TRENDING:

The Security Scrutinizer with Howard Anderson

Powerful Encryption Ammunition

Tale of Two Breaches Illustrates Value Howard Anderson (ismg_editor) • September 14, 2010    
Powerful Encryption Ammunition

After Sunbridge Healthcare Corp. reported the theft of a laptop containing patients' health information in May, it announced plans to make sure all laptops issued to employees are encrypted.

But guess what? About one month later, the national chain of long-term care and rehab facilities reported the theft of an unencrypted BlackBerry containing patient information. In a statement about that incident, encryption came up again. "The company has encrypted and password-protected all Blackberry personal digital assistants and has reinforced with all the staff the proper protocols required to maintain the security of personal information."

Is it really essential that so many clinicians store patient information on their computer devices? 

Sunbridge had to report both incidents to those who may have been affected, as well as federal authorities, as required under the HITECH Act. But that would not have been necessary if the devices were encrypted.

Remember, under the HITECH Act interim final breach notification rule, breaches involving information that's encrypted to an appropriate standard don't have to be reported.

Educating executives who control the IT budget at your organization about the "safe harbor" encryption provision is a good idea. But making them aware of what can go wrong if a computer device containing patient information is lost or stolen is an even more powerful way to illustrate the value of encryption.

And the U.S. Department of Health and Human Services' Office for Civil Rights' list of major breaches contains dozens of other examples of incidents involving lost or stolen laptops, PDAs, thumb drives and even desktop PCs.

Reporting breaches is expensive. Sunbridge, for example, is offering those who may have been affected by recent breaches free ID protection services.

Christopher Hourihan, manager of development and programs at the Health Information Trust Alliance, estimates the cost of dealing with the aftermath of all the major breaches reported to federal authorities so far could hit $1 billion. He bases his estimate on the Ponemon Institute's calculation of an average of $204 in costs for every compromised record, across all industries.

Dozens of healthcare information breaches involving the theft of devices. An average cost of $204 for every compromised record. What's it all add up to? Powerful evidence that encryption is a worthwhile investment.

But if you're looking for a way to limit the size of your encryption investment, consider this: Hourihan argues that healthcare organizations should carefully consider just how much patient information, if any, should be stored on portable devices and media or even desktop PCs.

Is it really essential that so many clinicians store patient information on their computer devices? Food for thought.



About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network

Stopping Cloud Workload Attacks
Stopping Cloud Workload Attacks
AI in Healthcare: The Growing Promise - and Potential Risks
AI in Healthcare: The Growing Promise - and Potential Risks
Mapping the Unseen Vulnerabilities of Zombie APIs
Mapping the Unseen Vulnerabilities of Zombie APIs
How Biden's AI Executive Order Will Affect Healthcare
How Biden's AI Executive Order Will Affect Healthcare
Mapping Access - and Attack - Paths in Active Directory
Mapping Access - and Attack - Paths in Active Directory
Why Hospitals Should Beware of Malicious AI Use
Why Hospitals Should Beware of Malicious AI Use
Supporting CISA - The 'Focal Point of Our Defensive Efforts'
Supporting CISA - The 'Focal Point of Our Defensive Efforts'
Israel-Hamas War: 'We All Know Someone That Lost Someone'
Israel-Hamas War: 'We All Know Someone That Lost Someone'
Good Governance: 'It's All Hygiene'
Good Governance: 'It's All Hygiene'
Getting a Tighter Grip on Vendor Security Risk in Healthcare
Getting a Tighter Grip on Vendor Security Risk in Healthcare

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.