Loss of a Single Laptop Leads to $50k Fine Against Idaho Hospice
netbuzz writes "Losing a single laptop containing sensitive personal information about 441 patients will cost a non-profit Idaho hospice center $50,000, marking the first such HIPAA-related penalty involving fewer than 500 data-breach victims. Yes, the data was not encrypted. 'This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information,' says the Department of Health and Human Services."
This is why God invented encryption.
Kriston
It's not like the hospice is going to be particularly harmed. The costs will be passed on to you through insurance. No person was held accountable for their decision to not encrypt the laptop.
All those naysayers who claim that government doesn't work, well look at this!
Good leaders run toward problems, bad leaders hide from them.
"... will cost a non-profit Idaho hospice center $50,000, ..."
I'm not so sure just how strong of a message this will send.
Encrypting patient data should be a no-brainer in this day and age.
Yes, it is tragic, but effective encryption is free (TrueCrypt, e.g.) and a non-profit still does not have any business being incompetent.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
...what govt penalizers do best: pick on those least capable of defending themselves... in other words go after the low hanging fruit and don't bother with the really hard stuff like rich, for-profit hospitals and clinics that routinely violate HIPAA... because those have armies of high-dollar lawyers who'll make life hard on the govt if they attempt to go after them.
They beat up on these guys because they don't have the resources to fight back. Right or wrong in this case is not the issue. An easy win was. HIPAA will not go after a big health care chain, because the chain will spend all the money needed to block these cases. These guys will not back up their words about protecting patients against a biggie. They just want to look like it.
The issue of whether the breach affects more or less than 500 patients is legally relevant. Companies that suffer a compromise of certain types of personal information (including medical records) must report it to the government. When the number of victims is more than 500, the reporting requirements are stricter--the deadline is sooner, a notification about the problem is posted on a government website, etc. So when it's 500, they are generally just not treated as seriously; the enforcement agencies tend not to invest a lot of time and money in taking action against them. There is a rule that, if the data that was stolen is properly encrypted so that the hacker or thief can't actually use it, then the company has nothing to worry about. This is a "safe harbor" provision that encourages companies that store personal information to secure it so that they don't have to worry about getting sued for data breaches.
The day I was terminated from a company with a crazy spoiled-rich drunken brat whose father gave her all the startup money and helped her get a healthcare related company going was the day I became religious about encryption and file shredding. This lady was an IDIOT. She shelled out high salaries to top people in the industry to give her good advice, and she did not listen to any of them and ended up getting ripped off of her entire business model and client base by her former VP who was tech-savvy. Security was as lax as it gets and he covered his tracks thoroughly. Then when she said she was hiring top dollar experts to come in and find traces of deleted data on the computers to show evidence of what he had done, I urged her to stop using them and told the chick "don't use those computers. Anything recoverable will be overwritten". She blew me off because I wasn't a full time data recovery person. They flew in from across the country and told her the exact same thing I did. Then she got furious at me because I hadn't made it clear enough to her not to do that (which was B.S.) and eventually fired me and wanted to get her claws on my personal computer because she suspected me of being an insider helping the former VP rip her off. So I quickly moved all my personal, then non-encrypted, home PC files to a TrueCrypt encrypted volume on a new drive and then shredded the old drive's contents. Then I ran magnets all over the thing and drilled a bajillion holes in it, rendering it useless.
This is the new generation of bosses and company owners in America. They're the sons and daughters of the upper crust who are starting and running companies having no real background in the industry and making themselves look like the idiots they are in the process, while the employees are trying to beam-balance their job amidst the chaos.
Require the people in charge of an organization to store THEIR personal data in any such repository. Then maybe they'd have more incentive to make sure it gets PROPERLY encrypted.
Facebook, Google and probably Apple make money selling customer data
but
Non-Profit organisation (organization) gets fined for losing customer data
I know it's different data but c'mon, what's the world coming to?
I'm not signing anything
At a university where I work, there is a requirement that any project involving storing personal data must go through several periodic reviews and has to meet some strict requirements - encryption is a must (without it, the project won't even get off the ground). I'd be very surprised if there are no regulations dictating how hospitals must store and protect data.
I read TFA, but I couldn't see whether such requirements are a must for hospices. Did they just go ahead and ignore the requirements? In which case, the fine is too small. Or are there no regulations for the healthcare industry (I'd find that very surprising)? Can someone more knowledgeable tell me if this was negligence or outright violation of protocol?
Finally someone punished for their security incompetence!
The fine seems pretty low though.
While not free, a much simpler option for the end-user would be to purchase a laptop with drive encryption available out of the box. Windows 7 Ultimate/Enterprise and Mac OSX respectively. Both can provide end-user support over the phone in the event of needing to recover data (OEM and Apple support). That phone call could make this the most important decision ever made. And to go a step further, you can use an online backup solution such as Mozy and backup to the cloud (both client connection and back-end storage resides in an encrypted state).
Now, you may say this is expensive. But the cost of paying the fine is much higher. It's also more expensive to society as a whole when sensitive information gets shat all over the internet. I can't speak for everyone, but I know I don't want my stuff out there.
Life is not for the lazy.
Every time I see one of these stories I wonder about the same thing. Why is sensitive patient information on a laptop in the first place, and why is that laptop leaving the hospital?
If you are a business executive, I can understand that you would be carrying a laptop which contains emails and other documents. But I cannot think of a single good reason (GOOD REASON) why a hospital's patient information would ever need to be stored on a laptop. Seriously, if you have employees carrying around laptops loaded with patient information, you're doing it wrong.
No, not to the same place. But by coincidence, the NFL will contribute a $50,000 fine levied against a player mouthing off against the refs to the North Idaho hospice.
Hey, I'm cynical. Sue me.
Having worked on many projects involving various levels of government regulation and compliance, and seeing all the different facets of security and what-not, I can state for a fact that a case like this will be looked at like "It was only a $50k fine? This security hardening project is costing us well over $200k and we still might have a breach that would lead to such a fine. Why are we even bothering?"
We had a project that was basically just a fuzzy match for numbers that looked like credit card or social security numbers and delete them if it found them, just in case they got into a part of the database they shouldn't (like a customer stuck their social security number into their address, and yes, it's happened before). That project cost us $22,000. It ended up being a single line of SQL that ran as part of a service every hour. $50k is laughable. Security breaches like this should nearly bankrupt a company, there is no other way they'll be taken seriously. I'm involved in 5 different projects right now, each of them billing out at over $100k each, 3 of them revolve around privacy issues and government compliance. The fines issued for such breaches aren't even in our paperwork as a concern. The cost of a breach in regards to public image however has a very specific, very large number near the top of the chart. But we're in a business where people are paying attention to such things. These fines should START in the millions because preventing them costs in the hundreds of thousands of dollars.
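One way to implement the kind of scrub the comment above describes, written here as an added Python example rather than the poster's own hourly SQL job: it scans free-text fields (address, notes) for values shaped like payment-card or US Social Security numbers, applies a Luhn check and SSA issuance rules to cut false positives, and reports findings with all but the last four digits masked. The record layout, field names and sample values are constructed for the example.

```python
"""Flag card-like and SSN-like numbers that have landed in free-text fields.

Constructed example: the record layout and sample values below are made up,
and this is not the poster's production query.
"""
import re
from typing import Dict, List, Tuple

# Runs of 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# SSN shape AAA-GG-SSSS with optional separators; plausibility checked later.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

FREE_TEXT_FIELDS = ["address", "notes"]

# Constructed sample rows: one clean, one card number in the address field,
# one SSN in the notes field, one with only a phone number and an invalid SSN.
SAMPLE_RECORDS = [
    {"id": 1, "address": "12 Main St, Boise ID", "notes": "Order #10001234567"},
    {"id": 2, "address": "4111 1111 1111 1111", "notes": ""},
    {"id": 3, "address": "PO Box 7", "notes": "call back, ssn 078-05-1120"},
    {"id": 4, "address": "9 Elm", "notes": "phone 555-123-4567, ref 000-12-3456"},
]


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by card issuers; separates real-looking
    card numbers from arbitrary digit runs such as order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped values the SSA never issues: area 000, 666 or
    900-999, group 00, serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def mask(value: str) -> str:
    """Keep only the last four digits so the finding can be logged safely."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_record(record: Dict, fields: List[str]) -> List[Tuple[str, str, str]]:
    """Return (field, kind, masked_value) for each suspicious number found
    in the given free-text fields of one record."""
    findings = []
    for field in fields:
        text = record.get(field, "") or ""
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):
                findings.append((field, "card", mask(digits)))
        for m in SSN_RE.finditer(text):
            if ssn_plausible(*m.groups()):
                findings.append((field, "ssn", mask(m.group(0))))
    return findings


def scan_records(records: List[Dict], fields: List[str]) -> Dict[int, List[Tuple[str, str, str]]]:
    """Map record id -> findings, keeping only records with at least one hit.
    A scrub job would act on these ids (null the field, open a ticket)."""
    result = {}
    for rec in records:
        hits = scan_record(rec, fields)
        if hits:
            result[rec["id"]] = hits
    return result


if __name__ == "__main__":
    for rec_id, hits in scan_records(SAMPLE_RECORDS, FREE_TEXT_FIELDS).items():
        for field, kind, masked in hits:
            print(f"record {rec_id}: {kind} in '{field}': {masked}")
```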
Question; is there a difference between 'effective' encryption, and 'HIPAA Approved' encryption?
From a legal standpoint, would cheap/free encryption like Truecrypt/PGP be acceptable, or do you need HIPAA certified encryption with enterprise key management, etc. for $1000 a seat?
What stops your medical records being 'encrypted' with ROT13?
Question; is there a difference between 'effective' encryption, and 'HIPAA Approved' encryption?
Yes, HIPAA stipulates that it must be FIPS-accredited. AES-encrypted zip files are acceptable; the older standard of zip file encryption (whatever that was) isn't.
What stops your medical records being 'encrypted' with ROT13?
The above.
You can never "undisclose" facts like home addresses of HIV patients,
patient names taking socially stigmatizing drugs, phone numbers and mental disorders, etc.
Bank-fraud mentality doesn't work in medicine: we can't "replace" the amount lost.
RULES
1. DON'T put private patient data on your laptop (HIPAA identifiers)
2. ENCRYPT data in those very rare care delivery circumstances where you actually need HIPAA data on your laptop
3. DE-IDENTIFY information you don't really need: you don't need patient names for research except in rare cases
$50k fine seems reasonable penalty to kick people out who aren't capable of basic safeguards.
I defend your health data and I approve this message.
--Anonymous Coward
So it has been revealed: your medical information costs about 113USD. Don't sell it for any less!
Why does the government get any of it?
When you lose one laptop worth of patient data, don't tell anybody.
FIPS 140-2 to be more specific. There are plenty of free options.
- If we aren't supposed to eat animals, then why are they made out of meat? - Steven Wright
I love all the immediate "encrypt it" comments. Yes, that would be helpful, but the bigger question to ask is:
"Why would such data be copied onto a laptop in the first place?"
We keep hearing stuff like lost laptops and flash drives over and over. The reality is that sensitive data like this shouldn't be on those devices in the first place. One would think it would be accessed only on secure servers through approved clients and methods. Most facilities' HIPAA guidelines specifically forbid copying such information off the servers in the first place (except by I.T. for backup) regardless of whether it is encrypted or not. Seems like employees in the organizations just ignore that.
Encryption can be broken.
This is just a case of following the good old, tried and true tax department/RIAA solution. You go after the small, weak, vulnerable targets. The big ones are likely to defend themselves with armies of lawyers and keep your sorry ass in court for the next hundred years.
Basically, it's much easier and safer to kick a dog with no teeth.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
If there is a definition of cloud computing, it's the abstraction of administration. Managers at a hospice in Idaho are not qualified to make IT decisions about encryption. Even Microsoft's cloud is more secure than what they can put together : ) Combine bio-authentication with a website white list and you eliminate all passive/opportunistic attacks.
Is there anything better than clicking through Microsoft ads on Slashdot?
Part of HIPAA was to address information portability. While it may be better, patient information portability is painfully lacking. When will this be addressed with the same gusto as the privacy portion?
Where in HIPAA does it state FIPS compliant encryption? I'd love to see this citation. HIPAA is a guideline, it sets in place no specifications as to exactly what you should do.
Any HIPAA audit would have found just that deficiency.
Are there? Last time I looked into FIPS 140, it was the case that only certain software versions were validated by NIST, and none of the validated incarnations were either free-beer or free-libre.
Even the folks behind Truecrypt say "To our best knowledge, TrueCrypt complies with the following standards, specifications, and recommendations...", before failing to mention FIPS 140 at all.
Indeed, looking again at the list of validated FIPS 140 wares, it does seem to be lengthy, but it is mighty specific and I do not see a single instance of anything free-as-in-beer, let alone "plenty of free options."
The only thing that stands out is that Red Hat has had some OSS software validated as being FIPS-140, but only when installed according to their posted Security Policy, which seems to require RHEL, which is not free.
So. [citation needed], and stuff: If you've got the goods, give 'em up. (And no, "To our best knowledge" is not a defense against a HIPAA violation: It either is validated to FIPS 140(-2), or it is not.)
Kid-proof tablet..
HIPAA *does* set in place specific specifications to comply. The beauty of HIPAA is that the Dept H&HS releases guidance to inform people how to comply on pretty much every aspect:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html
When it comes to technology, they always refer to NIST standards as being tested and compliant. Read NIST special publication 800-111 and its references to the FIPS 140-2 standard at http://csrc.nist.gov/ (Publications / Special Publications on the top menu) and you'll see they have very thorough information on how to implement encryption correctly.
This exactly, much like SarbOx it's mostly a minimum framework for organizations to write their own policies (in fact HIPPA doesn't specify ANY technologies, only policies). Specific auditors might require specific standards in order to make their jobs easier (checkbox auditing) but the law is much more vague. In reality if you put in a good-faith effort to protect patient information and followed your organization's published guidelines it's highly unlikely that you or your organization will be fined unless there's a finding of gross negligence (i.e. I wrote the encryption key on a Post-it attached to the outside of the tape case).
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
As a standard, it must do this, because it's possible for a version of software to have fatal bugs in it. Like say a fatal OpenSSL bug in Debian used to pass through valgrind. That would mean that one cannot certify those versions, but ones that were fixed can then be submitted for certification.
And it's possible that TrueCrypt may be certified, but someone makes an error and version +1 now doesn't meet the requirements.
And yes, commercial software can have such show stopping bugs as well due to some coding error.
Cloud computing needs a good data plan and coverage. Based on needs and how the cloud is set up (something on live like) it will need a lot more than a 5GB cap, and say $10 a gig after 5GB can add up very fast.
How do you propose we handle this?
If it's a web application it's reasonable to assume that browser caching would cache certain data on the hard drive. Even "clearing cache" would only delete the headers and not securely delete all of the data. With IE, you can enforce a GPO that tells the browser not to cache data retrieved over HTTPS; but this is assuming that HTTPS is used for internally connected systems (oftentimes they're not), and it assumes the user is using Windows in an Active Directory environment.
The other thing is policy. I work in an organization developing policy surrounding HIPAA data and I can tell you that it's significantly easier to have a global overall encompassing policy than it is to separate out what data should and SHOULDN'T be copied off of the server. If a user has read rights they have the rights to copy data to their HDD. So we treat all systems, even ones not directly involved in dealing with HIPAA data, the same. It makes it much easier to say with certainty that appropriate security measures have been applied.
That's why the big boys can just bribe the investigator to shove it under the table....
yeah... you... Humana, Arcadian, Kaiser.... I know of instances where each of you got away with it..
There is also the need for datasets to be analysed by Claims and Finance for trends. In some cases Claims needs to know which/what are the top areas and why/how much they are paying out or expecting income from. [I work for a healthplan. You will not believe how much data analysis takes place... mainly for 1 reason, reduce costs/improve bottom line.]
I am going to assume the hospice is in a similar boat we are... and I will explain how it's not as simple as the wand wavers above try to make it sound. I'm essentially the brat mentioned above. Small practice with about 7 providers and about 50 machines... Probably 50/50 desktops and laptops. We use a shitbox EHR that was shoved down our throats because our old vendor sold the code to the highest bidder to acquire clients. Me and 3,000 other clients are stuck with a "new" shit product, $100,000 in debt and India to call for "support". We don't have $22k for one line of SQL code. The EHR requires local users to be admins. Mind blowing. A GPO restriction against data to the local disk renders the box useless. No matter how many learning moments, hand slaps and write-ups you have, users will never understand the difference between My Documents and the shared network drive where stuff is supposed to go. Ironically doctors are the worst. I wrote hundreds of pages of HIPAA policy and then tried to figure out how to encrypt and secure 50 XP machines running on aging Dell 2350s/3000s and D510s. The state HIPAA auditor says we need essentially another $100,000 worth of new stuff and encryption. There is zero IT budget. I just yanked all the drives and am PXE booting Thinstation to a terminal session. In the follow up, the auditor agreed it satisfies the encryption issue 100%, and she had never heard of that or seen it done but applauded me. There are thousands of offices just like me who have no budget and are already drowning in debt from the non-free software rapists. The number one argument you will get from the business owners is no budget. Dwindling reimbursements coupled with exponentially expensive responsibilities like this article make for a rough combo. I feel bad for the chaps in bumblefuck Idaho. They are probably barely scraping by, then this...
I'd pitch the same solution I used that passed the HIPAA audit to any of these other offices out there you might find who need help but can't afford anything else. Pass it on. /$.02
It was a non-profit. Those are the worst.
If it was a company like Sony, it would be, "Well, try harder next time, okay? Thanks."
Are there? Last time I looked into FIPS 140, it was the case that only certain software versions were validated by NIST, and none of the validated incarnations were either free-beer or free-libre.
Crypto++ is free and open source and FIPS 140-2 validated.
While not free, a much simpler option for the end-user would be to purchase a laptop with drive encryption available out of the box. Windows 7 Ultimate/Enterprise and Mac OSX respectively. Both can provide end-user support over the phone in the event of needing to recover data (OEM and Apple support). That phone call could make this the most important decision ever made. And to go a step further, you can use an online backup solution such as Mozy and backup to the cloud (both client connection and back-end storage resides in an encrypted state).
Now, you may say this is expensive. But the cost of paying the fine is much higher. It's also more expensive to society as a whole when sensitive information gets shat all over the internet. I can't speak for everyone, but I know I don't want my stuff out there.
This is exactly the point. Whoever you are, if you deal with medical data, it must be more expensive for you to mess up than to do things right.
Seriously, get a computer in front of your hospital infrastructure which has Internet access (or a modem) on one side and runs ssh or something.
Then you simply log in via your portable computer. Nothing will be cached, nothing will be local, just use your portable computer like you would use any terminal.
That's not rocket science, it already worked in the 1980s, just go and watch "Wargames" and you will even learn about much of the security involved.
While I do not know the legal angle, TrueCrypt is effective in so far that any reasonably competent expert will testify to it being so. ROT13 can be broken in a fully automatic way even if you do not know it is ROT13. That disqualifies it from being "effective", again to be demonstrated by expert testimony.
I doubt HIPAA can require specific encryption. I rather think that they have to show whatever you use is ineffective when you contest the fine. Of course, with "no encryption", they do not have to show anything.
There are exactly zero FIPS 140-2 software encryption products, as this level requires hardware. Even FIPS 140-1 is problematic, as it only applies to the specific software version you certified. Need a security update? Too bad, the certification is gone.
FIPS is basically worthless, as it ignores the real world.
About time people faced some real consequences for this sort of action. It's a shame (but not unexpected) that they picked on a hospice to make the example, rather than say a large corporation, but the principle stands. If you don't encrypt private, confidential data you should be held accountable. No more plain text passwords in database tables, no more unencrypted personally identifiable information on removable/portable devices (or in database files for that matter). No excuses.
Sky subscribers are morons. They pay to be advertised at !
3 letter UIDs were invented once the two letter UID name space was being used up. Entities with only two letters have more class since they have more time in.
From Jeremiah Cornelius the troll's post history http://slashdot.org/comments.pl?sid=3360735&cid=42494443
Regulatory compliance determines what is 'acceptable.'
At my last employer we had to be FIPS 140-2 compliant.
http://en.wikipedia.org/wiki/FIPS_140-2
with nobody held accountable.
I love Jesus, except for his foreign policy.
This is very far from the first time sensitive information has been turned loose because some idiot put it on his laptop and took it home. That ought to be a firing offense. Keep it on a server and don't let it out of the building. How many times is this going to happen before someone wakes up and puts this very obvious rule in place, and enforces it?
The policy is simple: No copying data from the server. Period. Do it and you have to find another job. If you are concerned about overwrites, use version control.
If the information in any laptop (or desktop) could be worth tens of thousands in fines we might just see an increase in health care thefts and blackmail. Cheaper to pay to get the laptop back than to pay the fine if the data goes public.
As an information security professional I'm torn. Although I agree with HIPAA, didn't it just figure they would fine a small company? A non-profit hospice? I read almost weekly about larger, for profit companies selling, mishandling and losing personal and healthcare data.
This reminded me of my years working at a residential treatment facility. There the smallest / weakest kids were constantly being aggressively disciplined for minor offenses whereas the larger, tougher kids were often rewarded for the same behavior.
Rules are rules. If the government wants to set an example I'm sure they could find a better target than hospice.
In the olde days, your health records would be transferred either by: you, or doctor to doctor by snail mail. ...very sad.
Recently, I was surprised to learn that a records transfer was handled by a third party private company,
completely out of the patients' control. There's no HIPAA requirement there; they can data-mine all they want.
OpenSSL is certified (entry 1747 on that page, "OpenSSL FIPS Object Module"), and they ship a FIPS-specific tool.
Beat, kill, just because I'm a fox!
Yet, HIPAA doesn't mandate the use of any specific technology, at all. FIPS is not mandated for use for HIPAA, the AC is dead wrong.
I am so glad we have such tough protections against such serious offenses as losing a laptop with information. Next time they should lose a bunch of handguns, there is no fine for that.
Seriously, the medical industry, an industry designed to heal people, has more regulation, liability, and fines than the gun industry, an industry designed to create weapons for killing people. Medicine is treated so differently from other industries such as the gun industry (which actually has legal protections against liability or fines.) We want our records password locked and encrypted, but our handguns freely available without requiring passwords, maglocks, fingerprint locks, etc. We live in a strange society that is schizophrenic about its priorities, laws, protection and privacy.
"Guns don't kill people, people kill people." Maybe people shouldn't have guns.
The health care sector loses information all the time. Over the last 15 years, two hospitals have managed to lose 5 MRI tests and 1 EEG test, digital and paper copy. I really don't trust the "security" in place with the health care sector at all.
Working for an organization which deals with HIPAA sensitive data on a daily basis, I can say that PGP is fairly industry standard, at least for communication between agencies.
More specific, but not necessarily accurate. FIPS 140-2 is the requirement for data "in motion" (being transmitted via some communication channel.) The requirements for encryption to be sufficient to not leave the data covered by it "unsecured" under HIPAA are methods consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
Well, first off, FIPS 140-2 is only specified as part of the requirement for data to be considered "secured" for data in motion under HIPAA (not data at rest, which is where FDE comes into play.) Second, where FIPS 140-2 is relevant (data in motion) the HIPAA rule certainly accepts FIPS 140-2 validated systems, but what it requires is merely that the encryption method be consistent with FIPS 140-2, not that the system be FIPS 140-2 validated.
HIPAA doesn't require a FIPS 140-2 validated product, it requires that, for data in motion, the encryption method is consistent with FIPS 140-2, and it specifically includes anything consistent with NIST SPs 800-52, 800-77, and 800-113. For data at rest -- which is what the issue is here with, e.g., Full Disk Encryption -- FIPS 140-2 isn't even discussed; the requirement is that the method be consistent with NIST SP 800-111.
It doesn't say it in HIPAA (which is a statute). It says it in the guidance issued by HHS under the HITECH Act which sets standards for whether data is considered "unsecured" or "secured" under the HIPAA Security Rule (a regulation adopted to implement HIPAA under the regulatory authority granted to the HHS by HIPAA). And the "consistent with FIPS 140-2" is for data in motion, not data at rest, so it doesn't actually apply here; the data at rest standard is NIST SP 800-111. See 72 FR 19006, 19009-19010.
The HITECH Act, under which the guidance referred to was issued, specifies that the guidance issued under the act controls whether data is considered "secured" or "unsecured"; the various penalties and breach notification requirements in HIPAA apply to breaches of unsecured PHI. So, the guidance specifying particular methods is a mandate as to which methods of securing data must be used, at a minimum, to avoid triggering various consequences. It's true that you can ignore that guidance as to particular methods and, if you never expose data (even encrypted data, if it's not encrypted by one of the specified mechanisms) to an unauthorized party even accidentally, never trigger the consequences under HIPAA.
First, it's HIPAA, not HIPPA. Second, the "no technologies, only policies" statement used to be true, but hasn't been really true since the HITECH Act and related guidance/regulation modified the HIPAA Security Rule; there are specific technical requirements for data to be considered "secured". It's not required to actually meet those requirements, but there are consequences if unsecured data (that is, not secured by technology meeting the specified standards) is exposed to unauthorized parties.
Fines are issued by independent courts. When some random government department demands money from you, your response should be "make me".
If you were blocking sigs, you wouldn't have to read this.
You mean, like the $1 million settlement Massachusetts General made in 2011 for HIPAA violations?
Banks aren't covered by HIPAA. Most doctors and clinics are small-entities, and this case was noted as being the first significant penalty for a small entity under HIPAA. Cignet -- a big insurer -- paid a $4.3 million fine for HIPAA violations.
It's not free to implement, support, and manage. Throwing out terms like 'incompetent' doesn't address this problem.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
Can you point me to the part of HITECH that requires FIPS certification, because the NIST checklist still has the standard HIPAA style policy driven directives, not prescribed technical solutions. (section 164.312(a)(2)(iv))
My organization doesn't allow EPHI on laptops, everything is meant to be done via virtual desktop/applications over VPN. We encrypt all of our laptops because we know our staff are human and will take shortcuts here and there. They get disciplined when it happens, but it happens. Simply relying on your policies to protect you is insufficient, you can't leave yourself open to a breach because a worker saves a copy of their client schedule on their desktop. So your question definitely gets asked by any competent Security/Privacy Officer, but the correct answer is still, "encrypt it".
It doesn't. What it does (at Section 13402) is require the Secretary of HHS to publish guidance on appropriate methods of securing data, and specifies that PHI not secured by technology consistent with the most-current issued guidance is considered "unsecured", and specifies a number of things that have to be done if "unsecured" PHI is exposed. The guidance HHS has issued under the HITECH Act requires that encryption methods for data in motion be consistent with FIPS 140-2 (not that systems be certified under FIPS 140-2) in order for the data not to be considered "unsecured", and specifies other requirements for data at rest.
All those still apply (and that reference is not a section of HITECH -- or even HIPAA -- it's the section of Title 45 of the Code of Federal Regulations for one piece of the regulations issued under HIPAA making up the Security Rule.)
Thanks, that's the first time I've seen actual guidance on specific technologies as it relates to HIPAA. The lack of guidance on actual implementable solutions was one of the biggest frustrations when the enforcement piece was coming online for us, as recommending specific solutions was considered dangerous territory; it seemed like the law was written in such a manner as to give you enough rope to hang yourself with (or to allow bureaucrats to target anyone they wanted).
Question: is there a difference between 'effective' encryption, and 'HIPAA Approved' encryption?
From a legal standpoint, would cheap/free encryption like Truecrypt/PGP be acceptable, or do you need HIPAA certified encryption with enterprise key management, etc. for $1000 a seat?
What stops your medical records being 'encrypted' with ROT13?
TrueCrypt would indeed have allowed the hospice to invoke "safe harbor" by pointing out the loss of an encrypted drive does not constitute a "release" of EPHI.
Question: is there a difference between 'effective' encryption, and 'HIPAA Approved' encryption?
Yes, HIPAA stipulates that it must be FIPS-accredited.
[citation needed]
HIPAA regulations do not specify what is or is not "approved". They provide guidelines, among those is an obtuse reference to NIST.
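An added example, not code from any poster in this thread and not part of TrueCrypt, PGP or any HIPAA guidance, to make the 'effective versus ROT13' question above concrete. It encrypts a constructed, fictitious schedule fragment (the sample record, names, MRNs and dates are all made up) with AES-256-GCM, the kind of FIPS 140-2 approved algorithm the HHS guidance points at, sets it beside a ROT13 "encryption" of the same text, and runs a byte-entropy sanity check over both. The key is generated ad hoc here for the demonstration; a real deployment would take it from a key-management system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"math"
)

// SampleRecord is a constructed, entirely fictitious schedule fragment
// standing in for EPHI a staff member might save to a laptop.
const SampleRecord = `Patient: Alex Example (constructed sample, not a real person)
DOB: 1940-01-01   MRN: 000000-TEST   Visit: 2013-01-15 09:30
Notes: routine comfort-care check, medication list reviewed,
family contacted about next week's schedule.
Patient: Blair Example (constructed sample, not a real person)
DOB: 1938-06-30   MRN: 000001-TEST   Visit: 2013-01-15 11:00
Notes: pain management adjusted, follow-up call scheduled.
`

// Rot13 is the "encryption" the question jokes about: a fixed letter
// substitution that is its own inverse and hides nothing.
func Rot13(in []byte) []byte {
	out := make([]byte, len(in))
	for i, c := range in {
		switch {
		case c >= 'a' && c <= 'z':
			out[i] = 'a' + (c-'a'+13)%26
		case c >= 'A' && c <= 'Z':
			out[i] = 'A' + (c-'A'+13)%26
		default:
			out[i] = c
		}
	}
	return out
}

// NewKey returns a fresh random 256-bit key (demo only; see lead-in).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord seals plaintext with AES-256-GCM and returns nonce || ciphertext.
func EncryptRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptRecord reverses EncryptRecord; a wrong key or a tampered or
// truncated blob fails authentication instead of yielding garbage.
func DecryptRecord(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

// ShannonEntropy returns bits per byte: English text sits around 4-5,
// real ciphertext near 8. ROT13 output scores the same as its input
// because it only permutes the byte histogram.
func ShannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	n, h := float64(len(b)), 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

func main() {
	pt := []byte(SampleRecord)
	key, _ := NewKey()
	blob, _ := EncryptRecord(key, pt)
	fmt.Printf("plaintext %.2f, rot13 %.2f, AES-GCM %.2f bits/byte\n",
		ShannonEntropy(pt), ShannonEntropy(Rot13(pt)), ShannonEntropy(blob))
	wrong, _ := NewKey()
	_, err := DecryptRecord(wrong, blob)
	fmt.Println("wrong key rejected:", err != nil)
}
```

The entropy figure is only a smoke test, not proof of security, but it is enough to show why a substitution cipher could never be argued as "secured" data under the guidance, while the authenticated AES-GCM blob also rejects a wrong key or a truncated file rather than decrypting to noise.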
Actually, you might be surprised but sometimes these "charitable" types of organizations are the most ripe for fraud/abuse.
My grandmother almost never uses her credit-card, but the last time she had it compromised was shortly after calling in a donation via telephone (the recipient org was legit, but the temp call-centre employees were likely not well vetted). Soon after that she had to cancel the card because somebody in the US was using her CC # to buy body-building supplements.
Just because an organization does something good doesn't mean it can't have people who do bad things under its umbrella, hence the rules should be enforced for everyone.
While you are correct that such analyses are needed and done all the time, none of that really has to contain identifiable info. And just because work might need to be done, doesn't mean an entire database of PHI has to be copied to a mobile device to do it.
You have to consider, however, who actually runs (or more importantly, actually wants to run or even sometimes only can afford to be running) MOST small medical care operations in the US: people who couldn't (by training or aptitude) become IT or techie types but excel at empathy and soft skills that are necessary for the medical profession at the patient-caregiver level.
I know tons of people who run nursing homes, rehab centers, etc. because of relatives working in such places or having had relatives needing care in these places. They are NOT EVER tech gurus AND they are always running on fumes financially because of all the regulation that is applied to this industry. The possibility to have THEM know such technically "obvious" things is ZERO. The possibility they could afford to hire someone who could tell and then install and operate is only slightly greater than zero.
This is why healthcare in the US is so profoundly bad. More is spent and lost on compliance and regulation than on delivering actual healthcare. This is why you see horror stories posted in various venues (here, Reddit, etc.) where some schmuck goes to the hospital for a day and gets a bill for $100K with $1K aspirin charges, etc.
If you don't think it's bad in the US, you are 1) too young to have had any serious exposure to the healthcare system and its dysfunction, and/or 2) you have never traveled or lived elsewhere to experience how much better most other countries' healthcare systems really are "on the ground". Heaven help you when you finally get exposed to the horror of it.
Yes, it is tragic, but effective encryption is free (TrueCrypt, e.g.) and a non-profit still does not have any business being incompetent.
Not so much tragic as skeezy... large institutions lose covered information all the time, but it just falls through the cracks (i.e. nobody notices/cares when a copy of the information is lost).
You won't see any fines levied against these institutions. The investigators are typically not capable enough to track down an infraction.