ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Local Encryption ... Why Not?

    Scheduled Pinned Locked Moved IT Discussion
    357 Posts 15 Posters 190.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • StrongBadS
      StrongBad @BRRABill
      last edited by

      @BRRABill said:

      If they are NOT allowed to access the data as part of their job, it is a breach in and of itself. Our policy dictates strict penalties for such a thing, and varies by levels ranging from a total mistake on their part to malicious theft of the data.

      Is misuse of data not a breach - even if the person is allowed to have access to it? A bank manager has access to money, but he isn't allowed to take it home.

      BRRABillB 1 Reply Last reply Reply Quote 0
      • BRRABillB
        BRRABill
        last edited by

        BTW:

        I contacted Wave and asked if their software (or the drives they support) has any sort of lockout period.

        They do not.

        So if you happen to steal my laptop and take out the drive, you could theoretically sit and manually guess my password until the cows come home. Maybe one day you'll get it.

        Even with that, I'd still like to know how this system provides the illusion of security.

        scottalanmillerS 1 Reply Last reply Reply Quote 0
        • BRRABillB
          BRRABill @StrongBad
          last edited by

          @StrongBad said:

          But if putting data ON the machine is their decision and they were not allowed to do it, isn't that itself the breach? Or if you need an additional step, the breach is theirs not yours?

          OCR can go after individuals as well, if they were malicious in their intent. However, the employer would also be fined as it is their responsibility to protect the data.

          I guess employers could sue the employee to recover the fine.

          http://www.beckershospitalreview.com/healthcare-information-technology/how-employers-can-avoid-hefty-hipaa-violations.html

          scottalanmillerS 1 Reply Last reply Reply Quote 0
          • BRRABillB
            BRRABill @StrongBad
            last edited by

            @StrongBad said:

            Is misuse of data not a breach - even if the person is allowed to have access to it? A bank manager has access to money, but he isn't allowed to take it home.

            Misuse would require an assessment to be done. It would then be determined whether or not it was a breach.

            Usually if it stayed in-house it would not be a breach. If you saw your neighbor in the office, looked up he was being treated for something unsavory, and then told his wife, that would be a breach.

            scottalanmillerS 1 Reply Last reply Reply Quote 0
            • scottalanmillerS
              scottalanmiller @BRRABill
              last edited by

              @BRRABill said:

              BTW:

              I contacted Wave and asked if their software (or the drives they support) has any sort of lockout period.

              They do not.

              So if you happen to steal my laptop and take out the drive, you could theoretically sit and manually guess my password until the cows come home. Maybe one day you'll get it.

              Even with that, I'd still like to know how this system provides the illusion of security.

              Well.... it makes you feel like you are reasonably secure to a minimum level, right? That is the illusion.

              BRRABillB 1 Reply Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller @BRRABill
                last edited by

                @BRRABill said:

                @StrongBad said:

                But if putting data ON the machine is their decision and they were not allowed to do it, isn't that itself the breach? Or if you need an additional step, the breach is theirs not yours?

                OCR can go after individuals as well, if they were malicious in their intent. However, the employer would also be fined as it is their responsibility to protect the data.

                I guess employers could sue the employee to recover the fine.

                http://www.beckershospitalreview.com/healthcare-information-technology/how-employers-can-avoid-hefty-hipaa-violations.html

                Employers are NOT required to protect the data. They are only required to provide reasonable protection attempts. An authorized user with appropriate use deciding to misuse or steal data by putting it on their desktop would be no different than any theft. Are you saying that if any employee at your customers now just grabbed data that they were using and ran out the door with it that you would be fined for having been compromised even though no security of yours was compromised?

                BRRABillB 1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @BRRABill
                  last edited by

                  @BRRABill said:

                  @StrongBad said:

                  Is misuse of data not a breach - even if the person is allowed to have access to it? A bank manager has access to money, but he isn't allowed to take it home.

                  Misuse would require an assessment to be done. It would then be determined whether or not it was a breach.

                  Usually if it stayed in-house it would not be a breach. If you saw your neighbor in the office, looked up he was being treated for something unsavory, and then told his wife, that would be a breach.

                  Wouldn't it be a breach the moment that someone took data and removed it from the allowed security system and exposed it? It may not have been used maliciously yet. But it has been taken already. It sounds like you only consider it a breach once it has been misused, not just when it has been removed.

                  Similar to saying a bank isn't robbed when the money is stolen, only when the stolen money is used to buy things.

                  BRRABillB 1 Reply Last reply Reply Quote 0
                  • BRRABillB
                    BRRABill @scottalanmiller
                    last edited by

                    @scottalanmiller said:

                    Well.... it makes you feel like you are reasonably secure to a minimum level, right? That is the illusion.

                    I feel much more than minimally secure.

                    Are you that certain someone can hack my SED?

                    scottalanmillerS 1 Reply Last reply Reply Quote 0
                    • BRRABillB
                      BRRABill @scottalanmiller
                      last edited by

                      @scottalanmiller said:

                      Employers are NOT required to protect the data. They are only required to provide reasonable protection attempts. An authorized user with appropriate use deciding to misuse or steal data by putting it on their desktop would be no different than any theft. Are you saying that if any employee at your customers now just grabbed data that they were using and ran out the door with it that you would be fined for having been compromised even though no security of yours was compromised?

                      Employee "steals" data from their local hospital they are not allowed to have access to and puts it on a USB drive.
                      USB drive get stolen.
                      Local newspaper finds out about the PHI on the USB drive, does story.
                      OCR goes after ... the thief, you say? The hospital is in the clear?

                      DashrenderD scottalanmillerS 2 Replies Last reply Reply Quote 0
                      • BRRABillB
                        BRRABill @scottalanmiller
                        last edited by

                        @scottalanmiller said:

                        Wouldn't it be a breach the moment that someone took data and removed it from the allowed security system and exposed it? It may not have been used maliciously yet. But it has been taken already. It sounds like you only consider it a breach once it has been misused, not just when it has been removed.

                        Similar to saying a bank isn't robbed when the money is stolen, only when the stolen money is used to buy things.

                        Legal words:
                        A breach of protected health information (“PHI”) is defined as the acquisition, access, use, or disclosure of unsecured PHI, in a manner not permitted by HIPAA, which poses a significant risk of financial, reputational, or other harm to the affected individual.7 Parsing this definition into its components, there must be: (1) an access to, or use or disclosure of unsecured PHI; (2) a use, access or disclosure that violates the “Privacy Rule” ( i.e., Subpart E of 45 C.F.R. 164); (3) a significant risk that such access, use or disclosure will cause financial, reputational, or other harm to the patient; and (4) no exceptions that apply.

                        If the data doesn't leave the building, no harm done.

                        If someone's ex looks up information on whether someone has an STD, and tells people about it. Harm has been done. (True story.)

                        In your bank robbing example, it would be like if they rob the bank, but leave the money there. Or like someone just put the money in the wrong place, but it never actually got stolen.

                        DashrenderD scottalanmillerS 3 Replies Last reply Reply Quote 0
                        • DashrenderD
                          Dashrender @BRRABill
                          last edited by

                          @BRRABill said:

                          @scottalanmiller said:

                          Employers are NOT required to protect the data. They are only required to provide reasonable protection attempts. An authorized user with appropriate use deciding to misuse or steal data by putting it on their desktop would be no different than any theft. Are you saying that if any employee at your customers now just grabbed data that they were using and ran out the door with it that you would be fined for having been compromised even though no security of yours was compromised?

                          Employee "steals" data from their local hospital they are not allowed to have access to and puts it on a USB drive.
                          USB drive get stolen.
                          Local newspaper finds out about the PHI on the USB drive, does story.
                          OCR goes after ... the thief, you say? The hospital is in the clear?

                          The hospital should be in the clear. Assuming a few things of course. The employee had reasons to have access to the data in the first place, and the hospital has policies that state that users can't copy data on to memory sticks.

                          BRRABillB 1 Reply Last reply Reply Quote 0
                          • DashrenderD
                            Dashrender @BRRABill
                            last edited by

                            @BRRABill said:

                            If the data doesn't leave the building, no harm done.

                            I don't agree with this. Once the employee has the data, the breach has happened. Because the employee has broken the rules and copied the data someplace it's not suppose to be. The employee is the breach.

                            BRRABillB scottalanmillerS 3 Replies Last reply Reply Quote 1
                            • BRRABillB
                              BRRABill @Dashrender
                              last edited by

                              @Dashrender said:

                              I don't agree with this. Once the employee has the data, the breach has happened. Because the employee has broken the rules and copied the data someplace it's not suppose to be. The employee is the breach.

                              There is a breach in the simplest definition of the word. But it might not be a HIPAA violation.

                              scottalanmillerS 1 Reply Last reply Reply Quote 0
                              • BRRABillB
                                BRRABill @Dashrender
                                last edited by

                                @Dashrender said:

                                The hospital should be in the clear. Assuming a few things of course. The employee had reasons to have access to the data in the first place, and the hospital has policies that state that users can't copy data on to memory sticks.

                                They would still have to report the breach, including to the media.

                                And be investigated by the OCR.

                                And hope, as you said, they had covered all these things in the documentation and training. And REALLY hope they hadn't already been warned about it.

                                DashrenderD 1 Reply Last reply Reply Quote 0
                                • BRRABillB
                                  BRRABill @Dashrender
                                  last edited by

                                  @Dashrender said:

                                  I don't agree with this. Once the employee has the data, the breach has happened. Because the employee has broken the rules and copied the data someplace it's not suppose to be. The employee is the breach.

                                  I don't agree with your disagreement. 🙂

                                  The employee should NEVER been given access to the data. That would definitely be considered a breach.

                                  DashrenderD 1 Reply Last reply Reply Quote 0
                                  • DashrenderD
                                    Dashrender @BRRABill
                                    last edited by

                                    @BRRABill said:

                                    @Dashrender said:

                                    The hospital should be in the clear. Assuming a few things of course. The employee had reasons to have access to the data in the first place, and the hospital has policies that state that users can't copy data on to memory sticks.

                                    They would still have to report the breach, including to the media.

                                    And be investigated by the OCR.

                                    And hope, as you said, they had covered all these things in the documentation and training. And REALLY hope they hadn't already been warned about it.

                                    In this situation if the hospital knew that this employee did in fact download this against company policy.. i think they'd have no choice but to report it, legally. Assuming they discovered is as soon as it happened, they could also report that the data was never at large risk, but the report I would think legally would still need to be made.

                                    BRRABillB scottalanmillerS 2 Replies Last reply Reply Quote 0
                                    • BRRABillB
                                      BRRABill @Dashrender
                                      last edited by

                                      @Dashrender said:

                                      In this situation if the hospital knew that this employee did in fact download this against company policy.. i think they'd have no choice but to report it, legally. Assuming they discovered is as soon as it happened, they could also report that the data was never at large risk, but the report I would think legally would still need to be made.

                                      It has been my understanding that this is up to the compliance team.

                                      For example, if the drive was lost, but was lost while swimming, it could be assumed the data was lost. Or the laptop is gone, but was destroyed in a fire or something.

                                      scottalanmillerS 1 Reply Last reply Reply Quote 0
                                      • DashrenderD
                                        Dashrender @BRRABill
                                        last edited by

                                        @BRRABill said:

                                        @Dashrender said:

                                        I don't agree with this. Once the employee has the data, the breach has happened. Because the employee has broken the rules and copied the data someplace it's not suppose to be. The employee is the breach.

                                        I don't agree with your disagreement. 🙂

                                        The employee should NEVER been given access to the data. That would definitely be considered a breach.

                                        This is the problem I was talking about before.

                                        Let's say your a nurse in Chicago, the same hospital that Michael Jordon goes to. other than the hospital putting special locks in place for celebrities, all medical staff in that hospital have access to his records. This is the common approach, and I have yet to see a single place do it differently.

                                        BRRABillB scottalanmillerS 2 Replies Last reply Reply Quote 0
                                        • BRRABillB
                                          BRRABill @Dashrender
                                          last edited by

                                          @Dashrender said:

                                          This is the problem I was talking about before.

                                          Let's say your a nurse in Chicago, the same hospital that Michael Jordon goes to. other than the hospital putting special locks in place for celebrities, all medical staff in that hospital have access to his records. This is the common approach, and I have yet to see a single place do it differently.

                                          It's a training/HR issue.

                                          There would still be a reportable breach, but it might not incur a HIPAA fine.

                                          Actually, if it is just him, it's not a reportable breach.

                                          1 Reply Last reply Reply Quote 0
                                          • scottalanmillerS
                                            scottalanmiller @BRRABill
                                            last edited by

                                            @BRRABill said:

                                            @scottalanmiller said:

                                            Well.... it makes you feel like you are reasonably secure to a minimum level, right? That is the illusion.

                                            I feel much more than minimally secure.

                                            Are you that certain someone can hack my SED?

                                            Well yes, I'm decently confident. But more importantly, why are you so certain that they cannot?

                                            BRRABillB 1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 8
                                            • 9
                                            • 10
                                            • 11
                                            • 12
                                            • 17
                                            • 18
                                            • 10 / 18
                                            • First post
                                              Last post