HHS Should Require the Encryption of Portable Devices

Many companies use encryption on their portable devices, but the continuing parade of health data breaches demonstrates that too many organizations have yet to do the same. The U.S. Dept. of Health and Human Services (HHS) should consider revising the Security Rule to outright require encryption for portable devices containing the protected health information of 500 or more patients. Setting a floor of 500 patients dovetails with current breach notification reporting requirements and also avoids burdening physicians who want to access the health information of a small number of individuals on, for example, a smart phone. A regulatory requirement like this may have prevented the breach of health data on nearly six million individuals over the past year and a half.

Latest health data breach is severe – Earlier this week, Health Net – a large health insurer – announced a breach of sensitive information on nearly two million people. The breached information includes names, addresses, Social Security numbers, health and financial information. The information was held on hard drives that were likely discovered missing in early February. Not all the details are out yet, but the fact the notification was issued at all makes it unlikely that the drives were protected with encryption. This is a massive breach of information that is about as sensitive as it can get.

Particularly troublingly, this is Health Net’s second big data breach in two years. In 2009, Health Net lost the Social Security numbers and medical information of 1.5 million policyholders. In that case, the information was held on an unencrypted portable drive – contrary to Health Net’s internal policies – and Health Net waited six months before reporting the incident. The Connecticut Office of Attorney General, then led by (now Senator) Richard Blumenthal, sued Health Net on behalf of the nearly half million Connecticut enrollees affected by the breach. Blumenthal was the first to take advantage of a provision in the 2009 HITECH Act that empowered state AGs to enforce HIPAA. The Vermont AG’s Office sued Health Net soon after.

The AGs’ suit against Health Net sought, among other things, a court order that would require Health Net to encrypt any protected health information contained on a portable device. Continue reading…

Related Posts

Extend the Enterprise into the Cloud with Single Sign-On to Cloud-Based services In this blog post we examine how Single Sign-On from the enterprise to Cloud-based services is enabled. Single Sign-On is a critical component for any...
Join EFF in Standing up Against Internet Censorship Over the past few weeks, we here at EFF have watched as whistleblowing website WikiLeaks has fueled an emotionally charged debate about the secrecy ...
MasterCard’s Support for COICA Threatens A Free And Open Internet In the last months of 2010, the WikiLeaks wars reminded transparency activists of something copyright and trademark lawyers know all too well – online...
Android App Permissions Dissected Based on our recent research and feedback from our users, we know that Android permissions can sometimes be confusing. Often it is hard to tell what d...
Humanitarian Free and Open Source Software The Relevance of IT for Humanitarian Response The humanitarian response domain aims to help save lives and alleviate human suffering in responding ...
Benefits of the MeeGo Software Platform The MeeGo open source project is unique in that it offers benefits to everyone in the ecosystem starting from the developer all the way up to the oper...

We Recommend These Vendors and Free Offers

Launch an SSD VPS in Europe, USA, Asia & Australia on Vultr's KVM-based Cloud platform starting at $5:00/month (15 GB SSD, 768 MB of RAM).

Deploy an SSD Cloud server in 55 seconds on DigitalOcean. Built for developers and starting at $5:00/month (20 GB SSD, 512 MB of RAM).

Want to become an expert ethical hacker and penetration tester? Request your free video training course of Online Penetration Testing and Ethical Hacking

Whether you're new to Linux or are a Linux guru, you can learn a lot more about the Linux kernel by requesting your free ebook of Linux Kernel In A Nutshell.


Leave a Comment

Your email address will not be published. Required fields are marked *

*