HHS Should Require the Encryption of Portable Devices

Many companies use encryption on their portable devices, but the continuing parade of health data breaches demonstrates that too many organizations have yet to do the same. The U.S. Dept. of Health and Human Services (HHS) should consider revising the Security Rule to outright require encryption for portable devices containing the protected health information of 500 or more patients. Setting a floor of 500 patients dovetails with current breach notification reporting requirements and also avoids burdening physicians who want to access the health information of a small number of individuals on, for example, a smart phone. A regulatory requirement like this may have prevented the breach of health data on nearly six million individuals over the past year and a half.

Latest health data breach is severe – Earlier this week, Health Net – a large health insurer – announced a breach of sensitive information on nearly two million people. The breached information includes names, addresses, Social Security numbers, health and financial information. The information was held on hard drives that were likely discovered missing in early February. Not all the details are out yet, but the fact the notification was issued at all makes it unlikely that the drives were protected with encryption. This is a massive breach of information that is about as sensitive as it can get.

Particularly troublingly, this is Health Net’s second big data breach in two years. In 2009, Health Net lost the Social Security numbers and medical information of 1.5 million policyholders. In that case, the information was held on an unencrypted portable drive – contrary to Health Net’s internal policies – and Health Net waited six months before reporting the incident. The Connecticut Office of Attorney General, then led by (now Senator) Richard Blumenthal, sued Health Net on behalf of the nearly half million Connecticut enrollees affected by the breach. Blumenthal was the first to take advantage of a provision in the 2009 HITECH Act that empowered state AGs to enforce HIPAA. The Vermont AG’s Office sued Health Net soon after.

The AGs’ suit against Health Net sought, among other things, a court order that would require Health Net to encrypt any protected health information contained on a portable device. Continue reading…

Related Posts

Building a Distributed, Decentralized Internet – A Roadmap I know that I'm not Patrick, and I don't pretend to speak for anyone but myself here. I just want to say that I share Patrick's belief in the radical ...
Publishers Force Domain Seizure of Public Domain Music Resource IMSLP, the largest public domain music library on the Internet, has just suffered a damaging attack on the site’s infrastructure. In a wrongful action...
ST-Ericsson and Linaro, working towards the first release By ST-Ericcson: Open source has become an important driving force in the smartphone industry and a particularly key area of focus for ST-Ericsson. We...
E-Book Buyer’s Guide to E-Book Privacy With the 2010 holidays upon us, it's time to update EFF's E-Book Buyer's Guide to E-Book Privacy, which summarizes and comments on the privacy-relat...
Who’s watching you? Ahead of terrorist attacks, becoming bankrupt and being attacked in their homes, people are more worried about their online privacy being violated and...
Humanitarian Free and Open Source Software The Relevance of IT for Humanitarian Response The humanitarian response domain aims to help save lives and alleviate human suffering in responding ...

We Recommend These Vendors

Launch an SSD VPS in Europe, USA, Asia & Australia on Vultr's KVM-based Cloud platform starting at $5:00/month (15 GB SSD, 768 MB of RAM).

Deploy an SSD Cloud server in 55 seconds on DigitalOcean. Built for developers and starting at $5:00/month (20 GB SSD, 512 MB of RAM).


Leave a Comment

Your email address will not be published. Required fields are marked *

*