Local Encryption ... Why Not?
-
@BRRABill said:
Look at this. Ouch.
Under a settlement with the U.S. Department of Health and Human Services (HHS), Affinity Health Plan, Inc. will settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780. OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives.
Yup, medical centers are sloppy, no doubt there.
-
@scottalanmiller said:
I don't agree. If someone has downloaded without permission to the laptop, encryption or not, the data is stolen and out of the hospital's control. You are talking about cases where the data was allowed to be there, we are talking about where "there" is the transfer point of an ongoing theft.
HIPAA might protect you in the case of this and help with a cover up - but your facility is still going to get destroyed by the media if that data gets released and no one will care that the laptop was "encrypted", only that you allowed data to leave the facility.
I'm just saying that the cases are looked at, and in certain times (encrypted data, less than 500 records) it does not need to be reported.
-
@scottalanmiller said:
That's possibly true. Although I know from this past week of nurses violating HIPAA left and right telling patients in facilities about other patients in the same facility.
In 2015 that is just ridiculous.
-
@scottalanmiller said:
We are talking about an employee who has legitimate access to data to do their job and decides to take that data out of your systems and steal it. There is no technical means of preventing this, this is data that the end user was allowed to have and decided to steal. There is nothing to investigate except for the end user.
It is YOUR data that was used improperly. It is a breach and has to be reported.
If YOU did everything you were supposed to, you will be fine.
But it is still a loss of your data.
-
@BRRABill said:
@scottalanmiller said:
That's possibly true. Although I know from this past week of nurses violating HIPAA left and right telling patients in facilities about other patients in the same facility.
In 2015 that is just ridiculous.
I've seen just about zero change of behaviour in medical professionals after HIPAA. Data is just disclosed left and right.
I wonder if you have to disclose breaches when you have nurses who just openly talk about patients. Do they classify that as just one breach at a time, so tons and tons of one-record breaches? Or is that one nurse (and it was many) accountable for the cumulative exposure of more than 500 over time? How close in chronological time do exposures have to be to constitute a breach?
-
@BRRABill said:
@scottalanmiller said:
We are talking about an employee who has legitimate access to data to do their job and decides to take that data out of your systems and steal it. There is no technical means of preventing this, this is data that the end user was allowed to have and decided to steal. There is nothing to investigate except for the end user.
It is YOUR data that was used improperly. It is a breach and has to be reported.
If YOU did everything you were supposed to, you will be fine.
But it is still a loss of your data.
Sure, has to be reported. Has to be investigated. No question there. Just saying, if the breach happened outside of the IT systems, IT doesn't even need to be investigated, as the data was outside of controls when it happened.
-
I know that just last year Baylor hospital system was using HIPAA violations to pull medical records to use in attempts to extort money from family members of patients in Texas.
-
@scottalanmiller said:
I know that just last year Baylor hospital system was using HIPAA violations to pull medical records to use in attempts to extort money from family members of patients in Texas.
I mean, that is the reasoning behind it.
Or to prevent a corporation from mining the patient data for profit.
The joke it has evolved into is ridiculous.
-
@BRRABill said:
@scottalanmiller said:
I know that just last year Baylor hospital system was using HIPAA violations to pull medical records to use in attempts to extort money from family members of patients in Texas.
I mean, that is the reasoning behind it.
Or to prevent a corporation from mining the patient data for profit.
The joke it has evolved into is ridiculous.
Yup, and mining for profit is what they were doing there. And because there isn't a public, mass breach but just individuals being extorted, there is no way to get HIPAA involved by the public who are being extorted.
-
This thread shot to the top of the most popular charts pretty quickly!
-
@scottalanmiller said:
This thread shot to the top of the most popular charts pretty quickly!
And it's not even really done yet.
Though to be fair, it kind of delved out into the HIPAA landscape, which was inevitable but not necessarily desirable.
-
Yes, the original question was more generic. HIPAA has much better reasons to look at general encryption.
-
Most topics here tend to branch out... sometimes not too far out (like this one)... and other times, they branch out into left field in somebody else's baseball park, lol.
-
@dafyre said:
Most topics tend to branch out...
FTFY. It is the nature of conversations. Go to the diner with friends, sit around having coffee for a few hours, and a topic that starts things, like the weather or the nature of freedom or whether we really exist at all, will lead from one topic into another and take tangents and sometimes return and sometimes not. Conversations naturally go in all different directions.
That it happens here too is both just organic and it is an intrinsic nature of a community and discussion forum rather than being a Q&A forum a la StackOverflow.
-
@scottalanmiller said:
FTFY. It is the nature of conversations. Go to the diner with friends, sit around having coffee for a few hours, and a topic that starts things, like the weather or the nature of freedom or whether we really exist at all, will lead from one topic into another and take tangents and sometimes return and sometimes not. Conversations naturally go in all different directions.
That it happens here too is both just organic and it is an intrinsic nature of a community and discussion forum rather than being a Q&A forum a la StackOverflow.
Are you purposely trying to branch this out into a THIRD discussion?
-
It just happens organically.
-
So bringing this offshoot back here.
I think I now understand what you are talking about: if it makes sense, store all the data in the cloud, and work on none of it locally.
However, if there is a need to produce something locally, it might be needed to bring it down, and hence you would need to secure it in whatever way deemed necessary.
For example, doing a postal mailing from a list of PHI from a medical client.
-
@BRRABill said:
So bringing this offshoot back here.
I think I now understand what you are talking about: if it makes sense, store all the data in the cloud, and work on none of it locally.
However, if there is a need to produce something locally, it might be needed to bring it down, and hence you would need to secure it in whatever way deemed necessary.
Right. And then upload it back to your non-local storage after you have finished working with it.
-
@BRRABill said:
So bringing this offshoot back here.
I think I now understand what you are talking about: if it makes sense, store all the data in the cloud, and work on none of it locally.
However, if there is a need to produce something locally, it might be needed to bring it down, and hence you would need to secure it in whatever way deemed necessary.
For example, doing a postal mailing from a list of PHI from a medical client.
Any reason that you would want to do the printing with data locally on the end client rather than directly from the SaaS application?