Howard Schmidt, Obama administration's cyber security czar, prepared a fantastic presentation about the four guiding principles of his cyber security plan:

• Deterrence is a primary factor in preventing cyber security threats. Applying strong protectionlike two factor authentication, one time passwords, smart cards, and implementing standard data protection systems were mentioned.
  

• Resilience is the ability to recover from an attack. Designing systems that are able to recover from an attack is paramount to national security, and especially protected health information (PHI). It was noted (in a different part) of the NIST Conference that doctors relying on Health information systems (HIT) need to ensure that a disaster recovery and backup plan is in place and is tested regularly. A doctor’s office or a hospital would be nearly impossible to operate if access to PHI is not available after moving entirely to electronic medical records.

• Privacy is important to the White House. It’s clear that legislation and the regulations that follow have privacy in mind. An good example is the Breach Notification law written into section 13402 in the HITECH ACt, part of the American Recovery and Reinvestment Act of 2009 (ARRA). The HITECH Act specifically provides safe harbors in case of a breach of encrypted PHI. The government is clearly incentivizing the use of data encryption to protect privacy.

• Partnerships with private industry were mentioned as well, although not in too much detail. Perhaps the White House wants to make sure that whatever steps they put in place have transparency to the public and the private industry.

In order to help the government and private industry standardize on a risk management process NIST created the RMF - Risk Management Framework. The framework into 6 steps:

• Categorize the information systems
• Select security controls
• Implement security controls
• Access security controls
• Authorize information systems
• Monitor security controls

At the 2010 NIST HIPAA Security Conference presentation, Pat Toth, a computer scientist working for NIST , discussed the importance of the integrating risk management and security into your enterprise computing environment.  Security is often thought of as an after-the-fact process that becomes important after IT systems and applications are deployed. Toth pointed out that our perception of security’s role needs to change in order to protect the our healthcare information systems.

Protected Health Information (PHI) is a term used widely in HIPAA. PHI is information that can identify and individual, such as name, address, social security number, and clinical information about the individual. Part of the American Recovery and Reinvestment Act (ARRA) called the HITECH Act, section 13402, specifically requires a covered entity or business associate to notify HHS and the mass media of breaches of uprotected PHI involving more than 500 records. PHI that is encrypted is considered protected and, therefore, provides a safe harbor against breach notification.

Among those involved in the data breaches are hospitals, clinics, dentists, insurance companies, private medical practices (though it’s unclear as to why their names are being withheld), universities, state governments, and several Blue Cross Blue shield organizations.

More importantly, business associates – which are essentially service providers to covered entities – are not only listed but are named. Most of them are IT services providers to covered entities.

Data at rest appears to be the most common form of breach, most likely a result of lost laptops, backup tapes, and a seemingly missing server.

Data encryption provides a safe harbor against breach notification and should be implemented in places where PHI is stored.

- Whole disk encryption is clearly needed for mobile devices

- Whole disk encryption protects data when computers are TURNED OFF. This means that while you’re using the laptop the data is in use, and is not encrypted.

- Additional levels of data protection is needed to protected the data while computers are in use. For example, critical data files should be encrypted automatically regardless of whether the computer is turned on or off. Whole disk encryption does not do this.

- Files containing PHI that are transferred on a network need to be encrypted. Whole disk encryption does not do this.

- What about e-mails containing PHI? More importantly, what about those that use Microsoft Outlook and store data in archive (.pst) files?

So why is whole disk encryption not enough? What happens if a worm invades your computer and transfers documents of a certain file type to a remote location. Whole disk encryption will not help you in this situation.

It’s important for any encryption solution to not only encrypt the hard drive but also to encrypted files on the hard drive so that they remain encrypted while the computer is on.

According to the Initial Set of Standards for Electronic Health Records patients must be provided with their health information (most certainly protected health information -PHI- under HIPAA) electronically and securely within 96 hours.

How to Secure Health Records

You may be wondering how can patient information be secured. The best way to secure information is by encrypting the media. However, note that patients must be able to decrypt the information on their own computer equipment. One of the product Experior Data implements is called PGP Portable. For example, the patient provides a USB drive for you to copy the PHI onto it. PGP Portable encrypts the entire USB device after the information is copied to it. The patient must provide a passphrase during the encryption process. When the patient goes home he/she inserts the USB drive into their home computer and is prompted for the passphrase. After the passphrase is entered access to the patient information is provided.

Related articles by Zemanta

• HIEs are Beginning to Link Patients Directly to their Own Health Data (projecthealthdesign.typepad.com)
• Pushing ONC to Act on Consumer’s Behalf (chilmarkresearch.com)
• Medfusion Maintains Leadership in Patient Portal Performance (medicineandtechnology.com)
• How to Get $20 Billion for Using Electronic Medical Records (blogs.wsj.com)

Yes, we have found the one web site we hope you never have to visit – even the name is enough to give us the chills: Notice to the Secretary of HHS of Breach of Unsecured Protected Health Information. Even the URL is eerily blunt: http://transparency.cit.nih.gov.

Yes, folks. If you suffer a breach you will need to report it to HHS. Interestingly, the web site is hosted by the Center for Information Technology of the National Institute of Health.

Health Net, a Woodland Hills, California-based managed healthcare provider realized that a missing hard drive contained protected health information (PHI). It affected 1.5 million customers, and 466,000 in Connecticut alone.

“The company reported the breach Wednesday to State Attorneys Generals offices in Arizona, Connecticut, New Jersey and New York. Health Net said it was beginning the data security breach notification process of sending out letters to its customers. The company said it expects to send notification

letters the week of Nov. 30.”, according to a SearchSecurity News article.

Connecticut Attorney General Richard Blumenthal comments: “My investigation will seek to establish what happened and why the company kept its customers and the state in the dark for so long,” Blumenthal said in a statement. “The company’s failure to safeguard such sensitive information and inform consumers of its loss — leaving them naked to identity theft — may have violated state and federal laws.”

Although disk encryption could not have prevented the drive from being lost it certainly could have prevented unsecured protected health information from being accessible to unauthorized individuals. Federal breach notification rules under HIPAA/ARRA/HITECH Act took effect in September, 2009, but will be start being enforced until February, 2010.

Related articles by Zemanta

• Hacker Pleads Guilty in Vast Theft of Card Numbers (nytimes.com)
• NJ man indicted in Web name theft, sale on eBay (seattletimes.nwsource.com)
• Man pleads guilty in massive ID theft case (cnn.com)
• Plea deal reached in huge credit-card data theft (cnn.com)
• TJX Hacker Agrees to Guilty Plea; Faces 15 to 25 Years (wired.com)
• Identity theft: Three accused over biggest bank card scam in US history (telegraph.co.uk)
• Health Net healthcare data breach affects1.5 million (deurainfosec.com)
• Health Insurer Loses 1.5 Million Patient Records (wired.com)
• Health Net Data Breach – 1.5 Million Records At Risk With Missing Portable Hard Drive (ducknetweb.blogspot.com)

Media notification is required when a breach of more than 500 records has occurred.  The Interim Final Rule preamble discusses how the U.S. Department of Health and Human Services (HHS) expects the media to be notified in case a breach of over 500 records occurs. Note that HHS considers media notification to be relative to where the residents live, not the location of the covered entity or business associate.

• If the residents in the unsecured protected health information (PHI) live in a particular city the breach notification should be sent to  the prominent media outlet serving that city. A prominent media outlet could be a television station or newspaper (no preference is given).
• If the residents in the unsecured protected health information (PHI) are spread across a state the prominent media outlet must serve the entire state.
• If the total amount of records breached is over 500 but the residents live in multiple states and not more than 500 are in any one state then media notification is not required.  Although media notification is not required, notification to the individuals is still required.
• If the total amount of records breached is over 500 in more than one state media notification is required to the prominent media outlet in each state.

The content in the media notification is identical to the content required for individual notification:

• A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
• A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
• Any steps individuals should take to protect themselves from potential harm resulting from the breach.
• A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches.
• Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, web address, or postal address.
  

..

HHS expects the notification to the media to be in form of a press release.

..

It should be noted that you can avoid media notification and notification to individuals by encrypting protected health information (PHI) .

..
HIPAA explicitly defines this Information as “…any information, including demographic information collected from an individual, that–”(A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and ”(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and–”(i) identifies the individual; or ”(ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.”

..

Protected  Health Information takes that definition and applies and electronic twist to it. The Interim Final Rule on Breach Notification for Unsecured Protected Health Information on page 4 of the preamble defines protected health information as:  “individually identifiable health information held or transmitted in any form or medium by HIPAA covered entities and business associates, subject to certain limited exceptions”.

..

“Subject to certain limited exceptions” can be interpreted to mean additional exclusions listed in Standards for Privacy of Individually Identifiable Health Information; Final Rule, 45 CFR Parts 160 and 164, ss 164.501. Exclusions as written are an employer in its role as a covered entity (covered entities are employers as well) and education records specified in the Family Education Rights and Privacy Act, 20 U.S.C. 1232g.