Advocate Medical Breach: No Encryption?

Computer Theft Raises Questions About Unencrypted Devices

By Marianne Kolbasuk McGee, August 27, 2013.

The recent theft of four unencrypted desktop computers from a Chicago area physician group practice may result in the second biggest healthcare breach ever reported to federal regulators. But the bigger issue is: Why do breaches involving unencrypted computer devices still occur?


According to the Department of Health and Human Services' "wall of shame" website listing 646 breaches impacting 500 or more individuals since September 2009, more than half of the incidents involved lost or stolen unencrypted devices. Incidents involving data secured by encryption do not have to be reported to HHS.

On Sept. 23, HHS will begin enforcement actions for breaches under the HIPAA Omnibus final rule, which formally raises penalties to $1.5 million per HIPAA violation. So the stakes are getting higher for breach prevention by covered entities, as well as by their business associates, who are now directly liable for HIPAA compliance under HIPAA Omnibus.

Still, there are several reasons why organizations aren't encrypting their computing devices, security experts say. They include a lack of understanding about what should be encrypted and how encryption should be implemented, not enough support and governance from senior leaders, and insufficient resources.

Advocate Medical Breach

The four unencrypted but password-protected computers stolen during a burglary in July from an office of Advocate Medical Group in Illinois may have exposed information of about 4 million patients, according to an Advocate spokesman.

The largest breach on the HHS website is a 2011 incident involving TRICARE, the military health program, and its business associate SAIC. The loss of unencrypted storage devices in that incident affected 4.9 million individuals.

Information on the Advocate computers may have included names, addresses, dates of birth, Social Security numbers and certain clinical information, such as diagnoses, medical records numbers, medical service codes and health insurance information, according to a statement posted on Advocate's website. Complete medical records were not on the computers, the statement says.

Advocate "is reinforcing [its] security protocols and encryption program with associates," the website statement says. In a statement to Information Security Media Group, an Advocate spokesman also says the organization "is taking aggressive steps to reduce the possibility of this happening again, including the addition of 24/7 security personnel at this facility as well as accelerated deployment of enhanced technical safeguards."

Why Not Encrypt?

While many of those other "wall of shame" incidents involved mobile computing gear, some security experts say it's not surprising that the stolen Advocate desktops also were unencrypted.

For one, many organizations that have finally gotten the message to encrypt mobile computing devices still don't encrypt desktop computers, reasoning that desktops are usually located in locked offices, says security specialist Rebecca Herold, partner at the Compliance Helper and CEO of The Privacy Professor, a consulting firm.

"A lot of covered entities don't encrypt computers in facilities because there is physical security to keep people out," she says. On top of that, many desktops might be older models, and so organizations are not sure what encryption to implement. Often the encryption used for mobile devices doesn't work with desktops, she says. "There's a lack of understanding of info security risk mitigation."

At many smaller organizations, encryption is neglected because of the lack of skills to implement the technology. But at larger entities, the oversight is often a result of the challenge of locating all their computing equipment, says Bill Miaoulis, founder of consulting firm HIPAA Security and Privacy Advisors in Birmingham, Ala. For many organizations of any size, it boils down to the willingness to gamble, he says. "There's still a lot of ignorance about the risks, the implications and the consequences."

Follow Marianne Kolbasuk McGee on Twitter: @HealthInfoSec
