The government is naming names! Today the Office for Civil Rights, part of the Department of Health and Human Services, did what they said all along that they would do: post the names of covered entities AND business associates who are involved in data breaches. The somewhat lengthy list provides an insight into the organizations involved in breaches of unsecured protected health information (PHI).
Protected Health Information (PHI) is a term used widely in HIPAA. PHI is information that can identify an individual, such as name, address, social security number, and clinical information about the individual. Part of the American Recovery and Reinvestment Act (ARRA) called the HITECH Act, section 13402, specifically requires a covered entity or business associate to notify HHS and the mass media of breaches of unprotected PHI involving more than 500 records. PHI that is encrypted is considered protected and, therefore, provides a safe harbor against breach notification.
Among those involved in the data breaches are hospitals, clinics, dentists, insurance companies, private medical practices (though it’s unclear why their names are being withheld), universities, state governments, and several Blue Cross Blue Shield organizations.
More importantly, business associates – which are essentially service providers to covered entities – are not only listed but are named. Most of them are IT services providers to covered entities.
Data at rest appears to be the most common form of breach, most likely a result of lost laptops, backup tapes, and a seemingly missing server.
Data encryption provides a safe harbor against breach notification and should be implemented in places where PHI is stored.
Blue Cross Blue Shield of Tennessee customers will be receiving an explanation of the data breach incident, according to the Chattanooga Times Free Press.
“This week, BCBS will provide updated data to the public on exactly how many customers were exposed when 57 hard drives were pilfered in October from a storage closet at the insurer’s Eastgate Town Center branch, said company spokeswoman Mary Thompson. ‘We’ve reached a critical mass with our analysis of the information, and this week we think we can update the public,’ Ms. Thompson said. ‘We’re going to be doing a really full breakdown of how many were potentially exposed.’”
BCBS goes on further to say that the data on the hard drives was “scrambled” in a way that would make it difficult for others to access it. It remains to be seen what “scrambled” really means.
“The purpose of this letter is to inform you of a matter involving an unencrypted portable computer disk drive was discovered missing from a Health Net office”.
What’s interesting about this sentence is that they use the term “unencrypted”. The majority of the general public does not know what this term means. However, Health Net indirectly acknowledges that the drive should have been encrypted, and perhaps they will implement encryption in their company.
“A bill to protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach”
This bill essentially creates a nationwide breach notification law that requires companies who hold personal information notify people about the breach. In addition to breach notification, the bill also requires companies who store electronic personal information to establish proper security policies and establish a security policy coordinator. Personal information is defined as:
“an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:
(i) Social Security number.
(ii) Driver’s license number or other State identification number.
(iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.”
The fines are steep and could be as high as $11,000 per violation up to $5,000,000.
Notification may happen via postal mail or e-mail (if e-mail is the primary communication method and if consent to communicate via e-mail was previously given).
The Bill provides an exemption from breach notification if encryption is used. However, it also mandates that the Federal Trade Commission explore other technologies and report back to Congress 270 days after enactment. With terminology like “renders data in electronic form unreadable or indecipherable” it’s unlikely that anything other than encryption would qualify:
“(A) ENCRYPTION- The encryption of data in electronic form shall establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that the encryption has been or is reasonably likely to be compromised.
(B) ADDITIONAL METHODOLOGIES OR TECHNOLOGIES- Not later than 270 days after the date of the enactment of this Act, the Commission shall, by rule pursuant to section 553 of title 5, United States Code, identify any additional security methodology or technology, other than encryption, which renders data in electronic form unreadable or indecipherable, that shall, if applied to such data, establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that any such methodology or technology has been or is reasonably likely to be compromised. In promulgating such a rule, the Commission shall consult with relevant industries, consumer organizations, and data security and identity theft prevention experts and established standards setting bodies.”
Yes, folks. If you suffer a breach you will need to report it to HHS. Interestingly, the web site is hosted by the Center for Information Technology of the National Institutes of Health.
In addition to Federal breach notification laws each state has its own breach notification law. We found a great cross reference resource for you to use in case you're wondering about the breach notification laws in your state.
Seems like it’s been a tough week for Verizon to try and prove their point about how encryption is unimportant to securing protected health information (PHI).
According to ModernHealthcare.com Peter Tippett, Vice President of Technology and Innovation and Chief Medical Officer, recently said “Encryption of data at rest in a database, for example, typically provides “no value” against a large majority of hacking and malicious code threats, and “end-user devices like PCs, laptops and PDAs” are “orders of magnitude less important targets in the real world than is perceived (and databases are several orders of magnitude more important than end-user devices).”
In addition, Tippett says current security standards and methods are “too complex, are based on dogma instead of science, are both ineffective and inefficient, and are too static.”
But facts and reality prove otherwise. The following RECENT breaches were revealed while Verizon is literally putting its head in the sand and marginalizing encryption (and all of them could have protected patient information had encryption been installed):
US Army loses a hard drive with 60,000 social security numbers and other personal information.
A laptop containing clinical information on 2,000 patients was stolen from the Guam Memorial Hospital.
And all this within 2 weeks! The fact is that data in use, data at rest, and data in motion all need to be encrypted if they contain protected health information.
Health Net, a Woodland Hills, California-based managed healthcare provider realized that a missing hard drive contained protected health information (PHI). It affected 1.5 million customers, and 466,000 in Connecticut alone.
“The company reported the breach Wednesday to State Attorneys Generals offices in Arizona, Connecticut, New Jersey and New York. Health Net said it was beginning the data security breach notification process of sending out letters to its customers. The company said it expects to send notification
Connecticut Attorney General Richard Blumenthal comments: “My investigation will seek to establish what happened and why the company kept its customers and the state in the dark for so long,” Blumenthal said in a statement. “The company’s failure to safeguard such sensitive information and inform consumers of its loss — leaving them naked to identity theft — may have violated state and federal laws.”
Although disk encryption could not have prevented the drive from being lost, it certainly could have prevented unsecured protected health information from being accessible to unauthorized individuals. Federal breach notification rules under the HIPAA/ARRA/HITECH Act took effect in September 2009, but will not start being enforced until February 2010.
There has been much debate about the security of endpoint devices like tablet PCs, desktops, and laptops where web-based EMR packages are used. There is a potential false sense of security in assuming that, just because an EMR or PMR app is web-based, data at rest encryption such as whole disk encryption is not required since no local data is stored. However, consider these possible scenarios:
- Protected health information (PHI) is exported from an EMR, practice management, or even an accounting app and is stored locally in a text file or a Microsoft Office document.
- If you use mainframes with terminal emulators, a user could do a “print screen” to save the image locally.
- E-mail attachments containing PHI could be saved locally.
- Web browser temp and cookie files could contain clues about how data is accessed and retrieved.
- E-mail clients that have a local store could be used. The local store, like a personal folder file (.pst) file in Microsoft Outlook, could contain PHI. Also, in a Microsoft Exchange environment the end user could inadvertently enable the AutoArchive feature where older content is stored locally on the computer in a .pst file.
“Facilities can opt to encrypt parts of their IT system, but full-disk encryption ensures the organization is covered in the event of a breach. “Temporary files created by various applications, the operating system swap file and hidden partitions may contain sensitive data,” said Daniela Crivianu-Gaita, chief information officer at The Hospital for Sick Children, Toronto. “Full-disk encryption is the only approach that assures all the data on the local hard disks is encrypted.”
The point is that just because a web-based EMR or other app is used in your environment, it doesn’t mean that data at rest protection should be ignored. Installing whole disk encryption to protect data at rest could provide peace of mind and protection against unwanted breach notification should that device be lost or stolen. With the strict enforcement of breach notification rules coming to fruition in February 2010, it’s better to be safe than sorry by implementing encryption as specified in the HITECH Act within ARRA.
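The scenarios above (exported spreadsheets, saved attachments, Outlook .pst archives, screen captures, temp files and the swap file) are all ways PHI ends up on a local disk that a web-based EMR was supposed to keep it off. One defender’s check is to inventory those artifact types on an endpoint and report whether the volume holding each one is actually protected by whole disk encryption. The script below is an added example written for this post, not code from the original post or from any vendor; it assumes a Windows endpoint with the BitLocker PowerShell module (Get-BitLockerVolume) available and administrative rights, and the folders and file patterns it searches are this example’s own choices, not a standard list.

```powershell
# Added example: inventory local files that commonly hold PHI and report whether
# the volume each one lives on has BitLocker protection turned on.
# Assumptions (this example's own): Windows with the BitLocker module, run as admin;
# the roots and patterns below are illustrative choices, extend them for your environment.

$patterns = @('*.pst', '*.ost', '*.csv', '*.xls', '*.xlsx', '*.doc', '*.docx', '*.txt', '*.png', '*.jpg')
$roots = @(
    "$env:USERPROFILE\Documents",
    "$env:USERPROFILE\Desktop",
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\Pictures",                # "print screen" captures land here by default
    "$env:LOCALAPPDATA\Microsoft\Outlook",      # Outlook local store and AutoArchive .pst files
    "$env:TEMP"                                 # temporary files written by Office and browsers
)

# Resolve BitLocker protection status once per volume (e.g. 'C:' -> On/Off).
$volumeStatus = @{}
foreach ($v in Get-BitLockerVolume) {
    $volumeStatus[$v.MountPoint.TrimEnd('\')] = [string]$v.ProtectionStatus
}

function Get-VolumeProtection([string]$drive) {
    if ($volumeStatus.ContainsKey($drive)) { return $volumeStatus[$drive] }
    return 'Unknown'
}

# Walk each root and record matching files together with their volume's protection status.
$findings = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Include $patterns -ErrorAction SilentlyContinue |
        ForEach-Object {
            $drive = $_.PSDrive.Name + ':'
            [pscustomobject]@{
                Path       = $_.FullName
                SizeMB     = [math]::Round($_.Length / 1MB, 2)
                Modified   = $_.LastWriteTime
                Volume     = $drive
                Protection = Get-VolumeProtection $drive
            }
        }
}

# The operating system swap file lives outside the user profile; report its volume as well.
foreach ($pf in Get-CimInstance -ClassName Win32_PageFileUsage) {
    $drive = Split-Path -Qualifier $pf.Name
    $findings += [pscustomobject]@{
        Path       = $pf.Name
        SizeMB     = $pf.AllocatedBaseSize
        Modified   = $null
        Volume     = $drive
        Protection = Get-VolumeProtection $drive
    }
}

$findings | Sort-Object Protection, Path | Format-Table -AutoSize

# Anything on a volume whose protection is not 'On' is unsecured PHI-at-rest if the device is lost.
$unprotected = @($findings | Where-Object { $_.Protection -ne 'On' })
if ($unprotected.Count -gt 0) {
    Write-Warning ("{0} candidate file(s) sit on volumes without BitLocker protection" -f $unprotected.Count)
}
```

The report is a starting point for a conversation, not proof of PHI: a .csv in Downloads may be harmless, but if the volume shows Protection = Off, the safe harbor the HITECH Act offers for encrypted data does not apply to whatever is on it, so the fix is to turn on whole disk encryption for the volume rather than to chase individual files.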
In a strongly-worded letter sent and signed by six congressmen to HHS Secretary Kathleen Sebelius the message was clear: remove the harm assessment that lawmakers rejected when writing the privacy regulations into ARRA. The harm standard essentially says that in case of a breach the covered entity must make an assessment of whether or not the breach can cause reputational, financial, and other types of harm. This leaves open the possibility that a covered entity could decide to act in its own interest and make the decision not to follow the directives written into the breach notification ruling.
There are, of course, two sides to this. On one hand it’s difficult to enforce a policy with subjective elements present, such as the harm assessment. It is unlikely that a covered entity would risk the substantial fines, now as high as $1.5 million, and the possibility of criminal prosecution to avoid notification in case a serious breach occurs. However, the harm assessment leaves that possibility open.
A drawback to removing the harm assessment is that, ironically, too many breach notifications might be sent to people, thereby creating a “boy who cried wolf” effect. In a perfect world breaches would never happen, so there would be no reason to notify people. However, we all know that not to be the reality. Breaches do occur, intentional or not, and people need to be notified as soon as possible. Should covered entities be given the privilege of deciding the severity of the harm and potentially choosing not to notify people? We shall see what next steps Congress and HHS will take.
Copyright 2009 - Experior Data Security and Encryption - No parts of the content herein may be copied or reproduced without permission. www.experiordata.com www.arra13402.com