Archive for Encryption
The National Cybersecurity Center of Excellence (NCCoE) is publishing a new series of guides to show healthcare professionals and organizations how to improve their cybersecurity measures to protect health information systems with standards-based, commercially available, or open-source tools.
The NCCoE released a draft version of the first guide in the series, “Securing Electronic Records on Mobile Devices,” July 23 for public comment. The step-by-step guide demonstrates how to use smartphones or tablets for patient care without spreading sensitive data across the digital stratosphere.
A California hospital network that agreed to a $4.13 million settlement of a class-action lawsuit for exposing the PHI of more than 32,000 patients is now getting pushback from its liability insurance provider about paying the claims.
In December 2013, it was discovered that the health system and a third-party vendor, InSync, had stored patients’ unencrypted electronic medical records on a database accessible from the Internet. So, potentially, patients’ PHI could have shown up in an online search engine for the world to see. There was no evidence that this actually happened at the time, but Cottage Health had to notify 32,755 patients that their PHI may have been publicly exposed.
The health system then agreed to settle a class-action lawsuit brought by the patients. Chicago-based Columbia Casualty Company, Cottage Health’s liability insurer, paid the bill but then filed a complaint in federal court in May 2015, seeking repayment of the insurance claims.
A password-protected unencrypted laptop containing the PHI of approximately 8,000 patients was reported missing from Riverside County Regional Medical Center in Moreno Valley, California, according to The Press Enterprise.
A breach notification letter sent to affected patients states that the medical center learned December 1, 2014, about the missing laptop that was used by its ophthalmology and dermatology clinics. This is the second time in less than a year that the medical center reported a missing laptop, according to The Press Enterprise.
The medical center notified law enforcement and began its own internal investigation, but was unable to find the laptop at the time of the January 29, 2015 letter, which states that the laptop may have contained the following patient information:
- Dates of birth
- Telephone numbers
- Social Security numbers
- Treating physician or department
- Diagnosis and treatment information
- Medical record number
- Medical service code
- Health insurance information
The medical center does not believe the laptop was taken in an effort to access or misuse patient information. However, it is offering identity protection alerts for affected patients, according to the letter.
Submit your HIPAA questions to Editor Jaclyn Fitzgerald at email@example.com and we will work with our experts to provide the information you need.
Q. I realize that when determining whether a breach is reportable, an organization must determine whether the ePHI was secure. However, if a covered entity or business associate uses encryption to secure ePHI contained in zipped encrypted archives that are then sent via email, must the method of encryption be Federal Information Processing Standard compliant to obtain safe harbor?
A. If the zip file is encrypted at the level set by the National Institute of Standards and Technology (NIST) and the password for decrypting the zip file is not sent in the same email, it falls within the NIST safe harbor. Generally, if a file is encrypted at 128 bits, it meets the safe harbor standard. Ensuring that the file compression software used meets the NIST standard is a good idea. If the software does not meet this standard, it may lead to a reportable breach.
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
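The answer above turns on whether the archive's encryption is AES at 128 bits or stronger rather than the legacy "ZipCrypto" scheme that some compression tools still use. The following is an added example, not code from the column or its author, that reads a zip archive's central directory and reports each entry's encryption method; it assumes the WinZip AE-x convention (compression method 99 plus extra field id 0x9901 carrying the key strength), and the function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

AES_EXTRA_ID = 0x9901                    # WinZip AE-x extra-field header id
AES_STRENGTH = {1: 128, 2: 192, 3: 256}  # strength byte -> AES key bits

def classify_entry(flag_bits, compress_type, extra):
    """Label one entry 'unencrypted', 'ZipCrypto' (legacy) or 'AES-<bits>'."""
    if not flag_bits & 0x0001:           # general-purpose bit 0: entry is encrypted
        return "unencrypted"
    pos = 0                              # walk the extra field one block at a time
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        if hid == AES_EXTRA_ID and size >= 7:
            strength = extra[pos + 8]    # after version (2 bytes) and vendor 'AE' (2 bytes)
            return f"AES-{AES_STRENGTH.get(strength, '?')}"
        pos += 4 + size
    return "AES-?" if compress_type == 99 else "ZipCrypto"

def audit_zip(data):
    """Map each entry name in a zip (given as bytes) to its encryption label."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {zi.filename: classify_entry(zi.flag_bits, zi.compress_type, zi.extra)
                for zi in zf.infolist()}

def meets_128_bit_floor(data):
    """True only if every entry is AES-encrypted at 128 bits or stronger."""
    return all(l.startswith("AES-") and l[4:].isdigit() and int(l[4:]) >= 128
               for l in audit_zip(data).values())

def build_sample_zip(entries):
    """Construct a minimal zip from (name, flags, method, extra, payload) tuples; test data only."""
    local, central = b"", b""
    for name, flags, method, extra, payload in entries:
        name_b, offset = name.encode(), len(local)
        hdr = struct.pack("<HHHHHIIIHH", 20, flags, method, 0, 0, 0,
                          len(payload), len(payload), len(name_b), len(extra))
        local += b"PK\x03\x04" + hdr + name_b + extra + payload
        central += (b"PK\x01\x02" + struct.pack("<H", 20) + hdr
                    + struct.pack("<HHHII", 0, 0, 0, 0, offset) + name_b + extra)
    eocd = struct.pack("<HHHHIIH", 0, 0, len(entries), len(entries), len(central), len(local), 0)
    return local + central + b"PK\x05\x06" + eocd

def aes_extra(strength):  # WinZip AE-2 extra field: id, size 7, version, vendor, strength, method
    return struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", strength, 8)

# Constructed sample archive: one plain entry, one legacy ZipCrypto entry, one AES-256 entry.
SAMPLE = build_sample_zip([("notes.txt", 0x0000, 0, b"", b"plain text"),
                           ("legacy.csv", 0x0001, 0, b"", b"\x00" * 16),
                           ("records.csv", 0x0001, 99, aes_extra(3), b"\x00" * 16)])
```

Running `audit_zip` over an archive before it leaves the organization flags entries that a compression tool protected with the legacy scheme only, which would not satisfy the 128-bit floor the answer describes.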