Protected Health Information (PHI) is a term used widely in HIPAA. PHI is information that can identify and individual, such as name, address, social security number, and clinical information about the individual. Part of the American Recovery and Reinvestment Act (ARRA) called the HITECH Act, section 13402, specifically requires a covered entity or business associate to notify HHS and the mass media of breaches of uprotected PHI involving more than 500 records. PHI that is encrypted is considered protected and, therefore, provides a safe harbor against breach notification.

Among those involved in the data breaches are hospitals, clinics, dentists, insurance companies, private medical practices (though it’s unclear as to why their names are being withheld), universities, state governments, and several Blue Cross Blue shield organizations.

More importantly, business associates – which are essentially service providers to covered entities – are not only listed but are named. Most of them are IT services providers to covered entities.

Data at rest appears to be the most common form of breach, most likely a result of lost laptops, backup tapes, and a seemingly missing server.

Data encryption provides a safe harbor against breach notification and should be implemented in places where PHI is stored.

BCBS goes on further to say that the data on the hard drives was “scrambled” in way that would make it difficult for others to access it. It remains to be see what “scrambled” really means.

As Alanis Morrissette would say “And isn’t it ironic … don’t you think”. A relative just received a breach notification letter from from Health Net.

Some wording we find interesting:

“The purpose of this letter is to inform you of a matter involving an unencrypted portable computer disk drive was discovered missing from a Health Net office”.

What’s interesting about this sentence is that they use the term “unencrypted”. So the majority of the general public does not know what this term means. However, Health Net indirectly acknowledges that the drive should have been encrypted, and perhaps they will implement encryption in their company.

Related articles by Zemanta

• Kindle users bypass copy protection and regional restrictions (geeksaresexy.net)

The House of Representatives passed the Data Accountability and Trust Act  (HR 2221) today:

“A bill to protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach”

This bill essentially creates a nationwide breach notification law that requires companies who hold personal information notify people about the breach. In addition to breach notification, the bill also requires companies who store electronic personal information to establish proper security policies and establish a security policy coordinator. Personal information is defined as:

“an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:

(i) Social Security number.

(ii) Driver’s license number or other State identification number.

(iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.”

The fines are steep and could be as high as $11,000 per violation up to $5,000,000.

Notification may happen via postal mail or e-mail (if e-mail is the primary communication method and if consent to communicate via e-mail was previously given).

The Bill provides an exemption from breach notification if encryption is used. However, it also mandates that the Federal Trade Commission explore other technologies and report back to Congress 270 days after enactment. With terminology like “renders data in electronic form unreadable or indecipherable” it’s unlikely that anything other than encryption would qualify :

“(A) ENCRYPTION- The encryption of data in electronic form shall establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that the encryption has been or is reasonably likely to be compromised.

(B) ADDITIONAL METHODOLOGIES OR TECHNOLOGIES- Not later than 270 days after the date of the enactment of this Act, the Commission shall, by rule pursuant to section 553 of title 5, United States Code, identify any additional security methodology or technology, other than encryption, which renders data in electronic form unreadable or indecipherable, that shall, if applied to such data, establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that any such methodology or technology has been or is reasonably likely to be compromised. In promulgating such a rule, the Commission shall consult with relevant industries, consumer organizations, and data security and identity theft prevention experts and established standards setting bodies.”

Related articles by Zemanta

• Learn These Helpful Ways to Reduce Your Risk of Identity Theft (lanechase.net)
• Health Net healthcare data breach affects1.5 million (deurainfosec.com)
• Identity Theft – Do You Know What it Means to Your Financial Security? (lanechase.net)

Yes, we have found the one web site we hope you never have to visit – even the name is enough to give us the chills: Notice to the Secretary of HHS of Breach of Unsecured Protected Health Information. Even the URL is eerily blunt: http://transparency.cit.nih.gov.

Yes, folks. If you suffer a breach you will need to report it to HHS. Interestingly, the web site is hosted by the Center for Information Technology of the National Institute of Health.

Law Blog 2.0 – Summary of 50 State Security Breach Notification Laws (scroll down to see the map)

Code: H3MQYQC7J26W

..

According to ModernHealthcare.com Peter Tippett, Vice President of Technology and Innovation and Chief Medical Officer, recently said  “Encryption of data at rest in a database, for example, typically provides “no value” against a large majority of hacking and malicious code threats, and “end-user devices like PCs, laptops and PDAs” are “orders of magnitude less important targets in the real world than is perceived (and databases are several orders of magnitude more important than end-user devices).”

In addition, Tippett says  current security standards and methods are “too complex, are based on dogma instead of science, are both ineffective and inefficient, and are too static.”

..

But facts and reality prove otherwise. The following RECENT breaches were revealed while Verizon is literally putting its head in the sand and marginalizing encryption  (and all of them could have protected patient information had encryption been installed):

• 68 Computer hard drives belonging to Blue Cross Blue Shield “walked out” of a datacenter, along with social security numbers and other information belonging to 2 million clients.
• HealthNet loses an external hard drive with personal financial and medical information belonging to 1.5 million clients.
• US Army loses hard drive with 60,000 with social security numbers and other personal information.
• A laptop containing clinical information on 2,000 patients was stolen from the Guam Memorial Hospital.

And all this within 2 weeks! The fact is that data in use, like data at rest, and data in motion needs to be encrypted if it contains protected health information.

..

Related articles by Zemanta

• Blue Cross Blue Shield Data Breach Investigation Extends Credit Protection for Providers to 2 Years (ducknetweb.blogspot.com)
• Health Net Data Breach – 1.5 Million Records At Risk With Missing Portable Hard Drive (ducknetweb.blogspot.com)
• Laptop Heist Exposes Doctors’ Personal Data (deurainfosec.com)
• Blue Cross Physicians Warning – Potential Data Breach With Stolen Laptop Computer (ducknetweb.blogspot.com)
• From the Hospital Room to Bankruptcy Court (nytimes.com)
• A member of Blue Cross Blue Shield comes over to the side of the people (iflizwerequeen.com)

Health Net, a Woodland Hills, California-based managed healthcare provider realized that a missing hard drive contained protected health information (PHI). It affected 1.5 million customers, and 466,000 in Connecticut alone.

“The company reported the breach Wednesday to State Attorneys Generals offices in Arizona, Connecticut, New Jersey and New York. Health Net said it was beginning the data security breach notification process of sending out letters to its customers. The company said it expects to send notification

letters the week of Nov. 30.”, according to a SearchSecurity News article.

Connecticut Attorney General Richard Blumenthal comments: “My investigation will seek to establish what happened and why the company kept its customers and the state in the dark for so long,” Blumenthal said in a statement. “The company’s failure to safeguard such sensitive information and inform consumers of its loss — leaving them naked to identity theft — may have violated state and federal laws.”

Although disk encryption could not have prevented the drive from being lost it certainly could have prevented unsecured protected health information from being accessible to unauthorized individuals. Federal breach notification rules under HIPAA/ARRA/HITECH Act took effect in September, 2009, but will be start being enforced until February, 2010.

Related articles by Zemanta

• Hacker Pleads Guilty in Vast Theft of Card Numbers (nytimes.com)
• NJ man indicted in Web name theft, sale on eBay (seattletimes.nwsource.com)
• Man pleads guilty in massive ID theft case (cnn.com)
• Plea deal reached in huge credit-card data theft (cnn.com)
• TJX Hacker Agrees to Guilty Plea; Faces 15 to 25 Years (wired.com)
• Identity theft: Three accused over biggest bank card scam in US history (telegraph.co.uk)
• Health Net healthcare data breach affects1.5 million (deurainfosec.com)
• Health Insurer Loses 1.5 Million Patient Records (wired.com)
• Health Net Data Breach – 1.5 Million Records At Risk With Missing Portable Hard Drive (ducknetweb.blogspot.com)

There has been much debate about security of endpoint devices like tablet PCs, desktops, and laptops where web-based EMR packages are used. There is a potential false sense of security by assuming that just because an EMR or PMR app is web-based then data at rest encryption, like whole disk encryption, is not required since no local data is stored. However, consider these possible scenarios:

- Protected health information (PHI) is exported from an EMR, practice management, or even an accounting  app and is stored locally in a text file or a Microsoft Office document.

- If you use mainframes and use terminal emulators a user could do a “print screen” to save the image locally.

- E-mail attachments containing PHI could be saved locally.

- Web browser temp and cookie files could contain clues about how data is accessed and retrieved.

- E-mail clients that have a local store could be used. The  local store, like a personal folder file (.pst) file in Microsoft Outlook, could contain PHI. Also, in a Microsoft Exchange environment the end user could inadvertently enable the AutoArchive feature where older content is stored locally on the computer in a .pst file.

In a recent Advance for HIM article entitled “Are you Secured”, Daniela Crivianu-Gaita, chief information officer at The Hospital for Sick Children, Toronto. writes:

“Facilities can opt to encrypt parts of their IT system, but full-disk encryption ensures the organization is covered in the event of a breach. “Temporary files created by various applications, the operating system swap file and hidden partitions may contain sensitive data,” said Daniela Crivianu-Gaita, chief information officer at The Hospital for Sick Children, Toronto. “Full-disk encryption is the only approach that assures all the data on the local hard disks is encrypted.”

The point is that just because the EMR or other app that is web-based is used in you environment it doesn’t meant that data at rest protection should be ignored. Installing whole disk encryption to protect data at rest could provide peace of mind and protection against unwanted breach notification should that device be lost or stolen. With the strict enforcement of breach notification rules coming to fruition in February, 2010 it’s better to be safe then sorry by implementing encryption as specified in the HITECH Act within ARRA.

Related articles by Zemanta

• Encrypt EHR – Else HIPAA Violations Need Be Reported To Government & Media (docinthemachine.com)

In a strongly-worded letter sent and signed by six congressmen to HHS Secretary Kathleen Sebelius the message was clear: remove the harm assessment that lawmakers rejected when writing the privacy regulations into ARRA. The harm standard essentially says that in case of a breach the covered entity must make an assessment of whether or not the breach can cause reputational, financial, and other types of harm.  This leaves open the possibility that a covered entity could decide to act in its own interest and make the decision not to follow the directives written into the breach notification ruling.

..

There are, of course, two sides of the sword. On one hand it’s difficult to enforce a policy with subjective elements present, such as the harm assessment. It is unlikely that a covered entity would risk the substantial fines, now as high as $1.5 million, and the possibility of criminal prosecution to avoid notification in case a serious breach occurs. However, the harm assessment leaves that possibility open.

..

A drawback to removing the harm assessment is that it is possible that, ironically, that too many breach notifications are sent to people, thereby creating a “boy that cries wolf” effect. In a perfect world breaches would never happen, so there would not need to be a reason to notify people. However, we all know that not to be the reality. Breaches do occur, intentional or not. And people need to be notified as soon as possible. Should covered entities be given the privilege of deciding the severity of the harm and potentially choosing not to notify people? We shall see the next steps Congress and HHS will take.