The Security Scrutinizer with Howard Anderson

Powerful Encryption Ammunition

Tale of Two Breaches Illustrates Value

Looking for evidence to support increasing your budget for encryption? Share this story with your executive team.

After Sunbridge Healthcare Corp. reported the theft of a laptop containing patients' health information in May, it announced plans to make sure all laptops issued to employees are encrypted.

But guess what? About one month later, the national chain of long-term care and rehab facilities reported the theft of an unencrypted BlackBerry containing patient information. In a statement about that incident, encryption came up again. "The company has encrypted and password-protected all Blackberry personal digital assistants and has reinforced with all the staff the proper protocols required to maintain the security of personal information."

Sunbridge had to notify those who may have been affected by both incidents, as well as federal authorities, as the HITECH Act's breach notification rule requires. Neither notification would have been required had the devices been encrypted in a way that meets the rule's safe harbor.

Remember, under the HITECH Act interim final breach notification rule, only breaches of "unsecured" protected health information must be reported. Information encrypted to the standard specified in the Department of Health and Human Services' guidance is not considered unsecured, so its loss or theft does not have to be reported, provided the decryption key was not compromised along with the data.

Educating executives who control the IT budget at your organization about the "safe harbor" encryption provision is a good idea. But making them aware of what can go wrong if a computer device containing patient information is lost or stolen is an even more powerful way to illustrate the value of encryption.

And the U.S. Department of Health and Human Services' Office for Civil Rights' list of major breaches, those affecting 500 or more individuals, contains dozens of other examples of incidents involving lost or stolen laptops, PDAs, thumb drives and even desktop PCs.

Reporting breaches is expensive. Sunbridge, for example, is offering those who may have been affected by recent breaches free ID protection services.

Christopher Hourihan, manager of development and programs at the Health Information Trust Alliance, estimates the cost of dealing with the aftermath of all the major breaches reported to federal authorities so far could hit $1 billion. He bases his estimate on the Ponemon Institute's calculation of an average of $204 in costs for every compromised record, across all industries.

Dozens of healthcare information breaches involving the theft of devices. An average cost of $204 for every compromised record. What's it all add up to? Powerful evidence that encryption is a worthwhile investment.

But if you're looking for a way to limit the size of your encryption investment, consider this: Hourihan argues that healthcare organizations should carefully consider just how much patient information, if any, should be stored on portable devices and media or even desktop PCs.

Is it really essential that so many clinicians store patient information on their computer devices? Food for thought.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
