It was bad enough that robbers stole a laptop and a cell phone from a physician, but in a unique twist, the assailants forced the physician to disclose the password and encryption keys to the encrypted data on the laptop. Even as enterprises work to protect their data from cyber criminals, unique incidents such as the reported armed robbery at the Brigham and Women’s Hospital campus show how data breaches can result from coercion rather than from technical compromise.
From the initial investigation, it appears that the devices held information on around 1,000 patients who were treated in the hospital’s neurology and neurosurgery programs between October 2011 and September 2014, including patient names and possibly medical record numbers, ages, medications, and information about diagnosis and treatment.
Even though the data on the stolen devices was encrypted, this was a reportable incident to HHS: a risk analysis and vulnerability assessment would have established the high risk of storing PHI on portable devices, even where remote wiping of the data is possible. Lost or stolen unencrypted devices have been the primary cause of the breaches listed on HHS’ ‘Wall of Shame’. Brigham and Women’s Hospital had earlier, in 2011, lost an unencrypted portable computing device in a breach affecting 638 individuals, and again in 2012 suffered the theft of an unencrypted desktop computer in a breach affecting 615 individuals.
Most health care establishments have spent large amounts on building firewalls and encrypting their data. In spite of this encryption, the new trend in unusual circumstances could involve the forceful extraction of access credentials!
Today’s environment is one in which PHI is becoming more valuable than credit card data. Further, with the Department of Health and Human Services confirming that the major data breach incidents during 2013 involved thefts of unencrypted computers, enterprises have taken proactive steps to protect themselves from data breaches, given that non-compliance with the HIPAA Omnibus rule could cost healthcare providers and their business associates as much as $1.5 million in penalties per violation.
A proactive measure is to effectively assess all security vulnerabilities and the risks involved using solutions such as Aegify Security Posture Management and Aegify SecureGRC, which have proven to be extremely useful in preventing data breaches.