laptops where web-based EMR packages are used. There is a potential false sense of security in assuming that because an EMR or PMR app is web-based, data at rest encryption (such as whole disk encryption) is not required since no local data is stored. However, consider these possible scenarios:
- Protected health information (PHI) is exported from an EMR, practice management, or even an accounting app and is stored locally in a text file or a Microsoft Office document.
- If you use mainframes accessed through terminal emulators, a user could do a “print screen” and save the image locally.
- E-mail attachments containing PHI could be saved locally.
- Web browser temp and cookie files could contain clues about how data is accessed and retrieved.
- E-mail clients that have a local store could be used. The local store, like a personal folder file (.pst) file in Microsoft Outlook, could contain PHI. Also, in a Microsoft Exchange environment the end user could inadvertently enable the AutoArchive feature where older content is stored locally on the computer in a .pst file.
“Facilities can opt to encrypt parts of their IT system, but full-disk encryption ensures the organization is covered in the event of a breach. ‘Temporary files created by various applications, the operating system swap file and hidden partitions may contain sensitive data,’ said Daniela Crivianu-Gaita, chief information officer at The Hospital for Sick Children, Toronto. ‘Full-disk encryption is the only approach that assures all the data on the local hard disks is encrypted.’”
The point is that just because a web-based EMR or other app is used in your environment, it doesn’t mean that data at rest protection should be ignored. Installing whole disk encryption to protect data at rest could provide peace of mind and protection against unwanted breach notification should that device be lost or stolen. With strict enforcement of the breach notification rules coming in February 2010, it’s better to be safe than sorry by implementing encryption as specified in the HITECH Act within ARRA.
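To show how much PHI residue the scenarios above can leave on a “web-only” workstation, here is an added audit script (not part of the original post): it walks a user profile, flags local mail stores such as Outlook .pst files outright, and searches export-type files for SSN and (a hypothetical) MRN pattern. The directory layout, file names and record values are constructed for the demo.

```python
# Audit a workstation directory tree for PHI that escaped a web-based EMR onto
# local disk. Added example, not from the original post; patterns are assumptions.
import os
import re
import tempfile

# Local mail stores hold messages and attachments in bulk; presence is a finding.
BULK_STORE_EXT = {".pst", ".ost"}
# Formats that EMR/accounting exports and saved attachments usually land in.
TEXT_LIKE_EXT = {".txt", ".csv", ".log", ".html"}
# Constructed patterns: a US SSN and a hypothetical "MRN 123456" record number.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,}\b", re.IGNORECASE),
}

def scan_file(path):
    """Return the names of PHI patterns found in a text-like file."""
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            data = fh.read(1_000_000)  # cap the read; we only need evidence
    except OSError:
        return []
    return [name for name, pat in PHI_PATTERNS.items() if pat.search(data)]

def scan_tree(root):
    """Walk root; return {relative_path: reason} for every file of concern."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(fname)[1].lower()
            if ext in BULK_STORE_EXT:
                findings[rel] = "local mail store (may hold PHI attachments)"
            elif ext in TEXT_LIKE_EXT and (hits := scan_file(full)):
                findings[rel] = "contains " + ", ".join(sorted(hits))
    return findings

def demo():
    """Build a constructed user-profile tree, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Documents"))
        os.makedirs(os.path.join(root, "Outlook"))
        with open(os.path.join(root, "Documents", "export.csv"), "w") as fh:
            fh.write("name,ssn\nJane Doe,123-45-6789\n")  # constructed PHI export
        with open(os.path.join(root, "Documents", "notes.txt"), "w") as fh:
            fh.write("Meeting at 3pm, nothing sensitive.\n")
        open(os.path.join(root, "Outlook", "archive.pst"), "wb").close()
        return scan_tree(root)
```

Run `demo()` to see the two findings; point `scan_tree()` at a real profile directory to audit a machine before deciding whether whole disk encryption can be skipped.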
BitLocker, Microsoft‘s disk encryption technology that comes with Windows 7 Ultimate, can throw the system admin into a boondoggle. Sure, it’s easy to just use what is “in the box” and call it a day. However, be prepared for a long…very long day in getting BitLocker deployed and managed.
Microsoft has traditionally added feature after feature to their products. But that doesn’t necessarily mean you have to use them (or, actually, should use them). Before we discuss BitLocker, think of the last time someone used the e-mail server that comes with Windows Server 2003 (yes, it really does come with a basic POP3 server). Ok, give up? That’s probably because most of the corporate world uses Microsoft Exchange. How about using Windows Servers as internet firewalls? Possible? Yes. Practical? No. Microsoft adds these features to help sell the core product. They can say “well, you don’t need a mail server. Server 2003 has one built-in”, even though we all know that the only purpose for it is to use it in some lab.
And here comes BitLocker. Yes, it can encrypt hard drives. Yes, it can encrypt USB flash drives. But before you pay the extra $19.99 per user for your corporate Windows 7 deployment first consider these limitations and facts about how BitLocker is deployed:
- BIOS must be compatible with TPM version 1.2 and support USB device boot
- Requires TPM chip
- Requires TPM management snap-in configuration to save encryption key to a USB device
- TPM PIN management (help desk must maintain a list of TPM PINs in case user forgets)
- No complexity or content rules available for TPM PIN
- No single sign-on (TPM PIN not related to AD auth info)
- Admin rights needed to perform initial encryption
- Requires management of TPM “owner passwords”
- Requires you to maintain recovery keys that match BitLocker keys created on each computer
- Requires Active Directory Schema extensions to be installed on 2003 and 2008 servers (don’t you love “extending the schema”?)
- Recovery options require a TPM PIN
- No centralized reporting
- Policies managed by GPOs (because they’re so easy to manage now)
- No separation of duties – recovery codes stored in AD, propagated to all DCs.
- No support for smart cards or tokens at pre-boot (cold boot and firewire-method HD attacks come to mind)
- For USB encryption – recovery keys are not managed centrally – gives the user the ability to “print out” the recovery key or store it elsewhere in a file (no key management)
- USB encryption -> not possible to write to non-Windows 7 machines once encrypted with Windows 7
So after all the time you’ve spent just to get this far, you now have an encryption system that is Windows 7 specific only. Are your legacy XP clients encrypted? No. The Macs in the marketing department? No. The Linux devices in development? No. Use a smart card or token at pre-boot? No. Can you write to USB drives encrypted with Win 7 on non-Win 7 machines? No. Is there separation of duties? Nope.
Before rolling out BitLocker take into consideration not only the software limitations but also the time involved to learn the infrastructure needed to deploy it properly. Create a lab with several PCs and a server and do real-world testing and see for yourself. BitLocker can be a great tool for personal use, or in a very small business (under 15 users). But beyond that…beware of the boondoggle.
“On October 30, 2009, the Department of Health and Human Services (HHS) issued an interim final rule pertaining to the enforcement provisions of the HI-TECH Act. The final rule serves to conform HIPAA’s enforcement regulations to the revisions to the HIPAA statutes made by the HI-TECH Act.”
This is the government’s way of saying “we’ve made a rule, and we are now going to enforce it”. The enforcement ruling is indicative of the federal government’s interest in protecting the privacy and identity of patients. As patient records get converted from paper to electronic form, security has become a very important part of the healthcare IT ecosystem.
Bricker and Eckler, LLC go on to say “The HI-TECH Act significantly increased the penalty amounts for HIPAA violations, as reflected in the final rule. Covered entities should understand the financial risks associated with HIPAA non-compliance and the changes to the available affirmative defenses. It is critical to have an effective HIPAA compliance program to avoid HIPAA violations and to identify and correct HIPAA violations in a timely manner, which can shield the organization from substantial financial penalties.”
Copyright 2008-2011 - Experior Data Security and Encryption - No parts of the content herein may be copied or reproduced without permission www.experiordata.com