We will be tweeting live from the NIST HIPAA security conference on 5/11 and 5/12. If you use twitter we will be using the #NISTHIPAA hashtag. To see our tweets you  can go to search.twitter.com and search for #NISTHIPAA after 9:30 am. You can also follow @experiordata

Protected Health Information (PHI) is a term used widely in HIPAA. PHI is information that can identify and individual, such as name, address, social security number, and clinical information about the individual. Part of the American Recovery and Reinvestment Act (ARRA) called the HITECH Act, section 13402, specifically requires a covered entity or business associate to notify HHS and the mass media of breaches of uprotected PHI involving more than 500 records. PHI that is encrypted is considered protected and, therefore, provides a safe harbor against breach notification.

Among those involved in the data breaches are hospitals, clinics, dentists, insurance companies, private medical practices (though it’s unclear as to why their names are being withheld), universities, state governments, and several Blue Cross Blue shield organizations.

More importantly, business associates – which are essentially service providers to covered entities – are not only listed but are named. Most of them are IT services providers to covered entities.

Data at rest appears to be the most common form of breach, most likely a result of lost laptops, backup tapes, and a seemingly missing server.

Data encryption provides a safe harbor against breach notification and should be implemented in places where PHI is stored.

Customers can now use PGP Universal Server to centrally manage encryption for their multi-platform environment. A single web-based user interface can be used to manage encryption end points using Microsoft Windows, Apple Mac, Red Hat Linux, and Ubuntu Linux. PGP is the only encryption vendor that delivers encryption solutions across multiple platforms. Multi-platform support is especially important with the popularity of netbooks, and the forthcoming Apple tablet device, which is reported to be using the Mac OSX operating system.

PGP also added functionality for e-mail encryption in Microsoft Outlook. Using Microsoft Outlook users can now click “sign and encrypt” buttons to automatically encrypt emails.

Experior Data is a PGP SILVER Partner and helps organizations implement data encryption solutions.

More information about these new releases is available on the PGP web site.

According to the Initial Set of Standards for Electronic Health Records patients must be provided with their health information (most certainly protected health information -PHI- under HIPAA) electronically and securely within 96 hours.

How to Secure Health Records

You may be wondering how can patient information be secured. The best way to secure information is by encrypting the media. However, note that patients must be able to decrypt the information on their own computer equipment. One of the product Experior Data implements is called PGP Portable. For example, the patient provides a USB drive for you to copy the PHI onto it. PGP Portable encrypts the entire USB device after the information is copied to it. The patient must provide a passphrase during the encryption process. When the patient goes home he/she inserts the USB drive into their home computer and is prompted for the passphrase. After the passphrase is entered access to the patient information is provided.

Related articles by Zemanta

• HIEs are Beginning to Link Patients Directly to their Own Health Data (projecthealthdesign.typepad.com)
• Pushing ONC to Act on Consumer’s Behalf (chilmarkresearch.com)
• Medfusion Maintains Leadership in Patient Portal Performance (medicineandtechnology.com)
• How to Get $20 Billion for Using Electronic Medical Records (blogs.wsj.com)

Not a good day for our friends in Canada. Apparently, a nurse from a health clinic in a Toronto area clinic copied health information for 83,000 people to a USB drive..and subsequently lost the drive. Not good.

“A health department nurse was taking a USB key containing the records to her car in Whitby, Ont., to take it to a remote clinic site on Dec. 15 when the device was lost. A search failed to turn it up.

“We believe it was lost on regional property. We have some video surveillance tape data to indicate that was the case,” said Dr. Robert Kyle, chief medical officer of health for Durham Region.

The privacy commission office was advised Monday by the Durham Region health department that the device was missing, said spokesman Bob Spence.

The USB key contained the names, addresses, phone numbers, dates of birth and health card numbers of patients who attended H1N1 flu vaccination clinics in the region between Oct. 23 and Dec. 15.”

View the full The Canadian Press article

Related articles by Zemanta

• Health records of thousands lost in Durham (healthzone.ca)
• Thousands of health records lost in Durham (cbc.ca)
• Over 80,000 Ontario health records missing (nationalpost.com)

As Alanis Morrissette would say “And isn’t it ironic … don’t you think”. A relative just received a breach notification letter from from Health Net.

Some wording we find interesting:

“The purpose of this letter is to inform you of a matter involving an unencrypted portable computer disk drive was discovered missing from a Health Net office”.

What’s interesting about this sentence is that they use the term “unencrypted”. So the majority of the general public does not know what this term means. However, Health Net indirectly acknowledges that the drive should have been encrypted, and perhaps they will implement encryption in their company.

Related articles by Zemanta

• Kindle users bypass copy protection and regional restrictions (geeksaresexy.net)

..

According to ModernHealthcare.com Peter Tippett, Vice President of Technology and Innovation and Chief Medical Officer, recently said  “Encryption of data at rest in a database, for example, typically provides “no value” against a large majority of hacking and malicious code threats, and “end-user devices like PCs, laptops and PDAs” are “orders of magnitude less important targets in the real world than is perceived (and databases are several orders of magnitude more important than end-user devices).”

In addition, Tippett says  current security standards and methods are “too complex, are based on dogma instead of science, are both ineffective and inefficient, and are too static.”

..

But facts and reality prove otherwise. The following RECENT breaches were revealed while Verizon is literally putting its head in the sand and marginalizing encryption  (and all of them could have protected patient information had encryption been installed):

• 68 Computer hard drives belonging to Blue Cross Blue Shield “walked out” of a datacenter, along with social security numbers and other information belonging to 2 million clients.
• HealthNet loses an external hard drive with personal financial and medical information belonging to 1.5 million clients.
• US Army loses hard drive with 60,000 with social security numbers and other personal information.
• A laptop containing clinical information on 2,000 patients was stolen from the Guam Memorial Hospital.

And all this within 2 weeks! The fact is that data in use, like data at rest, and data in motion needs to be encrypted if it contains protected health information.

..

Related articles by Zemanta

• Blue Cross Blue Shield Data Breach Investigation Extends Credit Protection for Providers to 2 Years (ducknetweb.blogspot.com)
• Health Net Data Breach – 1.5 Million Records At Risk With Missing Portable Hard Drive (ducknetweb.blogspot.com)
• Laptop Heist Exposes Doctors’ Personal Data (deurainfosec.com)
• Blue Cross Physicians Warning – Potential Data Breach With Stolen Laptop Computer (ducknetweb.blogspot.com)
• From the Hospital Room to Bankruptcy Court (nytimes.com)
• A member of Blue Cross Blue Shield comes over to the side of the people (iflizwerequeen.com)

There has been much debate about security of endpoint devices like tablet PCs, desktops, and laptops where web-based EMR packages are used. There is a potential false sense of security by assuming that just because an EMR or PMR app is web-based then data at rest encryption, like whole disk encryption, is not required since no local data is stored. However, consider these possible scenarios:

- Protected health information (PHI) is exported from an EMR, practice management, or even an accounting  app and is stored locally in a text file or a Microsoft Office document.

- If you use mainframes and use terminal emulators a user could do a “print screen” to save the image locally.

- E-mail attachments containing PHI could be saved locally.

- Web browser temp and cookie files could contain clues about how data is accessed and retrieved.

- E-mail clients that have a local store could be used. The  local store, like a personal folder file (.pst) file in Microsoft Outlook, could contain PHI. Also, in a Microsoft Exchange environment the end user could inadvertently enable the AutoArchive feature where older content is stored locally on the computer in a .pst file.

In a recent Advance for HIM article entitled “Are you Secured”, Daniela Crivianu-Gaita, chief information officer at The Hospital for Sick Children, Toronto. writes:

“Facilities can opt to encrypt parts of their IT system, but full-disk encryption ensures the organization is covered in the event of a breach. “Temporary files created by various applications, the operating system swap file and hidden partitions may contain sensitive data,” said Daniela Crivianu-Gaita, chief information officer at The Hospital for Sick Children, Toronto. “Full-disk encryption is the only approach that assures all the data on the local hard disks is encrypted.”

The point is that just because the EMR or other app that is web-based is used in you environment it doesn’t meant that data at rest protection should be ignored. Installing whole disk encryption to protect data at rest could provide peace of mind and protection against unwanted breach notification should that device be lost or stolen. With the strict enforcement of breach notification rules coming to fruition in February, 2010 it’s better to be safe then sorry by implementing encryption as specified in the HITECH Act within ARRA.

Related articles by Zemanta

• Encrypt EHR – Else HIPAA Violations Need Be Reported To Government & Media (docinthemachine.com)

BitLocker, Microsoft’s disk encryption technology that comes with Windows 7 Ultimate, can throw the system admin into a boondogle. Sure it’s easy to just use what is “in the box” and call it a day. However, be prepared for a long…very long day in getting BitLocker deployed and managed.

..

Microsoft has traditionally added feature after feature to their products. But that doesn’t necessarily mean you have to use them (or actually, should use them). Before we discuss BitLocker think of the last time someone used the e-mail server that comes with Windows Server 2003 (yes, it really does come with a basic POP3 server). Ok, give up? That’s probably because most of the corporate world uses Microsoft Exchange. How about using Windows Servers as internet firewalls. Possible? Yes. Practical? No. Microsoft adds these features to help sell the core product. The can say “well, you don’t need a mail server. Server 2003 has one built-in”, even though we all know that the only purpose for it is to use it in some lab.

..

And here comes BitLocker. Yes, it can encrypt hard drives. Yes, it can encrypt USB flash drives. But before you pay the extra $19.99 per user for your corporate Windows 7 deployment first consider these limitations and facts about how BitLocker is deployed:

..

• BIOS must be compatible with TPM version 1.2 and support USB device boot
• Requires TPM chip
• Requires TPM management snap-in configuration to save encryption key to a USB device
• TPM PIN management (help desk must maintain a list of TPM PINs in case user forgets)
• No complexity or content rules available for TPM PIN
• No single sign-on (TPM PIN not related to AD auth info)
• Admin rights needed to perform initial encryption
• Requires management of TPM “owner passwords”
• Requires you to maintain recovery keys that match Bitlocker keys created on each computer
• Requires Active Directory Schema extensions to be installed on 2003 and 2008 servers (don’t you love “extending the schema”?)
  
• Recovery options require a TPM PIN
• No centralized reporting
• Policies managed by GPOs (because they’re so easy to manage now)
  
• No separating of duties – recovery codes stored in AD, propogated to all DCs.
• No support for smart cards or tokens at pre-boot (cold boot and firewire-method HD attacks come to mind)
  
• For USB encryption – recovery keys are not managed centrally – give user ability to “print out” recovery key or store it elsewhere in a file (no key management)
• USB encryption -> not possible to write to non-Windows 7 machines once encrypted with Windows 7

..

So after all the time you’ve spent just to get this far you now have an encryption system that is only Windows 7 specific. Are your legacy XP clients encrypted? No. The Macs in the marketing department? No. The Linux devices in development? No. Use a smart card or token at pre-boot? No.  Can you write to USB drives encrypted with Win 7 on non-Win 7 machines? No. Are there separation of duties? Nope.

..

Before rolling out BitLocker take into consideration not only the software limitations but also the time involved to learn the infrastructure needed to deploy it properly. Create a lab with several PCs and a server and  do real-world testing and see for yourself. BitLocker can be a great tool for personal use, or in a very small business (under 15 users). But beyond that…beware of the boondoggle.

Related articles by Zemanta

• Anti-filesharing laws revive crypto fears for spooks (theregister.co.uk)