Slashdot Mirror
Loss of a Single Laptop Leads to $50k Fine Against Idaho Hospice
netbuzz writes "Losing a single laptop containing sensitive personal information about 441 patients will cost a non-profit Idaho hospice center $50,000, marking the first such HIPAA-related penalty involving fewer than 500 data-breach victims. Yes, the data was not encrypted. 'This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information,' says the Department of Health and Human Services."
This is why God invented encryption.
Kriston
Yes, it is tragic, but effective encryption is free (TrueCrypt, e.g.) and a non-profit still does not have any business being incompetent.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
It's hard to tell if you're being sarcastic or not.
...what govt penalizers do best: pick on those least capable of defending themselves... in other words go after the low hanging fruit and don't bother with the really hard stuff like rich, for-profit hospitals and clinics that routinely violate HIPAA... because those have armies of high-dollar lawyers who'll make life hard on the govt if they attempt to go after them.
No it doesn't. For starters: such a fine is a good thing, but it should be payable to the victims of the data breach (as in: the people whose sensitive data was dumped on the street). One way or another, they suffer damage from a data breach, they should be compensated.
Secondly, it won't prevent further breaches like they happen so often these days. Maybe if fines are stiff enough, and handed out often enough, over time it will produce an effect. I wouldn't hold my breath though. When it comes to keeping data private, a new idiot is born every day. Sometimes an idiot in charge, but that's not always necessary.
Require the people in charge of an organization to store THEIR personal data in any such repository. Then maybe they'd have more incentive to make sure it gets PROPERLY encrypted.
No it doesn't. For starters: such a fine is a good thing, but it should be payable to the victims of the data breach (as in: the people whose sensitive data was dumped on the street).
You did read the article right?
Of course not.
Nobodies data was abused. They didn't suffer any damages from the data breach.
(You do know what a Hospice is, right? You understand that their clients could not possibly care less about a data breach?).
Be that as it may, fines are NEVER payable to individuals. The government simply pockets the money.
Nobody is taught any lessons, other than to raise their prices to pay for even more insurance.
Sig Battery depleted. Reverting to safe mode.
Hopsice prices can't just arbitrarily go up for 99.9% of people who use insurance or medicaid. They work on prenegotiated rates. They can charge all they want, insurance is only going to pay them what they agreed to.
Having worked on many projects involving various levels of government regulation and compliance, and seeing all the different facets of security and what-not, I can state for a fact that a case like this will be looked at like "It was only a $50k fine? This security hardening project is costing us well over $200k and we still might have a breach that would lead to such a fine. Why are we even bothering?"
We had a project that was basically just a fuzzy match for numbers that looked like credit card or social security numbers and delete them if it found them, just in case they got into a part of the database they shouldn't (like a customers stuck their social security number into their address, and yes, it's happened before) That project cost us $22,000. It ended up being a single line of SQL that ran as part of a service every hour. $50k is laughable. Security breaches like this should nearly bankrupt a company, there is no other way they'll be taken seriously. I'm involved in 5 different projects right now, each of them billing out at over $100k each, 3 of them revolve around privacy issues and government compliance. The fines issued for such breaches aren't even in our paperwork as a concern. The cost of a breach in regards to public image however has a very specific, very large number near the top of the chart. But we're in a business where people are paying attention to such things. These fines should START in the millions because preventing them costs in the hundreds of thousands of dollars.
Question; is there a differance between 'effective' encryption, and 'HIPAA Approved' encryption?
From a legal standpoint, would cheap/free encryption like Truecrypt/PGP be acceptable, or do you need HIPAA certified encryption with enterprise key management, etc. for $1000 a seat?
What stops your medical records being 'encrypted' with ROT13?
Yes, and the next time some Hospice official thinks about not encrypting their data, they're going to remember this event and think better of it.
HIPAA violations are serious. People have likely lost their jobs over this. Even though I'm not in a position to routinely work with patient data, my employer requires that my laptop is encrypted - in the case of my Linux laptop I was able to convince them that using encrypted LVM was sufficient.
Question; is there a differance between 'effective' encryption, and 'HIPAA Approved' encryption?
Yes, HIPAA stipulates that it must be FIPS-accredited. AES-encrypted zip files are acceptable; the older standard of zip file encryption (whatever that was) isn't.
What stops your medical records being 'encrypted' with ROT13?
The above.
When you lose one laptop worth of patient data, don't tell anybody.
FIPS 140-2 to be more specific. There are plenty of free options.
- If we aren't supposed to eat animals, then why are they made out of meat? - Steven Wright
I'm happy HIPAA is being enforced. We have already had way too many breaches, either tapes left in unsecured locations, or laptops "going missing".
We already have had a decade of businesses giving security the hind teat, since it is viewed as a cost center, and the belief that "calling Geek Squad" after the fact can fix things. Having it made public that if laws/regs are broken, that fines will be levied might get places to zip their flies.
Encryption of laptops is not hard, especially Windows laptops that are the mainstay in business that have TPM chips. With any Windows version newer than Vista, Bitlocker is very easy to enable on an enterprise level. For most things, just forcing BitLocker via GPO on laptops, even if the user is a full admin is more than good enough for security.
For laptops without a TPM, Windows 8 and Windows Server 2012 allow for a password to be set before boot.
Almost all new major operating systems have some form of DAR/WDE encryption ready to go. Linux has LUKS, BSD has gbde, AIX has EFS, Solaris has encrypt(1), OS X has FileVault II. Enabling this may not be trivial, but it is doable.
Of course, almost all new backup programs have encryption, usually create/import a key, set a button to encrypt, and let fly. Netbackup has the Media Server Encryption Option, but even better, if one uses LTO-4 or newer media, NBU can just use the tape drive native AES encryption directly.
There is no excuse for encrypting laptops and media these days. None.
Dude, it's a small nonprofit hospice, it's doubtful they HAVE an IT guy, more likely a consultant they bring in to fix something every few years. I know because I worked consulting in a practice focused largely on smb medical and only our largest and/or most profitable customers ever engaged us for anything more than break/fix. I got out just as HIPPA enforcement was coming online and almost none of our clients was prepared despite the fact that we had sent along information for several years pointing them to organizations that could help them write their policies (we got nothing directly out of this, though given the state of many of their IT systems they would have needed services to become compliant with legal minimum practices).
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
I am going to assume the hospice is in a similar boat we are... and i will explain how its not as simple as the wand waivers above try to make it sound. I'm essentially the brat mentioned above. Small practice with about 7 providers and about 50 machines... Probably 50/50 desktops and laps. we use a shitbox EHR that was shoved down our throats because our old vendor sold the code to the highest bidder to acquire clients. Me and and 3,000 other clients are stuck with a "new" shit product, $100,000 in debt and India to call for "support". we don't have $22k for one line of SQL code. the EHR requires local users to be admins. Mind blowing. A gpo restriction against data to the local renders the box useless. No matter how many learning moments, hand slaps and write ups you have , users will never understand the difference between My Documents and the shared network drive where stuff is supposed to go. Ironically doctors are the worst. I wrote hundreds of pages of HIPAA policy and then tried to figure out how to encrypt and secure 50 xp machines running on aging dell 2350's/3000's and d510's. state hipaa auditor says we need essentially another $100,000 worth of new stuff and encryption. There is zero IT budget. I just yanked all the drives and am pxe booting thinstation to a terminal session. in the follow up, the auditor agreed it satisfies the encryption issue 100%, and she had never heard of that or seen it done but applauded me. There are thousands of office just like me who have no budget and are already drowning in debt from the non-free software rapists. The number one argument you will get from the business owners is no budget. dwindling reimbursements coupled with exponentially expensive responsibilities like this article make for a rough combo. I feel bad for the chaps in bumblefuck Idaho. They are probably barely scraping by, then this... I'd pitch the same solution i used that passed the hipaa audit to any of these other offices out there you might find who need help but can't afford anything else. Pass it on. /$.02