ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Local Encryption ... Why Not?

    Scheduled Pinned Locked Moved IT Discussion
    357 Posts 15 Posters 190.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • scottalanmillerS
      scottalanmiller @Dashrender
      last edited by

      @Dashrender said:

      @BRRABill said:

      If the data doesn't leave the building, no harm done.

      I don't agree with this. Once the employee has the data, the breach has happened. Because the employee has broken the rules and copied the data someplace it's not suppose to be. The employee is the breach.

      Exactly. Harm is done once data is exposed. Breach means... breach. The data is no longer controlled by the parties allowed to have access to it.

      BRRABillB 1 Reply Last reply Reply Quote 0
      • BRRABillB
        BRRABill @scottalanmiller
        last edited by

        @scottalanmiller said:

        Exactly. Harm is done once data is exposed. Breach means... breach. The data is no longer controlled by the parties allowed to have access to it.

        Technically if anyone sees data they aren't supposed to, it is a breach.

        Nurse forgets to lock her workstation, and the food delivery person sees it. Breach.

        scottalanmillerS 1 Reply Last reply Reply Quote 0
        • scottalanmillerS
          scottalanmiller @BRRABill
          last edited by

          @BRRABill said:

          Legal words:
          A breach of protected health information (“PHI”) is defined as the acquisition, access, use, or disclosure of unsecured PHI, in a manner not permitted by HIPAA, which poses a significant risk of financial, reputational, or other harm to the affected individual.7 Parsing this definition into its components, there must be: (1) an access to, or use or disclosure of unsecured PHI; (2) a use, access or disclosure that violates the “Privacy Rule” ( i.e., Subpart E of 45 C.F.R. 164); (3) a significant risk that such access, use or disclosure will cause financial, reputational, or other harm to the patient; and (4) no exceptions that apply.

          1: Access. The moment the data is moved, there is access.
          2: Once it is moved, again, it has been accessed
          3: Any access poses such a risk
          4: No Exception to the above.

          To me, the example I have, is unquestionably a breach. If your user puts data on a laptop without permission, it's a breach by HIPAA regulations.

          BRRABillB 1 Reply Last reply Reply Quote 0
          • DashrenderD
            Dashrender @BRRABill
            last edited by

            @BRRABill said:

            @scottalanmiller said:

            No, it's stolen. In ANY non HIPAA sense, once a thief has taken the data, it's stolen and is a breach. Maybe HIPAA does a cover up to protect facilities until a breach has become a detriment to an end user. This is just how corrupt the government is that they stop the use of terms like breach to hide that data has been stolen and exposure has happened but "nothing bad" with it has happened, that's just lying. And fine, maybe no HIPAA suit can happen. The facility would still be open to a civil suit, which should be far worse.

            I think this was in response to if an employees just stumbles across something they weren't supposed to.

            Technically a breach, but not reportable.

            Not a full on theft or malicious intent.

            I'm not really sure how that happens? The user just happened to have a USB drive plugged in? they just happened to accidentally choose a large number of patient files, and accidentally copied them to the USB stick?

            That's to many accidents for me.

            1 Reply Last reply Reply Quote 1
            • scottalanmillerS
              scottalanmiller @BRRABill
              last edited by

              @BRRABill said:

              @Dashrender said:

              I don't agree with this. Once the employee has the data, the breach has happened. Because the employee has broken the rules and copied the data someplace it's not suppose to be. The employee is the breach.

              There is a breach in the simplest definition of the word. But it might not be a HIPAA violation.

              But it meets all qualifications. All medical data poses significant risk. Any access meets the 1/2 requirements. 4 says no exceptions. So it's a HIPAA violation by the legal wording every time.

              1 Reply Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller @Dashrender
                last edited by

                @Dashrender said:

                @BRRABill said:

                @Dashrender said:

                The hospital should be in the clear. Assuming a few things of course. The employee had reasons to have access to the data in the first place, and the hospital has policies that state that users can't copy data on to memory sticks.

                They would still have to report the breach, including to the media.

                And be investigated by the OCR.

                And hope, as you said, they had covered all these things in the documentation and training. And REALLY hope they hadn't already been warned about it.

                In this situation if the hospital knew that this employee did in fact download this against company policy.. i think they'd have no choice but to report it, legally. Assuming they discovered is as soon as it happened, they could also report that the data was never at large risk, but the report I would think legally would still need to be made.

                Exactly. Any non-immediate reporting would be "covering up" a known breach.

                1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @BRRABill
                  last edited by

                  @BRRABill said:

                  @Dashrender said:

                  In this situation if the hospital knew that this employee did in fact download this against company policy.. i think they'd have no choice but to report it, legally. Assuming they discovered is as soon as it happened, they could also report that the data was never at large risk, but the report I would think legally would still need to be made.

                  It has been my understanding that this is up to the compliance team.

                  For example, if the drive was lost, but was lost while swimming, it could be assumed the data was lost. Or the laptop is gone, but was destroyed in a fire or something.

                  I don't see any allowance for that. The breach happened. I think that you are not considering the breach to have happened. By the time that the laptop was lost, we are past the point of the breach and the need to report it. Sure, they might get away with it given the situation, but they are skirting the law and getting away with a breach, not avoiding a breach.

                  BRRABillB 1 Reply Last reply Reply Quote 0
                  • BRRABillB
                    BRRABill @scottalanmiller
                    last edited by

                    @scottalanmiller said:

                    4: No Exception to the above.

                    It said no exceptions apply, not that there were no exceptions to #1-3

                    DashrenderD 1 Reply Last reply Reply Quote 0
                    • DashrenderD
                      Dashrender @BRRABill
                      last edited by

                      @BRRABill said:

                      @scottalanmiller said:

                      4: No Exception to the above.

                      It said no exceptions apply, not that there were no exceptions to #1-3

                      meaning, assuming not exceptions apply

                      1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @Dashrender
                        last edited by

                        @Dashrender said:

                        @BRRABill said:

                        @Dashrender said:

                        I don't agree with this. Once the employee has the data, the breach has happened. Because the employee has broken the rules and copied the data someplace it's not suppose to be. The employee is the breach.

                        I don't agree with your disagreement. 🙂

                        The employee should NEVER been given access to the data. That would definitely be considered a breach.

                        This is the problem I was talking about before.

                        Let's say your a nurse in Chicago, the same hospital that Michael Jordon goes to. other than the hospital putting special locks in place for celebrities, all medical staff in that hospital have access to his records. This is the common approach, and I have yet to see a single place do it differently.

                        Although any hospital can lock that down. That they choose to expose data in a way that IT would never do is their choice. It's just that medical professionals don't hold themselves to the same standards at their "best" than IT does at "entry point."

                        The common approach for hospitals is to be insecure, unprofessional and sloppy. Doesn't make it right.

                        DashrenderD 1 Reply Last reply Reply Quote 1
                        • scottalanmillerS
                          scottalanmiller @BRRABill
                          last edited by

                          @BRRABill said:

                          @scottalanmiller said:

                          That's what I am saying, yes. If the hospital secured the data and the end user stole it while having legitimate access that could not be prevented then the OCR could do nothing.

                          They still need to report the breach and get all sorts of legal, IT, and compliance teams involved though.

                          And the OCR would still investigate.

                          And like I said, they better hope they really did indeed secure it.

                          Why? The issue is the theft, not the security.

                          BRRABillB 1 Reply Last reply Reply Quote 0
                          • DashrenderD
                            Dashrender @scottalanmiller
                            last edited by Dashrender

                            @scottalanmiller said:

                            Although any hospital can lock that down. That they choose to expose data in a way that IT would never do is their choice. It's just that medical professionals don't hold themselves to the same standards at their "best" than IT does at "entry point."

                            The common approach for hospitals is to be insecure, unprofessional and sloppy. Doesn't make it right.

                            I'd love to hear an idea of a way to lock this down.

                            scottalanmillerS 1 Reply Last reply Reply Quote 0
                            • scottalanmillerS
                              scottalanmiller @BRRABill
                              last edited by

                              @BRRABill said:

                              @scottalanmiller said:

                              No, it's stolen. In ANY non HIPAA sense, once a thief has taken the data, it's stolen and is a breach. Maybe HIPAA does a cover up to protect facilities until a breach has become a detriment to an end user. This is just how corrupt the government is that they stop the use of terms like breach to hide that data has been stolen and exposure has happened but "nothing bad" with it has happened, that's just lying. And fine, maybe no HIPAA suit can happen. The facility would still be open to a civil suit, which should be far worse.

                              I think this was in response to if an employees just stumbles across something they weren't supposed to.

                              Technically a breach, but not reportable.

                              Not a full on theft or malicious intent.

                              But we were talking about an employee stealing data by taking it from a system where it is protected and moving it by their own choice and against policy to an end point where they are not allowed to - committing a theft of the data (even though it is still, at the moment, on potentially hospital owned equipment.) They've committed the theft. Whether they are doing it because they are lazy or plan to sell it, it's a breach of policy, a breach of patient rights, a breach of data, a breach of HIPAA, a breach of trust.

                              1 Reply Last reply Reply Quote 0
                              • scottalanmillerS
                                scottalanmiller @BRRABill
                                last edited by

                                @BRRABill said:

                                @scottalanmiller said:

                                Exactly. Harm is done once data is exposed. Breach means... breach. The data is no longer controlled by the parties allowed to have access to it.

                                Technically if anyone sees data they aren't supposed to, it is a breach.

                                Nurse forgets to lock her workstation, and the food delivery person sees it. Breach.

                                Yup. that's one by accident, but absolutely.

                                1 Reply Last reply Reply Quote 0
                                • scottalanmillerS
                                  scottalanmiller @Dashrender
                                  last edited by

                                  @Dashrender said:

                                  @scottalanmiller said:

                                  Although any hospital can lock that down. That they choose to expose data in a way that IT would never do is their choice. It's just that medical professionals don't hold themselves to the same standards at their "best" than IT does at "entry point."

                                  The common approach for hospitals is to be insecure, unprofessional and sloppy. Doesn't make it right.

                                  I'd love to hear an idea of a way to lock this down.

                                  Same way we do for anything in IT. Think about a ticket system. You only get access to tickets you or your department are working on, not all tickets. Nurses probably can't be locked to a single patient, but they can be easily locked to patients on their floor, under their care, in their department, working with a doctor to whom a nurse is assigned, etc. It's just the concept of least privilege access.

                                  Hospitals, we assume, know who is to work where. It's not a free for all with no oversight. We should know what doctors, nurses and techs should have access to which patients.

                                  1 Reply Last reply Reply Quote 0
                                  • BRRABillB
                                    BRRABill @scottalanmiller
                                    last edited by

                                    @scottalanmiller said:

                                    I don't see any allowance for that. The breach happened. I think that you are not considering the breach to have happened. By the time that the laptop was lost, we are past the point of the breach and the need to report it. Sure, they might get away with it given the situation, but they are skirting the law and getting away with a breach, not avoiding a breach.

                                    Not every breach needs to be reported. That is what legal and compliance teams are for.

                                    For example, the SED. If you lose a laptop that in encrypted to their standards, it is exempt from reporting requirements.

                                    “Covered entities and business associates that implement the specified technologies and methodologies with respect to protected health information are not required to provide notifications in the event of a breach of such information–that is, the information is not considered ‘unsecured’ in such cases. ” [78 Federal Register 5639] Finally, “[w]e encourage covered entities and business associates to take advantage of the safe harbor provision of the breach notification rule by encrypting limited data sets and other protected health information pursuant to the Guidance. If protected health information is encrypted pursuant to this guidance, then no breach notification is required following an impermissible use or disclosure of the information.”

                                    scottalanmillerS 1 Reply Last reply Reply Quote 0
                                    • BRRABillB
                                      BRRABill @scottalanmiller
                                      last edited by

                                      @scottalanmiller said:

                                      Why? The issue is the theft, not the security.

                                      Because it is a breach and breaches over 500 records need to be reported, or at least investigated to be reported.

                                      scottalanmillerS 1 Reply Last reply Reply Quote 0
                                      • scottalanmillerS
                                        scottalanmiller @BRRABill
                                        last edited by

                                        @BRRABill said:

                                        @scottalanmiller said:

                                        I don't see any allowance for that. The breach happened. I think that you are not considering the breach to have happened. By the time that the laptop was lost, we are past the point of the breach and the need to report it. Sure, they might get away with it given the situation, but they are skirting the law and getting away with a breach, not avoiding a breach.

                                        Not every breach needs to be reported. That is what legal and compliance teams are for.

                                        For example, the SED. If you lose a laptop that in encrypted to their standards, it is exempt from reporting requirements.

                                        “Covered entities and business associates that implement the specified technologies and methodologies with respect to protected health information are not required to provide notifications in the event of a breach of such information–that is, the information is not considered ‘unsecured’ in such cases. ” [78 Federal Register 5639] Finally, “[w]e encourage covered entities and business associates to take advantage of the safe harbor provision of the breach notification rule by encrypting limited data sets and other protected health information pursuant to the Guidance. If protected health information is encrypted pursuant to this guidance, then no breach notification is required following an impermissible use or disclosure of the information.”

                                        I don't agree. If someone has downloaded without permission to the laptop, encryption or not, the data is stolen and out of the hospital's control. You are talking about cases where the data was allowed to be there, we are talking about where "there" is the transfer point of an ongoing theft.

                                        HIPAA might protect you in the case of this and help with a cover up - but your facility is still going to get destroyed by the media if that data gets released and no one will care that the laptop was "encrypted", only that you allowed data to leave the facility.

                                        BRRABillB 1 Reply Last reply Reply Quote 1
                                        • scottalanmillerS
                                          scottalanmiller @BRRABill
                                          last edited by

                                          @BRRABill said:

                                          @scottalanmiller said:

                                          Why? The issue is the theft, not the security.

                                          Because it is a breach and breaches over 500 records need to be reported, or at least investigated to be reported.

                                          Yes, but the theft was not related to your security. What's there to investigate? Has nothing to do with IT.

                                          1 Reply Last reply Reply Quote 0
                                          • BRRABillB
                                            BRRABill
                                            last edited by

                                            I don't think the breaches comes from doctor and nurses. If you look at the data, it seems to me to be the behind the scenes people.

                                            Look at his. Puch.
                                            Under a settlement with the U.S. Department of Health and Human Services (HHS), Affinity Health Plan, Inc. will settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780. OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives.

                                            scottalanmillerS 2 Replies Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 9
                                            • 10
                                            • 11
                                            • 12
                                            • 13
                                            • 17
                                            • 18
                                            • 11 / 18
                                            • First post
                                              Last post