Increasingly, data breaches are in the news. Reports of stolen desktops, lost jump drives, and misplaced laptops seem to show up constantly. If it seems that you are now hearing more about breaches than in years past, you are correct, and the HITECH Act is probably the major reason.
One component of the privacy/security provisions of HITECH is the interim final rule, Breach Notification for Unsecured Protected Health Information. A breach is defined as:
…the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information.
If a breach occurs, and it affects more than 500 individuals, the following requirements must be met.
- Each person affected must be notified in writing
- Media in areas where affected individuals reside must be notified (usually by press release)
- Within 60 days, HHS must be notified by submitting a breach report form
Breaches affecting fewer than 500 individuals require only that each person be notified and that HHS receive annual notification of such occurrences.
Dealing with breaches is a messy business. It means a place on the HHS wall of shame, and in most states, there may be additional requirements such as paying the costs for identity theft protection. Of course, there is always the possibility that those affected will hire lawyers. The unfortunate thing about most breaches is that they can be easily avoided. The key is the word unsecured. Only unsecured data are subject to these rules. HHS offers this guidance on the meaning of the term unsecured:
Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance.
Trouble from lost or stolen devices ensues when the data on them can be read by anyone. If the information on the device is unreadable or otherwise unusable, no breach has occurred. The easiest way to make data on a device unreadable/unusable is encryption.
Encryption is the process of using an algorithm to transform a file or document into an unreadable form. In order to return the file or document to a readable state, a key is required. A key is a piece of information used by the algorithm to produce the encrypted form of the file or document. Keys are usually generated by the software that performs the encryption. Once encrypted, a file cannot be returned to its original form without the key used to encrypt it. If the key is lost, the file is unrecoverable, forever.
Information may be encrypted when at rest and/or while in transit. Information on a hard drive is an example of data at rest. Information sent from a web browser to a server or from one computer to another on a network are examples of data in transit. A common example of encryption use during transit is Secure Sockets Layer (SSL). When you see the little lock symbol in the browser when entering credit card or other sensitive data, it means the information is being encrypted for transmission over the Internet.
Encryption of data at rest could have prevented many of the data breaches that have made the news in recent years. There are many commercial and open source encryption programs available. TrueCrypt is an open-source software package with a good reputation that can be used on Macintosh, Windows, and Linux systems. It provides access to a range of encryption algorithms. If you use encryption software, please keep your keys in a safe place. Remember, if the key is lost, the information is toast.
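The point about keys, shown as an added example that is not part of the original article: it encrypts a constructed sample record with the `openssl` command-line tool (assumed installed, version 1.1.1 or later for `-pbkdf2`) and checks that only the original key file recovers it. The file names, record contents, and function names are made up for the illustration.

```shell
#!/bin/sh
# Added example: encrypt a file at rest with a random key, then show that
# only that key recovers it. All file names and contents are constructed.

# make_key KEYFILE: write a random 256-bit key, readable only by its owner.
make_key() {
    (umask 077 && openssl rand -hex 32 > "$1")
}

# encrypt_file KEYFILE PLAINTEXT CIPHERTEXT
encrypt_file() {
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$1" -in "$2" -out "$3"
}

# decrypt_file KEYFILE CIPHERTEXT OUTPUT (non-zero exit on failure)
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$1" -in "$2" -out "$3" 2>/dev/null
}

# key_recovers KEYFILE CIPHERTEXT ORIGINAL
# Succeeds only if decrypting with KEYFILE reproduces ORIGINAL byte for byte.
key_recovers() {
    out=$(mktemp) || return 2
    if decrypt_file "$1" "$2" "$out" && cmp -s "$out" "$3"; then rc=0; else rc=1; fi
    rm -f "$out"
    return "$rc"
}

# demo: returns 0 when the right key recovers the record and another key does not.
demo() {
    dir=$(mktemp -d) || return 2
    printf 'MRN 000000, Jane Doe, constructed sample record\n' > "$dir/record.txt"
    make_key "$dir/right.key"
    make_key "$dir/other.key"      # stands in for "the original key was lost"
    encrypt_file "$dir/right.key" "$dir/record.txt" "$dir/record.enc"
    status=0
    key_recovers "$dir/right.key" "$dir/record.enc" "$dir/record.txt" \
        && echo "right key: recovered" || status=1
    key_recovers "$dir/other.key" "$dir/record.enc" "$dir/record.txt" \
        && status=1 || echo "other key: not recovered"
    # The stored ciphertext must not contain the readable record.
    if grep -q 'Jane Doe' "$dir/record.enc"; then status=1; fi
    rm -rf "$dir"
    return "$status"
}

demo
```

`openssl enc` in this mode provides confidentiality only and is used here to make the key dependence visible; it is not a substitute for a full-disk or volume encryption product on a laptop or jump drive.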
Reportable data breaches occur when unsecured PHI is accessed or otherwise compromised. Routine encryption of information on laptops, desktops, jump drives, and other devices could be the difference between a good night’s rest and an unwelcome starring role on the evening news.