The recent theft of four unencrypted desktop computers from a Chicago area physician group practice may result in the second biggest healthcare breach ever reported to federal regulators. But the bigger issue is: Why do breaches involving unencrypted computer devices still occur?
According to the Department of Health and Human Services' "wall of shame" website listing 646 breaches impacting 500 or more individuals since September 2009, more than half of the incidents involved lost or stolen unencrypted devices. Incidents involving data secured by encryption do not have to be reported to HHS.
On Sept. 23, HHS will begin enforcement actions for breaches under the HIPAA Omnibus final rule, which formally raises penalties to $1.5 million per HIPAA violation. So the stakes are getting higher for breach prevention by covered entities - as well as their business associates, who are now directly liable for HIPAA compliance under HIPAA Omnibus.
Still, there are several reasons why organizations aren't encrypting their computing devices, security experts say. They include a lack of understanding about what should be encrypted and how encryption should be implemented, not enough support and governance from senior leaders, and insufficient resources.
Advocate Medical Breach
The four unencrypted but password-protected computers stolen during a burglary in July from an office of Advocate Medical Group in Illinois may have exposed information of about 4 million patients, according to an Advocate spokesman.
The largest breach on the HHS website is a 2011 incident involving TRICARE, the military health program, and its business associate SAIC. The loss of unencrypted storage devices in that incident affected 4.9 million individuals.
Information on the Advocate computers may have included names, addresses, dates of birth, Social Security numbers and certain clinical information, such as diagnoses, medical records numbers, medical service codes and health insurance information, according to a statement posted on Advocate's website. Complete medical records were not on the computers, the statement says.
Advocate "is reinforcing [its] security protocols and encryption program with associates," the website statement says. In a statement to Information Security Media Group, an Advocate spokesman also says the organization "is taking aggressive steps to reduce the possibility of this happening again, including the addition of 24/7 security personnel at this facility as well as accelerated deployment of enhanced technical safeguards."
Why Not Encrypt?
While many of those other "wall of shame" incidents involved mobile computing gear, some security experts say it's not surprising that the stolen Advocate desktops also were unencrypted.
For one, many organizations that have finally gotten the message to encrypt mobile computing devices still do not encrypt desktop computers, reasoning that desktops are usually located in locked offices, says security specialist Rebecca Herold, partner at the Compliance Helper and CEO of The Privacy Professor, a consulting firm.
"A lot of covered entities don't encrypt computers in facilities because there is physical security to keep people out," she says. On top of that, many desktops might be older models, and so organizations are not sure what encryption to implement. Often the encryption used for mobile devices doesn't work with desktops, she says. "There's a lack of understanding of info security risk mitigation."
At many smaller organizations, encryption is neglected because of the lack of skills to implement the technology. But at larger entities, the oversight is often a result of the challenge of locating all their computing equipment, says Bill Miaoulis, founder of consulting firm HIPAA Security and Privacy Advisors in Birmingham, Ala. For many organizations of any size, it boils down to the willingness to gamble, he says. "There's still a lot of ignorance about the risks, the implications and the consequences."
Another related problem is that when encryption is implemented, it's not always done properly. "A lot of covered entities and business associates don't have anyone with true info security knowledge," Herold says. "IT people don't necessarily know how to implement encryption properly, and sometimes a little knowledge is dangerous."
Also, when resources are stretched, "companies don't want to do more than they think is necessary," she says.
In addition, the HIPAA Security Rule designates encryption as an "addressable" implementation specification, which means that if other reasonable and appropriate measures are taken and well-documented, encryption is not explicitly required. "Because it's not mandatory, many covered entities, as well as business associates, think encryption is optional," Herold says, especially if they implement other very basic security measures, such as password protection, which can prove insufficient.
'Defies Common Sense'
Besides the issue of the stolen Advocate computers being unencrypted, there are other problems potentially at hand in this incident, says security expert Mac McMillan, CEO of the consulting firm CynergisTek.
"I have to shake my head when I see 4 million patient records on desktops. It defies common sense and logic," he says. Besides the security and privacy risks of having that much unencrypted data possibly on desktops versus servers in a locked data center, there are other business and operational risks, including the possibility of that information not being properly backed up, he says.
Cost is another excuse many organizations give for not implementing encryption. Still, the expenses related to encryption pale in comparison with breach mitigation costs and HHS' Office for Civil Rights enforcement penalties, McMillan says.
"Frankly, I don't think [the practice of encryption] will happen at many organizations till OCR starts cracking down, and it starts costing them," McMillan says.
A lack of understanding and support from senior leadership is often a major reason proper security, including encryption, is not implemented, security experts say.
Herold suggests that if state attorneys general offices take a stricter stance on HIPAA compliance, including doing their own security and privacy audits in addition to HHS' random HIPAA security audits, more organizations would likely pay attention. "The odds of being audited go up if the state AGs start doing those," Herold says.
Finally, a more dramatic way to get covered entities and business associates to pay more attention to good security practices, such as encryption, is to make their senior executives liable. "Holding executives accountable, like they are under SOX [Sarbanes-Oxley], is one option," she says.