Local Encryption ... Why Not?
-
@Dashrender said:
This is the problem I was talking about before.
Let's say your a nurse in Chicago, the same hospital that Michael Jordon goes to. other than the hospital putting special locks in place for celebrities, all medical staff in that hospital have access to his records. This is the common approach, and I have yet to see a single place do it differently.
It's a training/HR issue.
There would still be a reportable breach, but it might not incur a HIPAA fine.
Actually, if it is just him, it's not a reportable breach.
-
@BRRABill said:
@scottalanmiller said:
Well.... it makes you feel like you are reasonably secure to a minimum level, right? That is the illusion.
I feel much more than minimally secure.
Are you that certain someone can hack my SED?
Well yes, I'm decently confident. But more importantly, why are you so certain that they cannot?
-
@scottalanmiller said:
Well yes, I'm decently confident. But more importantly, why are you so certain that they cannot?
Because my password is DA BOMB.
-
^^ kind of joking
-
@BRRABill said:
@scottalanmiller said:
Employers are NOT required to protect the data. They are only required to provide reasonable protection attempts. An authorized user with appropriate use deciding to misuse or steal data by putting it on their desktop would be no different than any theft. Are you saying that if any employee at your customers now just grabbed data that they were using and ran out the door with it that you would be fined for having been compromised even though no security of yours was compromised?
Employee "steals" data from their local hospital they are not allowed to have access to and puts it on a USB drive.
USB drive get stolen.
Local newspaper finds out about the PHI on the USB drive, does story.
OCR goes after ... the thief, you say? The hospital is in the clear?That's what I am saying, yes. If the hospital secured the data and the end user stole it while having legitimate access that could not be prevented then the OCR could do nothing.
-
@scottalanmiller said:
That's what I am saying, yes. If the hospital secured the data and the end user stole it while having legitimate access that could not be prevented then the OCR could do nothing.
They still need to report the breach and get all sorts of legal, IT, and compliance teams involved though.
And the OCR would still investigate.
And like I said, they better hope they really did indeed secure it.
-
@BRRABill said:
@scottalanmiller said:
Wouldn't it be a breach the moment that someone took data and removed it from the allowed security system and exposed it? It may not have been used maliciously yet. But it has been taken already. It sounds like you only consider it a breach once it has been misused, not just when it has been removed.
Similar to saying a bank isn't robbed when the money is stolen, only when the stolen money is used to buy things.
Legal words:
A breach of protected health information (“PHI”) is defined as the acquisition, access, use, or disclosure of unsecured PHI, in a manner not permitted by HIPAA, which poses a significant risk of financial, reputational, or other harm to the affected individual.7 Parsing this definition into its components, there must be: (1) an access to, or use or disclosure of unsecured PHI; (2) a use, access or disclosure that violates the “Privacy Rule” ( i.e., Subpart E of 45 C.F.R. 164); (3) a significant risk that such access, use or disclosure will cause financial, reputational, or other harm to the patient; and (4) no exceptions that apply.If the data doesn't leave the building, no harm done.
If someone's ex looks up information on whether someone has an STD, and tells people about it. Harm has been done. (True story.)
In your bank robbing example, it would be like if they rob the bank, but leave the money there. Or like someone just put the money in the wrong place, but it never actually got stolen.
No, it's stolen. In ANY non HIPAA sense, once a thief has taken the data, it's stolen and is a breach. Maybe HIPAA does a cover up to protect facilities until a breach has become a detriment to an end user. This is just how corrupt the government is that they stop the use of terms like breach to hide that data has been stolen and exposure has happened but "nothing bad" with it has happened, that's just lying. And fine, maybe no HIPAA suit can happen. The facility would still be open to a civil suit, which should be far worse.
-
@scottalanmiller said:
No, it's stolen. In ANY non HIPAA sense, once a thief has taken the data, it's stolen and is a breach. Maybe HIPAA does a cover up to protect facilities until a breach has become a detriment to an end user. This is just how corrupt the government is that they stop the use of terms like breach to hide that data has been stolen and exposure has happened but "nothing bad" with it has happened, that's just lying. And fine, maybe no HIPAA suit can happen. The facility would still be open to a civil suit, which should be far worse.
I think this was in response to if an employees just stumbles across something they weren't supposed to.
Technically a breach, but not reportable.
Not a full on theft or malicious intent.
-
@Dashrender said:
@BRRABill said:
If the data doesn't leave the building, no harm done.
I don't agree with this. Once the employee has the data, the breach has happened. Because the employee has broken the rules and copied the data someplace it's not suppose to be. The employee is the breach.
Exactly. Harm is done once data is exposed. Breach means... breach. The data is no longer controlled by the parties allowed to have access to it.
-
@scottalanmiller said:
Exactly. Harm is done once data is exposed. Breach means... breach. The data is no longer controlled by the parties allowed to have access to it.
Technically if anyone sees data they aren't supposed to, it is a breach.
Nurse forgets to lock her workstation, and the food delivery person sees it. Breach.
-
@BRRABill said:
Legal words:
A breach of protected health information (“PHI”) is defined as the acquisition, access, use, or disclosure of unsecured PHI, in a manner not permitted by HIPAA, which poses a significant risk of financial, reputational, or other harm to the affected individual.7 Parsing this definition into its components, there must be: (1) an access to, or use or disclosure of unsecured PHI; (2) a use, access or disclosure that violates the “Privacy Rule” ( i.e., Subpart E of 45 C.F.R. 164); (3) a significant risk that such access, use or disclosure will cause financial, reputational, or other harm to the patient; and (4) no exceptions that apply.1: Access. The moment the data is moved, there is access.
2: Once it is moved, again, it has been accessed
3: Any access poses such a risk
4: No Exception to the above.To me, the example I have, is unquestionably a breach. If your user puts data on a laptop without permission, it's a breach by HIPAA regulations.
-
@BRRABill said:
@scottalanmiller said:
No, it's stolen. In ANY non HIPAA sense, once a thief has taken the data, it's stolen and is a breach. Maybe HIPAA does a cover up to protect facilities until a breach has become a detriment to an end user. This is just how corrupt the government is that they stop the use of terms like breach to hide that data has been stolen and exposure has happened but "nothing bad" with it has happened, that's just lying. And fine, maybe no HIPAA suit can happen. The facility would still be open to a civil suit, which should be far worse.
I think this was in response to if an employees just stumbles across something they weren't supposed to.
Technically a breach, but not reportable.
Not a full on theft or malicious intent.
I'm not really sure how that happens? The user just happened to have a USB drive plugged in? they just happened to accidentally choose a large number of patient files, and accidentally copied them to the USB stick?
That's to many accidents for me.
-
@BRRABill said:
@Dashrender said:
I don't agree with this. Once the employee has the data, the breach has happened. Because the employee has broken the rules and copied the data someplace it's not suppose to be. The employee is the breach.
There is a breach in the simplest definition of the word. But it might not be a HIPAA violation.
But it meets all qualifications. All medical data poses significant risk. Any access meets the 1/2 requirements. 4 says no exceptions. So it's a HIPAA violation by the legal wording every time.
-
@Dashrender said:
@BRRABill said:
@Dashrender said:
The hospital should be in the clear. Assuming a few things of course. The employee had reasons to have access to the data in the first place, and the hospital has policies that state that users can't copy data on to memory sticks.
They would still have to report the breach, including to the media.
And be investigated by the OCR.
And hope, as you said, they had covered all these things in the documentation and training. And REALLY hope they hadn't already been warned about it.
In this situation if the hospital knew that this employee did in fact download this against company policy.. i think they'd have no choice but to report it, legally. Assuming they discovered is as soon as it happened, they could also report that the data was never at large risk, but the report I would think legally would still need to be made.
Exactly. Any non-immediate reporting would be "covering up" a known breach.
-
@BRRABill said:
@Dashrender said:
In this situation if the hospital knew that this employee did in fact download this against company policy.. i think they'd have no choice but to report it, legally. Assuming they discovered is as soon as it happened, they could also report that the data was never at large risk, but the report I would think legally would still need to be made.
It has been my understanding that this is up to the compliance team.
For example, if the drive was lost, but was lost while swimming, it could be assumed the data was lost. Or the laptop is gone, but was destroyed in a fire or something.
I don't see any allowance for that. The breach happened. I think that you are not considering the breach to have happened. By the time that the laptop was lost, we are past the point of the breach and the need to report it. Sure, they might get away with it given the situation, but they are skirting the law and getting away with a breach, not avoiding a breach.
-
@scottalanmiller said:
4: No Exception to the above.
It said no exceptions apply, not that there were no exceptions to #1-3
-
@BRRABill said:
@scottalanmiller said:
4: No Exception to the above.
It said no exceptions apply, not that there were no exceptions to #1-3
meaning, assuming not exceptions apply
-
@Dashrender said:
@BRRABill said:
@Dashrender said:
I don't agree with this. Once the employee has the data, the breach has happened. Because the employee has broken the rules and copied the data someplace it's not suppose to be. The employee is the breach.
I don't agree with your disagreement.
The employee should NEVER been given access to the data. That would definitely be considered a breach.
This is the problem I was talking about before.
Let's say your a nurse in Chicago, the same hospital that Michael Jordon goes to. other than the hospital putting special locks in place for celebrities, all medical staff in that hospital have access to his records. This is the common approach, and I have yet to see a single place do it differently.
Although any hospital can lock that down. That they choose to expose data in a way that IT would never do is their choice. It's just that medical professionals don't hold themselves to the same standards at their "best" than IT does at "entry point."
The common approach for hospitals is to be insecure, unprofessional and sloppy. Doesn't make it right.
-
@BRRABill said:
@scottalanmiller said:
That's what I am saying, yes. If the hospital secured the data and the end user stole it while having legitimate access that could not be prevented then the OCR could do nothing.
They still need to report the breach and get all sorts of legal, IT, and compliance teams involved though.
And the OCR would still investigate.
And like I said, they better hope they really did indeed secure it.
Why? The issue is the theft, not the security.
-
@scottalanmiller said:
Although any hospital can lock that down. That they choose to expose data in a way that IT would never do is their choice. It's just that medical professionals don't hold themselves to the same standards at their "best" than IT does at "entry point."
The common approach for hospitals is to be insecure, unprofessional and sloppy. Doesn't make it right.
I'd love to hear an idea of a way to lock this down.
