Slashdot Mirror


Loss of a Single Laptop Leads to $50k Fine Against Idaho Hospice

netbuzz writes "Losing a single laptop containing sensitive personal information about 441 patients will cost a non-profit Idaho hospice center $50,000, marking the first such HIPAA-related penalty involving fewer than 500 data-breach victims. Yes, the data was not encrypted. 'This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information,' says the Department of Health and Human Services."

36 of 188 comments

  1. This is why God invented encryption by kriston · · Score: 4, Insightful

    This is why God invented encryption.

    --

    Kriston

    1. Re:This is why God invented encryption by Cryacin · · Score: 3, Informative

      Ummmm, at least Christians would say you're idolizing the wrong J.C.

      http://voices.yahoo.com/basic-cryptology-caesars-encryption-method-5295779.html

      --
      Science advances one funeral at a time- Max Planck
    2. Re:This is why God invented encryption by webmistressrachel · · Score: 3, Funny

      Yeah, he could at least idolize one with a three-letter UID - ~Jeremiah Cornelius. Have *some* class...

      --
      This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
    3. Re:This is why God invented encryption by Bill_the_Engineer · · Score: 2

      > Encryption is slow. If you have ever done healthcare data, there is just so much data that encryption can add hours to your tasks.

      No excuse. I deal with tons of data and by federal directive my laptop must have full disk encryption. It took 5 days to completely encrypt my laptop, but now that it is encrypted, it has not added "hours" to my tasks. In fact it is barely noticeable. You do not have to have the data stored on your laptop either; you could have remote access to patient records.

      > Combined with the fact that health care organizations are just starting to invest in skilled workers, but are still dominated by a bunch of people who worked their way into IT: they were in accounting or in billing and got transferred to IT 20 years ago.

      > These self-learned people worked in the institution so long they really don't know how to think in terms of security. They bitch and moan when a vendor wisely disables FTP, and will do stupid things like export a SQL db to Access so they can report on it.

      I doubt your statement is accurate. The main hospital in my home town always hired competent IT staff. In fact they influenced the type of computer courses offered at the local university since the early 80s.

      > HIPAA combined with Meaningful Use has made these older healthcare IT people obsolete; however, organizations that supposedly care won't fire them, creating problems for the new set of people skilled in IT and a bunch of stupid tasks that distract them from doing the right thing.

      What do you base this on? The main hospital in my area does regular HIPAA compliance audits and employee training. People have actually gotten fired for violating the hospital privacy rules.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    4. Re:This is why God invented encryption by kriston · · Score: 2

      This is just not true. I had a three-year-old laptop converted to full hard disk encryption and the change was not noticeable. Most CPUs now have hardware encryption acceleration, and those that don't have it already have fast enough math processors to handle the encryption.

      I should mention that in the federal space there are new "data at rest" security requirements and many of the databases in use today are already encrypted on disk.

      --

      Kriston

  2. Being non-profit does not justify being incompetent by gweihir · · Score: 4, Insightful

    Yes, it is tragic, but effective encryption is free (TrueCrypt, e.g.) and a non-profit still does not have any business being incompetent.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  3. Re:It works! by DoofusOfDeath · · Score: 3, Insightful

    It's hard to tell if you're being sarcastic or not.

  4. Government penalizers doing... by Anonymous Coward · · Score: 5, Insightful

    ...what govt penalizers do best: pick on those least capable of defending themselves... in other words go after the low hanging fruit and don't bother with the really hard stuff like rich, for-profit hospitals and clinics that routinely violate HIPAA... because those have armies of high-dollar lawyers who'll make life hard on the govt if they attempt to go after them.

    1. Re:Government penalizers doing... by Cryacin · · Score: 4, Funny

      Yeah, bunch of HIPAA-crits

      --
      Science advances one funeral at a time- Max Planck
    2. Re:Government penalizers doing... by icebike · · Score: 2

      Exactly.

      Any large hospital would have fought this out in court and prevailed. Banks, State Agencies, Military, Doctors and Clinics all over the country have data losses all the time, but nobody gets fined, because they all have insurance and lawyers. But find one little agency, whose patients never live long enough to sue them and who therefore don't need to retain a huge legal staff, and BAM, sue them into the ground.

      --
      Sig Battery depleted. Reverting to safe mode.
    3. Re:Government penalizers doing... by wmelnick · · Score: 2

      BS - They have already gone after Blue Cross/Blue Shield and many large practices. There have been multi-million dollar settlements. This was a warning shot to smaller providers that they have to keep their patients' data safe too because many are too lazy to do so.

    4. Re:Government penalizers doing... by Anonymous Coward · · Score: 2, Informative

      > Banks, State Agencies, Military, Doctors and Clinics all over the country have data losses all the time, but nobody gets fined. Because they all have insurance and lawyers.

      Nobody gets fined? Are you kidding? Large organizations get fined all the time, often for amounts of money that aren't measured in "K". It is, by the way, the reason that said organizations have insurance. And lawyers. This one is making the news precisely because it's a small organization and a small data breach.

    5. Re:Government penalizers doing... by stormpunk · · Score: 2

      It took years before there were any fines. The BCBS fine of $1.5m was for 1m records. The only warning that sends is that it is cheaper to ignore the regulations than to do anything about it.
      Also, if you're going to lose records then lose big and you get a discount. It cost the hospice over $100 per record and BCBS $1.50. There does appear to be something to the statement that larger agencies have less to worry about.

    6. Re:Government penalizers doing... by ColdWetDog · · Score: 3, Insightful

      Nice rant. Too bad you're mostly wrong. HIPAA actually does manage to get data protection pushed far and wide in an industry that fights tooth and nail against any change. It's hardly perfect but it's not terribly onerous and most of the edge cases and implementation problems have been sorted out.

      I'm not sure why they chose to beat up on some rural Hospice provider - they've had plenty of chances to hit some big boys and girls, but this will send out a signal that you shouldn't fuck around and avoid doing simple things. It isn't much of an expense to encrypt laptops. It's not hard to put locks on doors, HIPAA has made it easier to transfer data back and forth between providers because everyone is working off the same set of rules.

      Maybe you should bash your head with your copy of Atlas Shrugged a few more times until things are clearer.

      --
      Faster! Faster! Faster would be better!
  5. Re:It works! by Alwin+Henseler · · Score: 4, Insightful

    No it doesn't. For starters: such a fine is a good thing, but it should be payable to the victims of the data breach (as in: the people whose sensitive data was dumped on the street). One way or another, they suffer damage from a data breach, they should be compensated.

    Secondly, it won't prevent further breaches like they happen so often these days. Maybe if fines are stiff enough, and handed out often enough, over time it will produce an effect. I wouldn't hold my breath though. When it comes to keeping data private, a new idiot is born every day. Sometimes an idiot in charge, but that's not always necessary.

  6. How to ensure it gets encrypted... by Anonymous Coward · · Score: 3, Interesting

    Require the people in charge of an organization to store THEIR personal data in any such repository. Then maybe they'd have more incentive to make sure it gets PROPERLY encrypted.

  7. Re:It works! by icebike · · Score: 3, Informative

    > No it doesn't. For starters: such a fine is a good thing, but it should be payable to the victims of the data breach (as in: the people whose sensitive data was dumped on the street).

    You did read the article right?

    Of course not.

    Nobody's data was abused. They didn't suffer any damages from the data breach.
    (You do know what a Hospice is, right? You understand that their clients could not possibly care less about a data breach?)

    Be that as it may, fines are NEVER payable to individuals. The government simply pockets the money.
    Nobody is taught any lessons, other than to raise their prices to pay for even more insurance.

    --
    Sig Battery depleted. Reverting to safe mode.
  8. Re:Hospice prices go up by sunking2 · · Score: 3, Insightful

    Hospice prices can't just arbitrarily go up for the 99.9% of people who use insurance or Medicaid. They work on prenegotiated rates. They can charge all they want; insurance is only going to pay them what they agreed to.

  9. Did they ignore the regulations at the start? by Kwyj1b0 · · Score: 2

    At a university where I work, there is a requirement that any project involving storing personal data must go through several periodic reviews and has to meet some strict requirements - encryption is a must (without it, the project won't even get off the ground). I'd be very surprised if there are no regulations dictating how hospitals must store and protect data.

    I read TFA, but I couldn't see whether such requirements are a must for hospices. Did they just go ahead and ignore the requirements? In which case, the fine is too small. Or are there no regulations for healthcare industry (I'd find that very surprising)? Can someone more knowledgeable tell me if this was negligence or outright violation of protocol?

  10. Why are you doing it in the first place? by rudy_wayne · · Score: 2

    Every time I see one of these stories I wonder about the same thing. Why is sensitive patient information on a laptop in the first place, and why is that laptop leaving the hospital?

    If you are a business executive, I can understand that you would be carrying a laptop which contains emails and other documents. But I cannot think of a single good reason (GOOD REASON) why a hospital's patient information would ever need to be stored on a laptop. Seriously, if you have employees carrying around laptops loaded with patient information, you're doing it wrong.

    1. Re:Why are you doing it in the first place? by wvmarle · · Score: 2

      That requires a network connection. Not every home has an Internet connection, and many that have, do not have easy facilities to connect a visitor's computer to the Internet. And as this is set in the US, I wouldn't consider mobile (3G, 4G data) coverage a given either. So VPN is not an option.

  11. What a Joke by Charliemopps · · Score: 4, Interesting

    Having worked on many projects involving various levels of government regulation and compliance, and seeing all the different facets of security and what-not, I can state for a fact that a case like this will be looked at like "It was only a $50k fine? This security hardening project is costing us well over $200k and we still might have a breach that would lead to such a fine. Why are we even bothering?"

    We had a project that was basically just a fuzzy match for numbers that looked like credit card or social security numbers and delete them if it found them, just in case they got into a part of the database they shouldn't (like a customers stuck their social security number into their address, and yes, it's happened before) That project cost us $22,000. It ended up being a single line of SQL that ran as part of a service every hour. $50k is laughable. Security breaches like this should nearly bankrupt a company, there is no other way they'll be taken seriously. I'm involved in 5 different projects right now, each of them billing out at over $100k each, 3 of them revolve around privacy issues and government compliance. The fines issued for such breaches aren't even in our paperwork as a concern. The cost of a breach in regards to public image however has a very specific, very large number near the top of the chart. But we're in a business where people are paying attention to such things. These fines should START in the millions because preventing them costs in the hundreds of thousands of dollars.
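As an added example (not the commenter's code, and not his employer's SQL job), here is the same fuzzy-match idea as a Python scanner over constructed sample rows with hypothetical column names `address` and `notes`. It flags SSN- and card-looking values (the card candidates are Luhn-checked to drop random digit runs) and redacts them in place, so a false positive costs a marker rather than a deleted record.

```python
import re
from typing import Dict, List, Tuple

# SSN candidate: 3-2-4 digits with one consistent separator (dash or none),
# skipping area/group/serial values that are never issued (000, 666, 9xx, 00, 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}(-?)(?!00)\d{2}\1(?!0000)\d{4}\b")
# Card candidate: 13 to 19 digits, optionally grouped by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters random digit runs, not proof a card is real."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pii(text: str) -> List[Tuple[str, str]]:
    """Return (kind, matched_text) for every SSN- or card-looking substring."""
    hits = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append(("card", m.group()))
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", m.group()))
    return hits

def scan_rows(rows: List[Dict], fields: Tuple[str, ...]) -> List[Dict]:
    """Flag rows whose free-text fields hold PII, for review rather than silent deletion."""
    findings = []
    for row in rows:
        for field in fields:
            for kind, value in find_pii(str(row.get(field, ""))):
                findings.append({"id": row["id"], "field": field, "kind": kind, "value": value})
    return findings

def redact(text: str) -> str:
    """Replace each detected value with a marker so the field stays usable."""
    for kind, value in find_pii(text):
        text = text.replace(value, f"[REDACTED {kind.upper()}]")
    return text

# Constructed sample rows standing in for a customer table (not real data).
SAMPLE_ROWS = [
    {"id": 1, "address": "12 Elm St, Boise ID 83702", "notes": "prefers morning calls"},
    {"id": 2, "address": "my ssn is 219-09-9999, 4 Oak Ave", "notes": ""},
    {"id": 3, "address": "PO Box 9", "notes": "paid with card 4111 1111 1111 1111"},
    {"id": 4, "address": "Apt 4, 1234 5678 9012 3456", "notes": "order number, not a card"},
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS, ("address", "notes")):
        print(finding)
```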

    1. Re:What a Joke by Guido69 · · Score: 3, Funny

      If you've seriously got a viable business model where encrypting a single laptop can bring in $N00k, please let me know.

      --
      - If we aren't supposed to eat animals, then why are they made out of meat? - Steven Wright
    2. Re:What a Joke by twistofsin · · Score: 2

      I'm trying to wrap my head around how you went from

      1. Recognizing the risk
      2. Spending 22k
      3. And ending up with 1 line of code for it.

      I mean, at what point in that expenditure was that line of code developed? That 1 line of code obviously includes a search string for the databases, and a command to delete them. How was that not obvious to implement?

    3. Re:What a Joke by jklovanc · · Score: 3, Interesting

      Perhaps the fine was sized to cause pain to the organization and not kill it. Everyone makes mistakes and there are consequences but those consequences should not be fatal. Now if it happened a second time the fines should be much larger. A third time should bankrupt the company.

  12. Re:Being non-profit does not justify being incompet by Kaenneth · · Score: 3, Interesting

    Question; is there a difference between 'effective' encryption, and 'HIPAA Approved' encryption?

    From a legal standpoint, would cheap/free encryption like Truecrypt/PGP be acceptable, or do you need HIPAA certified encryption with enterprise key management, etc. for $1000 a seat?

    What stops your medical records being 'encrypted' with ROT13?

  13. Re:It works! by Enry · · Score: 4, Insightful

    Yes, and the next time some Hospice official thinks about not encrypting their data, they're going to remember this event and think better of it.

    HIPAA violations are serious. People have likely lost their jobs over this. Even though I'm not in a position to routinely work with patient data, my employer requires that my laptop is encrypted - in the case of my Linux laptop I was able to convince them that using encrypted LVM was sufficient.

  14. Re:Being non-profit does not justify being incompet by Anonymous Coward · · Score: 4, Informative

    > Question; is there a difference between 'effective' encryption, and 'HIPAA Approved' encryption?

    Yes, HIPAA stipulates that it must be FIPS-accredited. AES-encrypted zip files are acceptable; the older standard of zip file encryption (whatever that was) isn't.

    > What stops your medical records being 'encrypted' with ROT13?

    The above.

  15. -or- they learned another lesson... by bradorsomething · · Score: 3, Insightful

    When you lose one laptop worth of patient data, don't tell anybody.

  16. Re:Being non-profit does not justify being incompet by Guido69 · · Score: 4, Informative

    FIPS 140-2 to be more specific. There are plenty of free options.

    --
    - If we aren't supposed to eat animals, then why are they made out of meat? - Steven Wright
  17. Re:It works! by mlts · · Score: 3, Insightful

    I'm happy HIPAA is being enforced. We have already had way too many breaches, either tapes left in unsecured locations, or laptops "going missing".

    We already have had a decade of businesses giving security the hind teat, since it is viewed as a cost center, and the belief that "calling Geek Squad" after the fact can fix things. Having it made public that if laws/regs are broken, that fines will be levied might get places to zip their flies.

    Encryption of laptops is not hard, especially Windows laptops that are the mainstay in business that have TPM chips. With any Windows version newer than Vista, BitLocker is very easy to enable on an enterprise level. For most things, just forcing BitLocker via GPO on laptops, even if the user is a full admin, is more than good enough for security.

    For laptops without a TPM, Windows 8 and Windows Server 2012 allow for a password to be set before boot.

    Almost all new major operating systems have some form of DAR/WDE encryption ready to go. Linux has LUKS, BSD has gbde, AIX has EFS, Solaris has encrypt(1), OS X has FileVault II. Enabling this may not be trivial, but it is doable.

    Of course, almost all new backup programs have encryption, usually create/import a key, set a button to encrypt, and let fly. Netbackup has the Media Server Encryption Option, but even better, if one uses LTO-4 or newer media, NBU can just use the tape drive native AES encryption directly.

    There is no excuse for encrypting laptops and media these days. None.
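As an added example (not the commenter's code), here is an audit helper for the Linux case mentioned above: it reads the first bytes of a block device and parses the LUKS header to confirm the disk actually is encrypted and not with an obviously weak setting. The sample headers are constructed inline for testing; the offsets follow the LUKS1 on-disk layout, and for LUKS2 only the magic, version and UUID are read from the binary part.

```python
import struct
import sys
from dataclasses import dataclass
from typing import Optional

LUKS_MAGIC = b"LUKS\xba\xbe"   # first six bytes of a LUKS1/LUKS2 primary header
LUKS1_HEADER_LEN = 592         # 208-byte fixed part + 8 key slots of 48 bytes

@dataclass
class LuksInfo:
    version: int
    cipher: str = ""
    mode: str = ""
    hash_spec: str = ""
    key_bits: int = 0
    uuid: str = ""

def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")

def parse_luks_header(hdr: bytes) -> Optional[LuksInfo]:
    """Parse the start of a block device; None means no LUKS header is present."""
    if len(hdr) < 208 or hdr[:6] != LUKS_MAGIC:
        return None
    version = struct.unpack(">H", hdr[6:8])[0]
    if version == 1:
        # LUKS1 layout: cipher name @8, cipher mode @40, hash @72,
        # key length in bytes @108, UUID @168; text fields are NUL-padded.
        key_bytes = struct.unpack(">I", hdr[108:112])[0]
        return LuksInfo(1, _cstr(hdr[8:40]), _cstr(hdr[40:72]),
                        _cstr(hdr[72:104]), key_bytes * 8, _cstr(hdr[168:208]))
    # LUKS2 keeps cipher and key details in a JSON area after the binary
    # header; the binary part still carries magic, version and the UUID @168.
    return LuksInfo(version, uuid=_cstr(hdr[168:208]))

def audit_device_header(hdr: bytes) -> str:
    """Classify a device as unencrypted, LUKS with a weak setting, or OK."""
    info = parse_luks_header(hdr)
    if info is None:
        return "UNENCRYPTED: no LUKS header, data at rest is readable"
    if info.version == 1:
        # cbc-plain uses predictable IVs; sub-256-bit keys fail most policies
        if info.key_bits < 256 or info.mode == "cbc-plain":
            return f"WEAK: LUKS1 {info.cipher}-{info.mode} {info.key_bits}-bit"
        return f"OK: LUKS1 {info.cipher}-{info.mode} {info.key_bits}-bit"
    return f"OK: LUKS{info.version} container {info.uuid}"

def build_luks1_header(cipher: str, mode: str, key_bytes: int, uuid: str) -> bytes:
    """Constructed sample header (zeroed digest, salt and key slots); test data only."""
    def field(s: str, n: int) -> bytes:
        return s.encode().ljust(n, b"\x00")
    hdr = (LUKS_MAGIC + struct.pack(">H", 1) + field(cipher, 32) + field(mode, 32)
           + field("sha256", 32) + struct.pack(">I", 4096) + struct.pack(">I", key_bytes)
           + b"\x00" * 20 + b"\x00" * 32 + struct.pack(">I", 1000) + field(uuid, 40))
    return hdr.ljust(LUKS1_HEADER_LEN, b"\x00")

# Constructed samples: a sound container, a weak one, and an unencrypted disk.
GOOD_HDR = build_luks1_header("aes", "xts-plain64", 64, "constructed-uuid-0001")
WEAK_HDR = build_luks1_header("aes", "cbc-plain", 16, "constructed-uuid-0002")
PLAIN_DISK = b"\x00" * 4096

if __name__ == "__main__":
    # Usage on a real machine (needs root): python audit.py /dev/sda2
    with open(sys.argv[1], "rb") as dev:
        print(audit_device_header(dev.read(4096)))
```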

  18. Should not be on there in the first place, at all. by markdavis · · Score: 2

    I love all the immediate "encrypt it" comments. Yes, that would be helpful, but the bigger question to ask is:

    "Why would such data be copied onto a laptop in the first place?"

    We keep hearing stuff like lost laptops and flash drives over and over. The reality is that sensitive data like this shouldn't be on those devices in the first place. One would think it would be accessed only on secure servers through approved clients and methods. Most facilities' HIPAA guidelines specifically forbid copying such information off the servers in the first place (except by I.T. for backup), regardless of whether it is encrypted or not. Seems like employees in the organizations just ignore that.

    Encryption can be broken.

  19. Re:It works! by NotQuiteReal · · Score: 2

    Next time I am dying I will be sure to carefully review the HIPAA compliance record for the hospice of my choice.

    --
    This issue is a bit more complicated than you think.
  20. Re:Being non-profit does not justify being incompet by adolf · · Score: 2

    > FIPS 140-2 to be more specific. There are plenty of free options.

    Are there? Last time I looked into FIPS 140, it was the case that only certain software versions were validated by NIST, and none of the validated incarnations were either free-beer or free-libre.

    Even the folks behind TrueCrypt say "To our best knowledge, TrueCrypt complies with the following standards, specifications, and recommendations...", before failing to mention FIPS 140 at all.

    Indeed, looking again at the list of validated FIPS 140 wares, it does seem to be lengthy, but it is mighty specific and I do not see a single instance of anything free-as-in-beer, let alone "plenty of free options."

    The only thing that stands out is that Red Hat has had some OSS software validated as being FIPS-140, but only when installed according to their posted Security Policy, which seems to require RHEL, which is not free.

    So. [citation needed], and stuff: If you've got the goods, give 'em up. (And no, "To our best knowledge" is not a defense against a HIPAA violation: It either is validated to FIPS 140(-2), or it is not.)

  21. Re:A 'Big' fine? by afidel · · Score: 3, Insightful

    Dude, it's a small nonprofit hospice; it's doubtful they HAVE an IT guy, more likely a consultant they bring in to fix something every few years. I know because I worked consulting in a practice focused largely on SMB medical and only our largest and/or most profitable customers ever engaged us for anything more than break/fix. I got out just as HIPAA enforcement was coming online and almost none of our clients were prepared, despite the fact that we had sent along information for several years pointing them to organizations that could help them write their policies (we got nothing directly out of this, though given the state of many of their IT systems they would have needed services to become compliant with legal minimum practices).

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  22. Shit software by Jarno+Hams · · Score: 5, Interesting

    I am going to assume the hospice is in a similar boat to ours... and I will explain how it's not as simple as the wand wavers above try to make it sound. I'm essentially the brat mentioned above. Small practice with about 7 providers and about 50 machines... probably 50/50 desktops and laps. We use a shitbox EHR that was shoved down our throats because our old vendor sold the code to the highest bidder to acquire clients. Me and 3,000 other clients are stuck with a "new" shit product, $100,000 in debt and India to call for "support". We don't have $22k for one line of SQL code.

    The EHR requires local users to be admins. Mind blowing. A GPO restriction against data to the local renders the box useless. No matter how many learning moments, hand slaps and write-ups you have, users will never understand the difference between My Documents and the shared network drive where stuff is supposed to go. Ironically doctors are the worst.

    I wrote hundreds of pages of HIPAA policy and then tried to figure out how to encrypt and secure 50 XP machines running on aging Dell 2350's/3000's and D510's. The state HIPAA auditor says we need essentially another $100,000 worth of new stuff and encryption. There is zero IT budget. I just yanked all the drives and am PXE booting Thinstation to a terminal session. In the follow-up, the auditor agreed it satisfies the encryption issue 100%, and she had never heard of that or seen it done, but applauded me.

    There are thousands of offices just like me who have no budget and are already drowning in debt from the non-free software rapists. The number one argument you will get from the business owners is no budget. Dwindling reimbursements coupled with exponentially expensive responsibilities like this article make for a rough combo. I feel bad for the chaps in bumblefuck Idaho. They are probably barely scraping by, then this...

    I'd pitch the same solution I used that passed the HIPAA audit to any of these other offices out there you might find who need help but can't afford anything else. Pass it on. /$.02