HHS Should Require the Encryption of Portable Devices

Many companies use encryption on their portable devices, but the continuing parade of health data breaches demonstrates that too many organizations have yet to do the same. The U.S. Dept. of Health and Human Services (HHS) should consider revising the Security Rule to outright require encryption for portable devices containing the protected health information of 500 or more patients. Setting a floor of 500 patients dovetails with current breach notification reporting requirements and also avoids burdening physicians who want to access the health information of a small number of individuals on, for example, a smart phone. A regulatory requirement like this may have prevented the breach of health data on nearly six million individuals over the past year and a half.

Latest health data breach is severe – Earlier this week, Health Net – a large health insurer – announced a breach of sensitive information on nearly two million people. The breached information includes names, addresses, Social Security numbers, health and financial information. The information was held on hard drives that were likely discovered missing in early February. Not all the details are out yet, but the fact the notification was issued at all makes it unlikely that the drives were protected with encryption. This is a massive breach of information that is about as sensitive as it can get.

Particularly troublingly, this is Health Net’s second big data breach in two years. In 2009, Health Net lost the Social Security numbers and medical information of 1.5 million policyholders. In that case, the information was held on an unencrypted portable drive – contrary to Health Net’s internal policies – and Health Net waited six months before reporting the incident. The Connecticut Office of Attorney General, then led by (now Senator) Richard Blumenthal, sued Health Net on behalf of the nearly half million Connecticut enrollees affected by the breach. Blumenthal was the first to take advantage of a provision in the 2009 HITECH Act that empowered state AGs to enforce HIPAA. The Vermont AG’s Office sued Health Net soon after.

The AGs’ suit against Health Net sought, among other things, a court order that would require Health Net to encrypt any protected health information contained on a portable device. Continue reading…

LinuxBSDos needs your donation to continue!

I hope this article has saved you valuable time and effort to fix a problem that would have taken more time than is necessary. That makes me happy, and why I love doing this. But because more people than ever are reading articles like this with an adblocker, ad revenues have fallen to a level that's not enough to cover my operating costs. That's why I want to ask you a favor: To make a one-time or recurring donation to support this site and keep it going. It's a small favor, but every one counts. And you can make your donation using Patreon or directly via Paypal. Thank you for whatever donation you're able to make.

Donate via Patreon. Donate via Paypal.

Aside from donation, you may also signup to receive an email once I publish new content. Your email will not be shared or traded to anyone. And you can unsubscribe at any time.

Please share:

We Recommend These Vendors and Free Offers

Launch an SSD VPS in Europe, USA, Asia & Australia on Vultr's KVM-based Cloud platform starting at $5:00/month (15 GB SSD, 768 MB of RAM).

Deploy an SSD Cloud server in 55 seconds on DigitalOcean. Built for developers and starting at $5:00/month (20 GB SSD, 512 MB of RAM).

Want to become an expert ethical hacker and penetration tester? Request your free video training course of Online Penetration Testing and Ethical Hacking

Whether you're new to Linux or are a Linux guru, you can learn a lot more about the Linux kernel by requesting your free ebook of Linux Kernel In A Nutshell.

Leave a Comment

Your email address will not be published. Required fields are marked *