The US government have been busy, busy bees this week. The US Department of Health and Human Services (HHS) has announced a settlement with the State of Alaska's Department of Health and Social Services (DHSS) for $1.7 million resulting from HIPAA violations.
The Health Insurance Portability and Accountability Act (HIPAA) is a large piece of legislation, but the part I care about the most are the requirements for training and protection of ePHI (electronic protected health information).
It all began when a USB hard disk was stolen from the car of a DHSS IT worker. Considering the device was not encrypted and the state was unsure if it contained ePHI they had to file a report with HHS to comply with the HITECH Act (Health Information Technology for Economic and Clinical Health).
That is when everything started to unravel. HHS began an investigation looking into the incident and discovered that DHSS didn't have adequate policies and procedures in place to protect ePHI.
More damning was the fact that DHSS had not completed a risk analysis, implemented risk management procedures, required security training for its employees, implemented device and media controls or encrypted all media and devices that might contain ePHI.
Unfortunately this goes to show that our governments are similarly inept at data protection as the private sector.
The good news is no fraud has been reported related to the loss of this hard drive and this was an opportunity for HHS to discover the lack of compliance before another incident occurs.
In addition to the fine, DHSS has agreed to a corrective action plan that includes training for employees, monitoring and some specific data protection procedures. The state will be required to:
- Implement procedures for tracking devices containing ePHI.
- Implement procedures for safeguarding devices containing ePHI.
- Implement procedures for encrypting devices containing ePHI.
- Implement procedures for securely disposing of or reusing devices that contain ePHI.
- Implement procedures for responding to security incidents.
- Implement procedures for applying sanctions to employees who violate any of these policies and procedures
All of this amazing technology and data storage capacity have enabled amazing improvements in efficiency for businesses and governments alike. But like all great things, it comes at a cost.
We must not just collect massive quantities of information, but protect that information while it is useful and have a plan to securely delete that information when it is no longer needed.
Whatever type of sensitive information your organization gathers, the easiest way to ensure it isn't stolen, leaked by hackers or accidentally discovered on an old USB key is to protect the information from the beginning.
Rather than worry about whether something is a mobile device or removable drive, encrypt it anyway. Base your decisions of what the information is, rather than where it is.
You never know where the data may end up in the end and the job is a lot easier if you protect it based on what, not where.Follow @chetwisniewski