Commentary

HHS Should Require the Encryption of Portable Devices

Many companies use encryption on their portable devices, but the continuing parade of health data breaches demonstrates that too many organizations have yet to do the same. The U.S. Dept. of Health and Human Services (HHS) should consider revising the Security Rule to outright require encryption for portable devices containing the protected health information of 500 or more patients. Setting a floor of 500 patients dovetails with current breach notification reporting requirements and also avoids burdening physicians who want to access the health information of a small number of individuals on, for example, a smart phone. A regulatory requirement like this may have prevented the breach of health data on nearly six million individuals over the past year and a half.

Latest health data breach is severe – Earlier this week, Health Net – a large health insurer – announced a breach of sensitive information on nearly two million people. The breached information includes names, addresses, Social Security numbers, health and financial information. The information was held on hard drives that were likely discovered missing in early February. Not all the details are out yet, but the fact the notification was issued at all makes it unlikely that the drives were protected with encryption. This is a massive breach of information that is about as sensitive as it can get.

Particularly troublingly, this is Health Net’s second big data breach in two years. In 2009, Health Net lost the Social Security numbers and medical information of 1.5 million policyholders. In that case, the information was held on an unencrypted portable drive – contrary to Health Net’s internal policies – and Health Net waited six months before reporting the incident. The Connecticut Office of Attorney General, then led by (now Senator) Richard Blumenthal, sued Health Net on behalf of the nearly half million Connecticut enrollees affected by the breach. Blumenthal was the first to take advantage of a provision in the 2009 HITECH Act that empowered state AGs to enforce HIPAA. The Vermont AG’s Office sued Health Net soon after.

The AGs’ suit against Health Net sought, among other things, a court order that would require Health Net to encrypt any protected health information contained on a portable device. Continue reading…

Related Posts

EFF Brief: “Privacy” Protections for Corporations Undermines Government Transp... EFF and a coalition of public interest groups urged the U.S. Supreme Court in an amicus brief Tuesday to reject so-called "privacy" protections for co...
Location, Location, Location: Three Recent Court Controversies on Cell Phone & GPS Tr... Welcome to the 21st century, where we all carry tracking devices in our pockets and where one morning you might find an FBI-installed GPS tracking dev...
ST-Ericsson and Linaro, working towards the first release By ST-Ericcson: Open source has become an important driving force in the smartphone industry and a particularly key area of focus for ST-Ericsson. We...
Apps is the new Web: sowing the seeds for Web 3.0 Billions of downloads. That’s how the success of software platforms is measured today. And while downloads is not a currency (it does not necessarily ...
Common Sense and Security: Body Scanners, Accountability, and $2.4 Billion Worth of Securi... The Transportation Security Administration is feeling public heat these days over its combination of whole-body-image scanners and heavy-handed pat-do...
The Open Source trials: hanging in the legal balance of copyright and copyleft For those meddling in open source software affairs, compliance with licenses is a very hot topic. In the last 2 years we have witnessed the licensing ...

We Recommend These Vendors and Free Offers

Launch an SSD VPS in Europe, USA, Asia & Australia on Vultr's KVM-based Cloud platform starting at $5:00/month (15 GB SSD, 768 MB of RAM).

Deploy an SSD Cloud server in 55 seconds on DigitalOcean. Built for developers and starting at $5:00/month (20 GB SSD, 512 MB of RAM).

Want to become an expert ethical hacker and penetration tester? Request your free video training course of Online Penetration Testing and Ethical Hacking

Whether you're new to Linux or are a Linux guru, you can learn a lot more about the Linux kernel by requesting your free ebook of Linux Kernel In A Nutshell.


Leave a Comment

Your email address will not be published. Required fields are marked *

*