
QOTD on Patient Data

Patient information is like radioactive material [...] It must be protected. It must be contained. It cannot be taken out of the building, sent out of the building, or looked at inappropriately if the employee is not permitted to access it.

The problem is students and employees and younger folks coming into work think of Facebook and Twitter as something you do. Just as you shouldn't be saying anything about patients on the telephone, you shouldn't be Twittering or Facebooking about work.
-- Arthur R. Derse, MD, director of the Center for Bioethics and Medical Humanities at the Medical College of Wisconsin in Milwaukee

Src: Containing the Patient Privacy Breach | HealthLeadersMedia.com

QOTD - Liston on HHS Harm Threshold Loophole

Tom Liston, senior security consultant & malware analyst for Inguardians, comments on a recently announced loophole that allows HIPAA-covered entities to dispense with breach notification if the harm threshold is not met. The harm threshold is met if the breach poses "significant risk of financial, reputational or other harm to [an] individual."
Ok... let me get this straight: I screw up and let someone steal your data. Then *I* (an acknowledged screw-up) get to decide if my screw-up poses any harm to you!?!? What could possibly go wrong with that? Next up: rapists, murderers, and felons get to decide if they're ready to be released from prison...
Src: SANS NewsBites Vol 11 Num 74

QOTD on Data Handling

Commenting on a story in which Aberdeen Royal Infirmary lost a laptop containing almost 1,400 PII records, David Hoelzer, Director of Research & Principal Examiner for Enclave Forensics, wrote:
Somewhere in our information security program there needs to be an analysis of what data really needs to be where. The best way I've seen to do this is to develop a matrix-based policy that shows how each type of data may be handled. Something as simple as that should tell us very clearly that it's just never OK to have sensitive data of this level on a portable device. Organizations may consider selecting controls out of ISO-27000 that deal with management approval for movement of sensitive data.
Src: SANS NewsBites Vol 11 Num 33

HHS issues guidance on protecting PHI

The HITECH Act requires the US Department of Health and Human Services to provide guidance on the technologies and methodologies to protect "unsecured protected health information" (UPHI) by making it unusable, unreadable, or indecipherable to unauthorized individuals. By protecting UPHI, covered entities and their business associates can avoid the breach notification requirements of the Act.

The guidance document released on April 17, 2009, covers all data states, with all but the first requiring proper handling by encryption or destruction:
  • data in use: data in the process of being created, retrieved, updated, or deleted
  • data in motion: data that is moving through a network, including wireless transmission
  • data at rest: data that resides in databases, file systems, and other structured storage methods
  • disposed data: discarded paper records or recycled electronic media
For encryption, the document warns of the need to properly select the encryption algorithm and to properly secure the decryption key(s). For data at rest, the guidance refers to NIST 800-111; for data in motion, the guidance refers to FIPS 140-2 (including NIST 800-52, 800-77, or 800-113).
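The guidance's two encryption conditions, a sound algorithm and a decryption key that is kept away from the data, are easy to get half right. The following is an added example, written for this post and not taken from the HHS guidance or from NIST 800-111: each record is encrypted under its own data-encryption key (DEK), and the DEK is stored only in wrapped form under a key-encryption key (KEK) that lives elsewhere (here a constructed byte string standing in for a hypothetical key-management service). The record ID is bound as authenticated data so a ciphertext cannot be silently moved between records. It uses AES-256-GCM from Go's standard library; note that the plain Go crypto package is not itself a FIPS 140-2 validated module, so a covered entity would substitute a validated provider in production.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealedRecord is the only thing written to storage: the PHI ciphertext plus
// the per-record DEK wrapped under the KEK. The KEK itself never touches disk
// beside the data, so a stolen laptop or database dump holds no usable key.
type SealedRecord struct {
	WrappedDEK []byte // DEK encrypted with the KEK (GCM nonce prepended)
	Ciphertext []byte // PHI encrypted with the DEK (GCM nonce prepended)
}

// seal encrypts plaintext with AES-GCM under a 32-byte key. A fresh random
// nonce is prepended to the output; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to the blob, the key or the aad makes the
// GCM tag check fail and nothing is returned.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptRecord generates a fresh DEK for this record, encrypts the PHI under
// it, and wraps the DEK under the KEK. recordID is bound as AAD on both layers.
func EncryptRecord(kek []byte, recordID string, phi []byte) (*SealedRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(recordID))
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, phi, []byte(recordID))
	if err != nil {
		return nil, err
	}
	return &SealedRecord{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord needs the KEK (from the key service) to unwrap the DEK first;
// without it the stored blob is unreadable, which is the guidance's condition
// for the data to count as "secured".
func DecryptRecord(kek []byte, recordID string, rec *SealedRecord) ([]byte, error) {
	dek, err := open(kek, rec.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, rec.Ciphertext, []byte(recordID))
}

func main() {
	// Constructed sample KEK and PHI record; a real KEK comes from a key-management service.
	kek := make([]byte, 32)
	for i := range kek {
		kek[i] = byte(i)
	}
	rec, _ := EncryptRecord(kek, "mrn-000123", []byte("constructed sample: dx code, visit notes"))
	back, err := DecryptRecord(kek, "mrn-000123", rec)
	fmt.Printf("decrypted: %q, err=%v\n", back, err)
	_, err = DecryptRecord(kek, "mrn-000124", rec) // wrong record binding
	fmt.Println("swapped record id:", err)
}
```

The practical point is in what the stored blob contains: losing `SealedRecord` alone, as in the Aberdeen laptop case, exposes nothing unless the KEK was also on the device, and that is exactly the separation the guidance asks for when it says the decryption key must be properly secured.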

For destruction, the document states that electronic media must have been "cleared, purged, or destroyed" according to NIST 800-88 to prevent retrieval. For paper media, it should be shredded or destroyed such that it cannot be reconstructed.

Src: HHS Releases Guidance for Securing Health Information and Preventing Harm from Breaches