We will be tweeting live from the NIST HIPAA security conference on 5/11 and 5/12. If you use Twitter, we will be using the #NISTHIPAA hashtag. To see our tweets you can go to search.twitter.com and search for #NISTHIPAA after 9:30 am. You can also follow @experiordata
The government is naming names! Today the Office of Civil Rights, part of the Department of Health and Human Services, did what they said all along that they would do – post the names of covered entities AND business associates who are involved in data breaches. The somewhat lengthy list provides an insight into the organizations involved in breaches of unsecured protected health information (PHI).
Protected Health Information (PHI) is a term used widely in HIPAA. PHI is information that can identify an individual, such as name, address, social security number, and clinical information about the individual. Part of the American Recovery and Reinvestment Act (ARRA) called the HITECH Act, section 13402, specifically requires a covered entity or business associate to notify HHS and the mass media of breaches of unprotected PHI involving more than 500 records. PHI that is encrypted is considered protected and, therefore, provides a safe harbor against breach notification.
Among those involved in the data breaches are hospitals, clinics, dentists, insurance companies, private medical practices (though it’s unclear as to why their names are being withheld), universities, state governments, and several Blue Cross Blue Shield organizations.
More importantly, business associates – which are essentially service providers to covered entities – are not only listed but are named. Most of them are IT services providers to covered entities.
Data at rest appears to be the most common form of breach, most likely a result of lost laptops, backup tapes, and a seemingly missing server.
Data encryption provides a safe harbor against breach notification and should be implemented in places where PHI is stored.
Beginning on February 18, HHS will have the legal authority to enforce the breach notification laws set forth last year as part of section 13402 of the HITECH Act, within the American Recovery & Reinvestment Act (ARRA). The penalties can now be up to $1.5 million and require media notification in cases where 500 or more records are breached. Business associates, as well as covered entities, must now comply with the HITECH Act breach notification rule (which essentially makes modifications to the HIPAA Security Rule).
- Perform an extensive security review and identify where electronic protected health information (PHI or ePHI) resides on your IT systems.
- Create a plan for protecting PHI:
  - Data encryption provides a safe harbor from breach notification. Determine where PHI can be encrypted.
  - Identify public-facing extranet portals and web applications that can allow access to PHI.
  - Identify databases that hold PHI.
- Execute the plan:
  - Implement data encryption where practical.
  - For databases, implement a database security product to monitor database requests and protect from intrusion.
  - For web apps, implement a web application security product to protect from cross-site scripting and the various attacks used to reach databases holding PHI.
  - Protect endpoints such as laptops, tablets, etc. with data at rest encryption by implementing whole disk encryption.
Experior Data helps customers plan and execute data security assessments and technology implementation for healthcare. Our proprietary Technical Security Audit includes a personalized review of your IT systems as well as a vulnerability scan of all your network components.
PGP Corporation announced an update to its product line. PGP now supports Red Hat & Ubuntu Linux, Mac OSX Snow Leopard, and Boot Camp on Mac OSX computers. In addition, PGP has updated its whole disk encryption technology to include a Hybrid Cryptographic Optimizer (HCO) technology to deliver faster run times for PGP Whole Disk Encryption.
Customers can now use PGP Universal Server to centrally manage encryption for their multi-platform environment. A single web-based user interface can be used to manage encryption end points using Microsoft Windows, Apple Mac, Red Hat Linux, and Ubuntu Linux. PGP is the only encryption vendor that delivers encryption solutions across multiple platforms. Multi-platform support is especially important with the popularity of netbooks, and the forthcoming Apple tablet device, which is reported to be using the Mac OSX operating system.
PGP also added functionality for e-mail encryption in Microsoft Outlook. Using Microsoft Outlook, users can now click “sign and encrypt” buttons to automatically encrypt emails.
Experior Data is a PGP SILVER Partner and helps organizations implement data encryption solutions.
More information about these new releases is available on the PGP web site.
In the coming months healthcare IT administrators will see many products come to market that claim to solve the compliance issues of safeguarding unsecured protected health information (PHI). A bit of caution and understanding of the issues is required here:
- Whole disk encryption is clearly needed for mobile devices
- Whole disk encryption protects data when computers are TURNED OFF. This means that while you’re using the laptop the data is in use, and is not encrypted.
- Additional levels of data protection are needed to protect the data while computers are in use. For example, critical data files should be encrypted automatically regardless of whether the computer is turned on or off. Whole disk encryption does not do this.
- Files containing PHI that are transferred on a network need to be encrypted. Whole disk encryption does not do this.
- What about e-mails containing PHI? More importantly, what about those that use Microsoft Outlook and store data in archive (.pst) files?
So why is whole disk encryption not enough? What happens if a worm invades your computer and transfers documents of a certain file type to a remote location? Whole disk encryption will not help you in this situation.
It’s important for any encryption solution to not only encrypt the hard drive but also to encrypt files on the hard drive so that they remain encrypted while the computer is on.
According to the Initial Set of Standards for Electronic Health Records patients must be provided with their health information (most certainly protected health information -PHI- under HIPAA) electronically and securely within 96 hours.
“Consistent with the HIT Policy Committee’s recommendations, we propose the following additional clarification of this objective. Electronic copies may be provided through a number of secure electronic methods (for example, personal health record (
Provide patients with timely electronic access to their health information (including lab results, problem list, medication lists, allergies) within 96 hours of the information being available to the EP. Also, consistent with the HIT Policy Committee recommendations, we propose the following additional clarification of this objective. Electronic access may be provided by a number of secure electronic methods (for example, PHR, patient portal, CD, USB drive). Timely is defined as within 96 hours of the information being available to the EP either through the receipt of final lab results or a patient interaction that updates the EP’s knowledge of the patient’s health. We judge 96 hours to be a reasonable amount of time to ensure that certified EHR technology is up to date. We welcome comment on if a shorter or longer time is advantageous.”
You may be wondering how patient information can be secured. The best way to secure information is by encrypting the media. However, note that patients must be able to decrypt the information on their own computer equipment. One of the products Experior Data implements is called PGP Portable. For example, the patient provides a USB drive for you to copy the PHI onto. PGP Portable encrypts the entire USB device after the information is copied to it. The patient must provide a passphrase during the encryption process. When the patient goes home he/she inserts the USB drive into their home computer and is prompted for the passphrase. After the passphrase is entered, access to the patient information is provided.
Not a good day for our friends in Canada. Apparently, a nurse from a health clinic in a Toronto area clinic copied health information for 83,000 people to a USB drive..and subsequently lost the drive. Not good.
“A health department nurse was taking a USB key containing the records to her car in Whitby, Ont., to take it to a remote clinic site on Dec. 15 when the device was lost. A search failed to turn it up.
“We believe it was lost on regional property. We have some video surveillance tape data to indicate that was the case,” said Dr. Robert Kyle, chief medical officer of health for Durham Region.
The privacy commission office was advised Monday by the Durham Region health department that the device was missing, said spokesman Bob Spence.
The USB key contained the names, addresses, phone numbers, dates of birth and health card numbers of patients who attended H1N1 flu vaccination clinics in the region between Oct. 23 and Dec. 15.”
BitLocker, Microsoft's disk encryption technology that comes with Windows 7 Ultimate, can throw the system admin into a boondoggle. Sure, it’s easy to just use what is “in the box” and call it a day. However, be prepared for a long…very long day in getting BitLocker deployed and managed.
Microsoft has traditionally added feature after feature to their products. But that doesn’t necessarily mean you have to use them (or actually, should use them). Before we discuss BitLocker, think of the last time someone used the e-mail server that comes with Windows Server 2003 (yes, it really does come with a basic POP3 server). Ok, give up? That’s probably because most of the corporate world uses Microsoft Exchange. How about using Windows Servers as internet firewalls? Possible? Yes. Practical? No. Microsoft adds these features to help sell the core product. They can say “well, you don’t need a mail server. Server 2003 has one built-in”, even though we all know that the only purpose for it is to use it in some lab.
And here comes BitLocker. Yes, it can encrypt hard drives. Yes, it can encrypt USB flash drives. But before you pay the extra $19.99 per user for your corporate Windows 7 deployment first consider these limitations and facts about how BitLocker is deployed:
- BIOS must be compatible with TPM version 1.2 and support USB device boot
- Requires TPM chip
- Requires TPM management snap-in configuration to save encryption key to a USB device
- TPM PIN management (help desk must maintain a list of TPM PINs in case user forgets)
- No complexity or content rules available for TPM PIN
- No single sign-on (TPM PIN not related to AD auth info)
- Admin rights needed to perform initial encryption
- Requires management of TPM “owner passwords”
- Requires you to maintain recovery keys that match BitLocker keys created on each computer
- Requires Active Directory Schema extensions to be installed on 2003 and 2008 servers (don’t you love “extending the schema”?)
- Recovery options require a TPM PIN
- No centralized reporting
- Policies managed by GPOs (because they’re so easy to manage now)
- No separation of duties – recovery codes stored in AD, propagated to all DCs.
- No support for smart cards or tokens at pre-boot (cold boot and firewire-method HD attacks come to mind)
- For USB encryption – recovery keys are not managed centrally – gives user ability to “print out” recovery key or store it elsewhere in a file (no key management)
- USB encryption -> not possible to write to non-Windows 7 machines once encrypted with Windows 7
So after all the time you’ve spent just to get this far you now have an encryption system that is only Windows 7 specific. Are your legacy XP clients encrypted? No. The Macs in the marketing department? No. The Linux devices in development? No. Use a smart card or token at pre-boot? No. Can you write to USB drives encrypted with Win 7 on non-Win 7 machines? No. Are there separation of duties? Nope.
Before rolling out BitLocker take into consideration not only the software limitations but also the time involved to learn the infrastructure needed to deploy it properly. Create a lab with several PCs and a server and do real-world testing and see for yourself. BitLocker can be a great tool for personal use, or in a very small business (under 15 users). But beyond that…beware of the boondoggle.
E-mails that carry patient information should be encrypted so that only authorized parties can decrypt the information. There are two ways to encrypt e-mail: end to end or at the gateway. Before selecting an e-mail encryption solution, decide if you want (or need) End to End or Gateway.
End to end e-mail encryption protects e-mails stored inside each e-mail box (either on a server or locally stored on computer). End to end e-mail encryption protects messages from being read by e-mail administrators and anyone that has access to the user’s e-mail box or computer (if using POP3 or IMAP to retrieve messages). Although it requires client software to be deployed to all users it is the most comprehensive method of encrypting e-mail.
Gateway encryption does not protect messages in each user’s mailbox. It does, however, encrypt and decrypt messages as they leave from and arrive at the e-mail server. Gateway encryption is easier to deploy because it does not require client software deployment to each user. Instead, email is encrypted and decrypted using policies or even keywords inside messages. Since all messages are required to pass through an encryption gateway (even emails that do not require encryption), substantial hardware could be required to host the e-mail gateway encryption system. Since the gateway performs the encryption and decryption function, the sensitive messages stored in each user’s mailbox are decrypted and are not protected.
There are various software packages that sell e-mail encryption solutions. There are even hosted e-mail encryption services that, for a monthly or yearly fee, provide you with software and a service to encrypt e-mails. The key question to consider is whether or not you need e-mails to be secured inside the e-mail box, or if it’s sufficient for e-mails inside the e-mail box to be unencrypted but encrypted on the way in and out of your network. Remember that sent e-mails are typically stored in your “sent items” folder. Do these sent e-mails need to be encrypted? If so, you need an End to End solution.
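To make the gateway model concrete, here is an added example (written for this page in Go; not any vendor's product logic) of the policy step a gateway runs on each outbound message: internal mail never reaches the gateway, an explicit keyword chosen by the sender forces encryption, and identifier patterns that suggest PHI catch messages the sender forgot to tag. The domain name, keywords, and patterns are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Message is a simplified outbound e-mail as the gateway sees it (constructed for this example).
type Message struct {
	From, To, Subject, Body string
}

// Decision is the gateway's verdict for one message and the rule that produced it.
type Decision struct {
	Encrypt bool
	Reason  string
}

// namedPattern keeps pattern evaluation in a fixed order so the reported reason is deterministic.
type namedPattern struct {
	Name string
	Re   *regexp.Regexp
}

// Policy is a minimal rule set. Every value here is an assumption for this example.
type Policy struct {
	InternalDomain string         // mail staying inside this domain never passes the gateway
	Keywords       []string       // sender-chosen triggers, matched case-insensitively
	Patterns       []namedPattern // identifier formats that mark a message as carrying PHI
}

func DefaultPolicy() Policy {
	return Policy{
		InternalDomain: "clinic.example",
		Keywords:       []string{"[encrypt]", "[phi]"},
		Patterns: []namedPattern{
			{"US SSN", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)},
			{"medical record number", regexp.MustCompile(`(?i)\bMRN[:#\s]*\d{6,}\b`)},
		},
	}
}

func domainOf(addr string) string {
	if i := strings.LastIndex(addr, "@"); i >= 0 {
		return strings.ToLower(addr[i+1:])
	}
	return ""
}

// Evaluate applies the rules in order: internal recipient, then keywords, then
// content patterns. A message matching nothing leaves the network in the clear.
func (p Policy) Evaluate(m Message) Decision {
	if domainOf(m.To) == p.InternalDomain {
		return Decision{false, "internal recipient; gateway not involved"}
	}
	text := m.Subject + "\n" + m.Body
	lower := strings.ToLower(text)
	for _, k := range p.Keywords {
		if strings.Contains(lower, strings.ToLower(k)) {
			return Decision{true, "keyword trigger " + k}
		}
	}
	for _, np := range p.Patterns {
		if np.Re.MatchString(text) {
			return Decision{true, "content matches " + np.Name}
		}
	}
	return Decision{false, "no rule matched"}
}

func main() {
	p := DefaultPolicy()
	// Constructed sample traffic.
	samples := []Message{
		{"dr@clinic.example", "rn@clinic.example", "[encrypt] schedule", "see attached"},
		{"dr@clinic.example", "lab@partner.example", "[ENCRYPT] results", "see attached"},
		{"dr@clinic.example", "lab@partner.example", "follow-up", "Patient MRN: 0012345 needs a recheck"},
		{"dr@clinic.example", "friend@example.org", "lunch", "noon?"},
	}
	for _, m := range samples {
		d := p.Evaluate(m)
		fmt.Printf("to=%-22s encrypt=%-5v %s\n", m.To, d.Encrypt, d.Reason)
	}
}
```

Note what the decision does not cover: it is made on the wire, so whichever branch it takes, the copy that lands in the sender's Sent Items stays in plaintext, which is exactly the gap the paragraph above attributes to the gateway model.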
Still not sure which is right for you? Feel free to e-mail or call us and we will be more than glad to explain this important topic in more detail.
Copyright 2008-2011 - Experior Data Security and Encryption - No parts of the content herein may be copied or reproduced without permission www.experiordata.com