Slashdot Mirror
Loss of a Single Laptop Leads to $50k Fine Against Idaho Hospice
netbuzz writes "Losing a single laptop containing sensitive personal information about 441 patients will cost a non-profit Idaho hospice center $50,000, marking the first such HIPAA-related penalty involving fewer than 500 data-breach victims. Yes, the data was not encrypted. 'This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information,' says the Department of Health and Human Services."
This is why God invented encryption.
Kriston
It's not like the hospice is going to be particularly harmed. The costs will be passed on to you through insurance. No person was held accountable their decision to not encrypt the laptop.
"... will cost a non-profit Idaho hospice center $50,000, ..."
I'm not so sure just how strong of a message this will send.
Encrypting patient data should be a no-brainer in this day and age.
Yes, it is tragic, but effective encryption is free (TrueCrypt, e.g.) and a non-profit still does not have any business being incompetent.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
It's hard to tell if you're being sarcastic or not.
...what govt penalizers do best: pick on those least capable of defending themselves... in other words go after the low hanging fruit and don't bother with the really hard stuff like rich, for-profit hospitals and clinics that routinely violate HIPAA... because those have armies of high-dollar lawyers who'll make life hard on the govt if they attempt to go after them.
They beat up on these guys because they don't have the resources to fight back. Right or wrong in this case is not the issue. A easy win was. HIPPA will not go after a big health care chain, because the chain will spend all the money needed to block these cases. These guys will not back up there words about protecting patients against a biggie. They just want to look like it.
If it worked, we wouldn't be reading this article. The data was lost despite government regulation. I don't care that the government made 50k off the deal.
No it doesn't. For starters: such a fine is a good thing, but it should be payable to the victims of the data breach (as in: the people whose sensitive data was dumped on the street). One way or another, they suffer damage from a data breach, they should be compensated.
Secondly, it won't prevent further breaches like they happen so often these days. Maybe if fines are stiff enough, and handed out often enough, over time it will produce an effect. I wouldn't hold my breath though. When it comes to keeping data private, a new idiot is born every day. Sometimes an idiot in charge, but that's not always necessary.
The day I was terminated from a company with a crazy spoiled-rich drunken brat who's father gave her all the startup money and helped her get a healthcare related company going was the day I became religious about encryption and file shredding. This lady was an IDIOT. She shelled out high salaries from top people in the industry to give her good advice, and she did not listen to any of them and ended up getting ripped off of her entire business model and client base by her former VP who was tech-savvy. Security was as lax as it gets and he covered his tracks thoroughly. Then when she said she was hiring top dollar experts to come in and find traces of deleted data on the computers to show evidence of what he had done, I urged her to stop using them and told the chick "don't use those computers. anything recoverable will be overwritten". She blew me off because I wasn't a full time data recovery person. They flew in from across the country and told her the exact same thing I did. Then she got furious at me because I hadn't made it clear enough to her not to do that (which was B.S.) and eventually fired me and wanted to get her claws on my personal computer because she suspected me of being an insider helping the former VP ripping her off. So I quickly moved all my personal then non-encrypted home PC files to a TrueCrypt encrypted volume on a new drive and then shredded the old drive's contents. Then i ran magnets all over the thing and drilled a bajillion holes in it, rendering it useless.
This is the new generation of bosses and company owners in America. They're the sons and daughters of the upper crust whom are starting and running companies having no real background in the industry and making themselves look like the idiots they are in the process, while the employees are trying to beam-balance their job amidst the chaos.
Require the people in charge of an organization to store THEIR personal data in any such repository. Then maybe they'd have more incentive to make sure it gets PROPERLY encrypted.
No it doesn't. For starters: such a fine is a good thing, but it should be payable to the victims of the data breach (as in: the people whose sensitive data was dumped on the street).
You did read the article right?
Of course not.
Nobodies data was abused. They didn't suffer any damages from the data breach.
(You do know what a Hospice is, right? You understand that their clients could not possibly care less about a data breach?).
Be that as it may, fines are NEVER payable to individuals. The government simply pockets the money.
Nobody is taught any lessons, other than to raise their prices to pay for even more insurance.
Sig Battery depleted. Reverting to safe mode.
Facebook, Google and probably Apple make money selling customer data
but
Non-Profit organisation (organization) gets fined for losing customer data
I know its different data but cmon, what's the world coming to?
I'm not signing anything
At a university where I work, there is a requirement that any project involving storing personal data must go through several periodic reviews and has to meet some strict requirements - encryption is a must (without it, the project won't even get off the ground). I'd be very surprised if there are no regulations dictating how hospitals must store and protect data.
I read TFA, but I couldn't see whether such requirements are a must for hospices. Did they just go ahead and ignore the requirements? In which case, the fine is too small. Or are there no regulations for healthcare industry (I'd find that very surprising)? Can someone more knowledgeable tell me if this was negligence or outright violation of protocol?
While not free, a much simpler option for the end-user would be to purchase a laptop with drive encryption available out of the box. Windows 7 Ultimate/Enterprise and Mac OSX respectively. Both can provide end-user support over the phone in the event of needing to recover data (OEM and Apple support). That phone call could make this the most important decision ever made. And to go a step further, you can use an online backup solution such as Mozy and backup to the cloud (both client connection and back-end storage resides in an encrypted state).
Now, you may say this is expensive. But the cost of paying the fine is much higher. It's also more expensive to society as a whole when sensitive information gets shat all over the internet. I can't speak for everyone, but I know I don't want my stuff out there.
Life is not for the lazy.
Every time I see one of these stories I wonder about the same thing. Why is sensitive patient information on a laptop in the first place, and why is that laptop leaving the hospital.
If you are a business executive, I can understand that you would be carrying a laptop which contains emails and other documents. But I cannot think of a single good reason (GOOD REASON) why a hospital's patient information would ever need to be stored on a laptop. Seriously, if you have employees carrying around laptops loaded with patient information, you're doing it wrong.
Having worked on many projects involving various levels of government regulation and compliance, and seeing all the different facets of security and what-not, I can state for a fact that a case like this will be looked at like "It was only a $50k fine? This security hardening project is costing us well over $200k and we still might have a breach that would lead to such a fine. Why are we even bothering?"
We had a project that was basically just a fuzzy match for numbers that looked like credit card or social security numbers and delete them if it found them, just in case they got into a part of the database they shouldn't (like a customers stuck their social security number into their address, and yes, it's happened before) That project cost us $22,000. It ended up being a single line of SQL that ran as part of a service every hour. $50k is laughable. Security breaches like this should nearly bankrupt a company, there is no other way they'll be taken seriously. I'm involved in 5 different projects right now, each of them billing out at over $100k each, 3 of them revolve around privacy issues and government compliance. The fines issued for such breaches aren't even in our paperwork as a concern. The cost of a breach in regards to public image however has a very specific, very large number near the top of the chart. But we're in a business where people are paying attention to such things. These fines should START in the millions because preventing them costs in the hundreds of thousands of dollars.
Question; is there a differance between 'effective' encryption, and 'HIPAA Approved' encryption?
From a legal standpoint, would cheap/free encryption like Truecrypt/PGP be acceptable, or do you need HIPAA certified encryption with enterprise key management, etc. for $1000 a seat?
What stops your medical records being 'encrypted' with ROT13?
Yes, and the next time some Hospice official thinks about not encrypting their data, they're going to remember this event and think better of it.
HIPAA violations are serious. People have likely lost their jobs over this. Even though I'm not in a position to routinely work with patient data, my employer requires that my laptop is encrypted - in the case of my Linux laptop I was able to convince them that using encrypted LVM was sufficient.
Question; is there a differance between 'effective' encryption, and 'HIPAA Approved' encryption?
Yes, HIPAA stipulates that it must be FIPS-accredited. AES-encrypted zip files are acceptable; the older standard of zip file encryption (whatever that was) isn't.
What stops your medical records being 'encrypted' with ROT13?
The above.
When you lose one laptop worth of patient data, don't tell anybody.
FIPS 140-2 to be more specific. There are plenty of free options.
- If we aren't supposed to eat animals, then why are they made out of meat? - Steven Wright
If the fine is yearly, firing their IT guy may save them a few thousands a year!
I'm happy HIPAA is being enforced. We have already had way too many breaches, either tapes left in unsecured locations, or laptops "going missing".
We already have had a decade of businesses giving security the hind teat, since it is viewed as a cost center, and the belief that "calling Geek Squad" after the fact can fix things. Having it made public that if laws/regs are broken, that fines will be levied might get places to zip their flies.
Encryption of laptops is not hard, especially Windows laptops that are the mainstay in business that have TPM chips. With any Windows version newer than Vista, Bitlocker is very easy to enable on an enterprise level. For most things, just forcing BitLocker via GPO on laptops, even if the user is a full admin is more than good enough for security.
For laptops without a TPM, Windows 8 and Windows Server 2012 allow for a password to be set before boot.
Almost all new major operating systems have some form of DAR/WDE encryption ready to go. Linux has LUKS, BSD has gbde, AIX has EFS, Solaris has encrypt(1), OS X has FileVault II. Enabling this may not be trivial, but it is doable.
Of course, almost all new backup programs have encryption, usually create/import a key, set a button to encrypt, and let fly. Netbackup has the Media Server Encryption Option, but even better, if one uses LTO-4 or newer media, NBU can just use the tape drive native AES encryption directly.
There is no excuse for encrypting laptops and media these days. None.
I love all the immediate "encrypt it" comments. Yes, that would be helpful, but the bigger question to ask is:
"Why would such data be copied onto a laptop in the first place?"
We keep hearing stuff like lost laptops and flash drives over and over. The reality is that sensitive data like this shouldn't be on those devices in the first place. One would think it would be accessed only on secure servers through approved clients and methods. Most facilities' HIPAA guidelines specifically forbid copying such information off the servers in the first place (expect by I.T. for backup) regardless if it is encrypted or not. Seems like employees in the organizations just ignore that.
Encryption can be broken.
This is just a case of following the good old, tried and true tax department/RIAA solution. You go after the small, weak, vulnerable targets. The big ones are likely to defend themselves with armies of lawyers and keep your sorry ass in court for the next hundred years.
Basically, it's much easier and safer to kick a dog with no teeth.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
If there is a definition of cloud computing, it's the abstraction of administration. Managers at a hospice in Idaho are not qualified to make IT decisions about encryption. Even Microsoft's cloud is more secure than what they can put together : ) Combine bio-authentication with a website white list and you eliminate all passive/opportunistic attacks.
Is there anything better than clicking through Microsoft ads on Slashdot?
Part of HIPPA was to address information portability. While it may be better, patent information portability is painfully lacking. When will this be addressed with the same gusto as the privacy portion?
(You do know what a Hospice is, right? You understand that their clients could not possibly care less about a data breach?).
I'm sure the thing you want to be dealing with when closing down a loved one's estate is finding out that someone's opened up a bunch of credit cards and gone to town.
Be that as it may, fines are NEVER payable to individuals.
What about the $2.4 billion that the National Fish and Wildlife Foundation received from BP as part of the Deepwater Horizon oil spill? That will have a direct, tangible benefit to the Gulf States. Skylar
Yeah let's fire the IT guy who suggested all data to be encrypted and not the managers who overruled the IT guy because encryption is annoying.
Any HIPAA audit would have found just that deficiency.
Next time I am dying I will be sure to carefully review the HIPPA compliance record for the hospice of my choice.
This issue is a bit more complicated than you think.
Are there? Last time I looked into FIPS 140, it was the case that only certain software versions were validated by NIST, and none of the validated incarnations were either free-beer or free-libre.
Even the folks behind Truecrypt "To our best knowledge, TrueCrypt complies with the following standards, specifications, and recommendations...", before failing to mention FIPS 140 at all.
Indeed, looking again at the list of validated FIPS 140 wares, it does seem to be lengthy, but it is mighty specific and I do not see a single instance of anything free-as-in-beer, let alone "plenty of free options."
The only thing that stands out is that Red Had has had some OSS software validated as being FIPS-140, but only when installed according to their posted Security Policy, which seems to require RHEL, which is not free.
So. [citation needed], and stuff: If you've got the goods, give 'em up. (And no, "To our best knowledge" is not a defense against a HIPPA violation: It either is validated to FIPS 140(-2), or it is not.)
Kid-proof tablet..
HIPAA *does* set in place specific specifications to comply. The beauty of HIPAA is that the Dept H&HS releases guidance to inform people how to comply on pretty much every aspect:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html
When it comes to technology, they always refer to NIST standards as being tested and compliant. Read NIST special publication 800-111 and its references to the FIPS 140-2 standard at http://csrc.nist.gov/ (Publications / Special Publications on the top menu) and you'll see they have very thorough information on how to implement encryption correctly.
This exactly, much like SarbOx it's mostly a minimum framework for organizations to write their own policies (in fact HIPPA doesn't specify ANY technologies, only policies). Specific auditors might require specific standards in order to make their jobs easier (checkbox auditing) but the law is much more vague. In reality if you put in a goodfaith effort to protect patient information and followed your organizations published guidelines it's highly unlikely that you or your organization will be fined unless there's a finding of gross negligence (ie I wrote the encryption key on a postit attached to the outside of the tape case).
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
As a standard, it must do this, because it's possible for a version of software to have fatal bugs in it. Like say a fatal OpenSSL bug in Debian used to pass through valgrind. That would mean that one cannot certify those versions, but ones that were fixed can then be submitted for certification.
And it's possible that TrueCrypt may be certified, but someone makes an error and version +1 now doesn't meet the requirements.
And yes, commercial software can have such show stopping bugs as well due to some coding error.
cloud computing needs a good data plan and coverage. Based on needs and how the cloud is set up (something on live like) will need a lot more then a 5GB cap. and say $10 a gig after 5gb can add up very fast.
How do you propose we handle this?
If it's a web application it's reasonable to assume that browser caching would cache certain data on the hard drive. Even "clearing cache" would only delete the headers and not securely delete all of the data. With IE, you can enforce a GPO that tells the browser not to cache data retrieved over HTTPS ; but this is assuming that HTTPS is used for internally connected systems (often times they're not), and it assumes the user is using Windows in an Active Directory environment.
The other thing is policy. I work in an organization developing policy surrounding HIPAA data and I can tell you that it's significantly easier to have a global overall encompassing policy than it is to separate out what data should and SHOULDN'T be copied off of the server. If a user has read writes they have the rights to copy data to their HDD. So we treat all systems, even ones not directly involved in dealing with HIPAA data as the same. It makes it much easier to say with certainty that appropriate security measures have been applied.
I am going to assume the hospice is in a similar boat we are... and i will explain how its not as simple as the wand waivers above try to make it sound. I'm essentially the brat mentioned above. Small practice with about 7 providers and about 50 machines... Probably 50/50 desktops and laps. we use a shitbox EHR that was shoved down our throats because our old vendor sold the code to the highest bidder to acquire clients. Me and and 3,000 other clients are stuck with a "new" shit product, $100,000 in debt and India to call for "support". we don't have $22k for one line of SQL code. the EHR requires local users to be admins. Mind blowing. A gpo restriction against data to the local renders the box useless. No matter how many learning moments, hand slaps and write ups you have , users will never understand the difference between My Documents and the shared network drive where stuff is supposed to go. Ironically doctors are the worst. I wrote hundreds of pages of HIPAA policy and then tried to figure out how to encrypt and secure 50 xp machines running on aging dell 2350's/3000's and d510's. state hipaa auditor says we need essentially another $100,000 worth of new stuff and encryption. There is zero IT budget. I just yanked all the drives and am pxe booting thinstation to a terminal session. in the follow up, the auditor agreed it satisfies the encryption issue 100%, and she had never heard of that or seen it done but applauded me. There are thousands of office just like me who have no budget and are already drowning in debt from the non-free software rapists. The number one argument you will get from the business owners is no budget. dwindling reimbursements coupled with exponentially expensive responsibilities like this article make for a rough combo. I feel bad for the chaps in bumblefuck Idaho. They are probably barely scraping by, then this... I'd pitch the same solution i used that passed the hipaa audit to any of these other offices out there you might find who need help but can't afford anything else. Pass it on. /$.02
Are there? Last time I looked into FIPS 140, it was the case that only certain software versions were validated by NIST, and none of the validated incarnations were either free-beer or free-libre.
Crypto++ is free and open Source and FIPS 140-2 validated
While not free, a much simpler option for the end-user would be to purchase a laptop with drive encryption available out of the box. Windows 7 Ultimate/Enterprise and Mac OSX respectively. Both can provide end-user support over the phone in the event of needing to recover data (OEM and Apple support). That phone call could make this the most important decision ever made. And to go a step further, you can use an online backup solution such as Mozy and backup to the cloud (both client connection and back-end storage resides in an encrypted state).
Now, you may say this is expensive. But the cost of paying the fine is much higher. It's also more expensive to society as a whole when sensitive information gets shat all over the internet. I can't speak for everyone, but I know I don't want my stuff out there.
This is exactly the point. Whoever you are, if you deal with medical data, it must be more expensive for you to mess up than to do things right.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Seriously, get a computer in front of your hospital infrastructure which has Internet access (or a modem) on one side and runs ssh or something.
Then you simply log in via your portable computer. Nothing will be cached, nothing will be local, just use your portable computer like you would use any terminal.
That's not rocket science, it already worked in the 1980s, just go and watch "Wargames" and you will even learn about much of the security involved.
While I do not know the legal angle, TrueCrypt is effective in so far that any reasonably competent expert will testify to it being so. ROT13 can be broken in a fully automatic way even if you do not know it is ROT13. That disqualifies it from being "effective", again to be demonstrated by expert testimony.
I doubt HIPPA can require specific encryption. I rather think that they have to show whatever you use is ineffective when you contend the fine. Of course, with "no encryption", they do not have to show anything.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
There are exactly zero FIPS 140-2 software encryption products, as this level requires hardware. Even FIPS 140-1 is problematic, as it only applies to the specific software version you certified. Need a security update? Too bad, the certification is gone.
FIPS is basically worthless, as it ignores the real world.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
About time people faced some real consequences for these sort of actions. It's a shame (but not unexpected) that they picked on a hospice to make the example, rather than say a large corporation, but the principle stands. If you dont encrypt private, confidential data you should be held accountable. No more plain text passwords in database tables, no more unencrypted personally identifiable information on removable/portable devices (or in database files for that matter) . No excuses.
Sky subscribers are morons. They pay to be advertised at !
with nobody held accountable.
I love Jesus, except for his foreign policy.
Yeah let's fire the IT guy who suggested all data to be encrypted and not the managers who overruled the IT guy because encryption is annoying.
That pretty much jives with my experience. I had an experience where I warned my management over and over about a single point of failure in our customer supporting infrastructure. They didn't want to hear it. Didn't want to fix it. Didn't want to spend any money on it. Then one day it blew up. Cost the company a small fortune in blown SLA's. Of course their knee jerk reaction was to blame the IT person. The only reason I kept my job was by pulling out the documentation, which I purposely saved, of me telling my management about the problem and having everyone shoot me down over and over again. So the lesson is that if you tell them the truth they don't want to hear make sure you have a record of it. Make sure you have them refusing to listen to you documented in writing. I'd say it gives you a 50/50 chance of avoiding being the scape goat vs. being the automatic scape goat.
If the information in any laptop (or desktop) could be worth tens of thousands in fines we might just see an increase in health care thefts and blackmail. Cheaper to pay to get the laptop back than to pay the fine if the data goes public.
OpenSSL is certified (entry 1747 on that page, "OpenSSL FIPS Object Module"), and they ship a FIPS-specific tool.
Bít, zabít, jen proto, ze su liska!
Yet, HIPAA doesn't mandate the use of any specific technology, at all. FIPS is not mandated for use for HIPAA, the AC is dead wrong.
Okay, so what exactly does TPM have to do with encrypting your data? Okay, sure, it gives you an off-disk location to store a key, but as far as I can tell everything else it does is related to creating a unique encryption key for that machine so that DRM can bind a software license to it. Useless for encryption of data that will move between machines, and it adds no further security against someone stealing a laptop. The only case in which it seems to offer any potential benefits is against someone stealing the drive out of a computer.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
The health care sector looses information all the time. Over the last 15 years, two hospitials have managed to lose 5 MRI tests and 1 EEG test, digital and paper copy. I really don't trust the "security" in place with the health care sector at all.
The $50K isn't the important part of the deal, the important part is the corrective action plan. (TFA isn't particularly good, but see here.)
Working for an organization which deals with HIPAA sensitive data on a daily basis, I can say that PGP is fairly industry standard, at least for communication between agencies.
More specific, but not necessarily accurate. FIPS 140-2 is the requirement for data "in motion" (being transmitted via some communication channel.) The requirements for encryption to be sufficient to not leave the data covered by it "unsecured" under HIPAA are methods consistent with NIST Special Publication 800–111, Guide to Storage Encryption Technologies for End User Devices.
Well, first off, FIPS 140-2 is only specified as part of the requirement for data to be considered "secured" for data in motion under HIPAA (not data at rest, which is where FDE comes into play.) Second, where FIPS 140-2 is relevant (data in motion) the HIPAA rule certainly accepts FIPS 140-2 validated systems, but what it requires is merely that the encryption method be consistent with FIPS 140-2, not that the system be FIPS 140-2 validated.
HIPAA doesn't require a FIPS 140-2 validated product, it requires that, for data in motion, the encryption method is consistent with FIPS 140-2, and it specifically includes anything consistent with NIST SPs 800-52, 800-77, and 800-113. For data at rest -- which what the issue is here with, e.g., Full Disk Encryption -- FIPS 140-2 isn't even discussed; the requirement is that the method be consistent with NIST SP 800-111.
It doesn't say it in HIPAA (which is a statute). It says it in the guidance issued by HHS under the HITECH Act which sets standards for whether data is considered "unsecured" or "secured" under the HIPAA Security Rule (a regulation adopted to implemented HIPAA under the regulatory authority granted to the HHS by HIPAA). And the "consistent with FIPS 140-2" is for data in motion, not data at rest, so it doesn't actually apply here; the data at rest standard is NIST SP 800-111. See 72 FR 19006, 19009-19010.
The HITECH Act, under which the guidance referred to was issued, specifies that the guidance issued under the act controls whether data is considered "secured" or "unsecured"; the various penalties and breach notification requirements in HIPAA apply to breaches of unsecured PHI. So, the guidance specifying particular methods is a mandate as to which methods of securing data must be used, at a minimum, to avoid triggering various consequences. Its true that you can ignore that guidance as to particular methods and, if you never expose data (even encrypted data, if its not encrypted by one of the specified mechanims) to an authorized party even accidentally, never trigger the consequences under HIPAA.
First, its HIPAA, not HIPPA. Second, the "no technologies, only policies" statement used to be true, but hasn't been really true since the HITECH Act and related guidance/regulation modified the HIPAA Security Rule; there are specific technical requirements for data to be considered "secured". Its not required to actually meet those requirements, but there are consequences if unsecured data (that is, not secured by technology meeting the specified standards) is exposed to unauthorized parties.
Fines are issued by independent courts. When some random government department demands money from you, your response should be "make me".
If you were blocking sigs, you wouldn't have to read this.
You mean, like the $1 million settlement Massachussetts General made in 2011 for HIPAA violations?
Banks aren't covered by HIPAA. Most doctors and clinics are small-entities, and this case was noted as being the first significant penalty for a small entity under HIPAA. Cignet -- a big insurer -- paid a $4.3 million fine for HIPAA violations.
Yes, and the next time some Hospice official thinks about not encrypting their data, they're going to remember this event and think better of it.
What they will remember is that $50k is in the same ball park as the total cost of implementing and managing laptop encryption. So it makes sense to accept the risk of not having it.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
Encrypting laptops is *expensive* in time and effort. The problem is encrypting the system drive. Without this, our malefactor just edits the system drive, boots the OS with inserted password, and reads the encrypted data. Or if you do encrypt the system drive, there is some sort of pre-boot authentication required. Welcome to a patching and support nightmare. This is why mobile device encryption isn't as widely employed as some would like.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
It's not free to implement, support, and manage. Throwing out terms like 'incompetent' doesn't address this problem.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
Can you point me to the part of HITECH that requires FIPS certification, because the NIST checklist still has the standard HIPAA style policy driven directives, not prescribed technical solutions. (section 164.312(a)(2)(iv))
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
It doesn't. What it does (at Section 13402) is require the Secretary of HHS to publish guidance on appropriate methods of securing data, and specifies that PHI not secured by technology consistent with the most-current issued guidance is considered "unsecured", and specifies a number of things that have to be done if "unsecured" PHI is exposed. The guidance HHS has issued under the HITECH Act requires that encryption methods for data in motion be consistent with FIPS 140-2 (not that systems be certified under FIPS 140-2) in order for the data not to be considered "unsecured", and specifies other requirements for data at rest.
All those still apply (and that reference not a section of HITECH -- or even HIPAA -- its the section of Title 45 of the Code of Federal Regulations for one piece of the regulations issued under HIPAA making up the Security Rule.)
Okay, so what exactly does TPM have to do with encrypting your data?
Windows, particularly WIndows 7 Enterprise, requires a TPM chip for the included encryption software, Bitlocker, to work. Previous poster is saying that since business laptops come with TPM anyway and Windows that most large enterprises use comes with encryption anyway, the only reason business laptops are not encrypted is because somebody is too lazy to click a button.
In reality, it's a bit more complicated than that. There are many older laptops out there running WinXP that has no built in encryption and are still "good enough" to do their jobs. People, especially doctors and executives, buy their own laptops to do their work on but don't know about the TPM chip or what version of Windows they need, and usually don't have the easy solution available to them as they buy cheaper versions without the needed components because it's "good enough" they also don't know about encryption and the laws involved. Include user apathy because they don't care and don't think the law includes them or what they do or because proper solutions are harder than simple solutions that don't account for HIPAA, and the task of encrypting everything becomes an order of magnitude harder.
Thanks, that's the first time I've seen actual guidance on specific technologies as it relates to HIPAA. The lack of guidance on actual implementable solution was one of the biggest frustrations when the enforcement piece was coming online for us as recommending specific solutions was considered dangerous territory as it seemed like the law was written in such a manner as to give you enough rope to hang yourself with (or to allow bureaucrats to target anyone they wanted).
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Question; is there a differance between 'effective' encryption, and 'HIPAA Approved' encryption?
From a legal standpoint, would cheap/free encryption like Truecrypt/PGP be acceptable, or do you need HIPAA certified encryption with enterprise key management, etc. for $1000 a seat?
What stops your medical records being 'encrypted' with ROT13?
TrueCrypt would indeed have allowed the hospice to invoke "safe harbor" by pointing out the loss of an encrypted drive does not constitute a "release" of EPHI.
Question; is there a differance between 'effective' encryption, and 'HIPAA Approved' encryption?
Yes, HIPAA stipulates that it must be FIPS-accredited..
[citation needed]
HIPAA regulations do not specify what is or is not "approved". They provide guidelines, among those is an obtuse reference to NIST.
Ah, market games by Microsoft to encourage movement towards a world of hardware-based DRM, got it.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
Nobody is taught any lessons, other than to raise their prices to pay for even more insurance.
Nice try, kid, but insurance companies won't insure against losses from fines. The company must eat that loss.
Free Martian Whores!
Actually, you might be surprised but sometimes these "charitable" types of organizations are the most ripe for fraud/abuse.
My grandmother almost never uses her credit-card, but the last time she had it compromised was shortly after calling in a donation via telephone (the recipient org was legit, but the temp call-centre employees were likely not well vetted). Soon after that she had to cancel the card because somebody in the US was using her CC # to buy body-building supplements.
Just because an organization does something good doesn't mean it can't have people who do bad things under its umbrella, so hence the rules should be enforced for everyone.
it should be payable to the victims of the data breach
I'm sure the hopsice would love that. just spend the afternoon at the cemetery with a checkbook and a trowel.
how many pairs of boxer shorts should you own?
While you are correct that such analyses are needed and done all the time, none of that really has to contain identifiable info. And just because work might need to be done, doesn't mean an entire database of PHI has to be copied to a mobile device to do it.
This is, in fact, not true; the HIPAA covered entity employing them is required under HIPAA to contractually bind them to obey the same requirements as the party they are employed by is bound to, and, under more recent provisions (I believe from the HITECH Act, but possibly from the ACA), Business associates are also directly subject to privacy/security requirements as principals.