HHS Should Require the Encryption of Portable Devices

Many companies use encryption on their portable devices, but the continuing parade of health data breaches demonstrates that too many organizations have yet to do the same. The U.S. Dept. of Health and Human Services (HHS) should consider revising the Security Rule to outright require encryption for portable devices containing the protected health information of 500 or more patients. Setting a floor of 500 patients dovetails with current breach notification reporting requirements and also avoids burdening physicians who want to access the health information of a small number of individuals on, for example, a smart phone. A regulatory requirement like this may have prevented the breach of health data on nearly six million individuals over the past year and a half.

Latest health data breach is severe – Earlier this week, Health Net – a large health insurer – announced a breach of sensitive information on nearly two million people. The breached information includes names, addresses, Social Security numbers, health and financial information. The information was held on hard drives that were likely discovered missing in early February. Not all the details are out yet, but the fact the notification was issued at all makes it unlikely that the drives were protected with encryption. This is a massive breach of information that is about as sensitive as it can get.

Particularly troublingly, this is Health Net’s second big data breach in two years. In 2009, Health Net lost the Social Security numbers and medical information of 1.5 million policyholders. In that case, the information was held on an unencrypted portable drive – contrary to Health Net’s internal policies – and Health Net waited six months before reporting the incident. The Connecticut Office of Attorney General, then led by (now Senator) Richard Blumenthal, sued Health Net on behalf of the nearly half million Connecticut enrollees affected by the breach. Blumenthal was the first to take advantage of a provision in the 2009 HITECH Act that empowered state AGs to enforce HIPAA. The Vermont AG’s Office sued Health Net soon after.

The AGs’ suit against Health Net sought, among other things, a court order that would require Health Net to encrypt any protected health information contained on a portable device. Continue reading…

Related Posts

Join EFF in Standing up Against Internet Censorship Over the past few weeks, we here at EFF have watched as whistleblowing website WikiLeaks has fueled an emotionally charged debate about the secrecy ...
The Message of Firesheep: “Baaaad Websites, Implement Sitewide HTTPS Now!” The Firesheep Firefox extension has been scaring users across the Internet since its introduction at the Toorcon security conference this past weekend...
How does your package manager handle orphaned packages? The last time I followed a distribution's suggestion to remove some packages that were no longer needed, I completely hosed the system. Could not use ...
No double standards: supporting Google’s push for WebM We've signed up as a supporter of the WebM Project, and we encourage other foundations and organizations to join us—write to webmaster @@@ webmproj...
BitMate: A BitTorrent Client for Poor Bandwidth People itTorrent is an excellent tool for sharing large files online, which is why millions of people use it every day. In developing third world countries, ...
Neuroprivilogy: The New Frontier of Cyber Crime The first step of this discussion is defining a fancy term to help educate and describe this new phenomenon: Neuroprivilogy. As the name suggests Ne...

We Recommend These Vendors and Free Offers

Launch an SSD VPS in Europe, USA, Asia & Australia on Vultr's KVM-based Cloud platform starting at $5:00/month (15 GB SSD, 768 MB of RAM).

Deploy an SSD Cloud server in 55 seconds on DigitalOcean. Built for developers and starting at $5:00/month (20 GB SSD, 512 MB of RAM).

Want to become an expert ethical hacker and penetration tester? Request your free video training course of Online Penetration Testing and Ethical Hacking

Whether you're new to Linux or are a Linux guru, you can learn a lot more about the Linux kernel by requesting your free ebook of Linux Kernel In A Nutshell.


Leave a Comment

Your email address will not be published. Required fields are marked *

*