Encryption of patient data on hospital computers is now essential to protecting a hospital from legal and financial disaster, according to Robert Thibadeau, chief scientist for Wave Systems. A November study by non-profit organization Ponemon Institute reported that data breaches cost hospitals around $6 billion every year, and recent months have seen an onslaught of misplaced patient data across the country.
For example, a computer containing 500 surgical patients' medical records was stolen from Loma Linda (Calif.) University Medical Center in April, putting at risk information containing patient names, medical record numbers, diagnoses, surgery dates and procedure type. In July, back-up computer files containing personal, health and financial information on around 800,000 Weymouth, Mass.-based South Shore Hospital patients over the last 14 years were misplaced during a shipment to a data management company.
Here Mr. Thibadeau discusses the history of data protection regulations and several things hospitals can do to ensure safety of patient data.
History of data protection regulations
According to Mr. Thibadeau, "laptops have been disappearing [from hospitals] for many, many years, and before laptops, it was tapes falling off the back of trucks." He says because computer theft has been happening for so long, the legal profession has naturally tried to stimulate hospitals and medical providers to better protect patient information.
In 2003, California passed the country's first data breach notification law, requiring any entity that did business in the state and experienced a breach involving personal information of California residents to notify residents when their information was compromised. The idea provoked 46 other states to follow suit and pass their own laws over the next 7 years. Unfortunately for large health systems with patients and hospitals in many different states, the laws varied widely from state to state, differing in everything from "what counts as personal information, the nature of the notice you have to make and the fines that you have to pay if you don't notify anyone," Mr. Thibadeau says.
National standards for the protection of certain health information came with the Health Insurance Portability and Accountability Act of 1996. HIPAA brought Privacy Rule standards to address the use and disclosure of individuals' health information, as well as Security Rule standards specifying a series of administrative, physical and technical safeguards — including encryption — to assure the confidentiality, integrity and availability of electronic protected health information.
In Feb. 2010, the federal government passed a safe harbor law under HITECH that served as an extension to HIPAA and overrode all the state laws. The law basically states that if the data was encrypted when control over the patient information was lost, the hospital is protected through a safe harbor against lawsuits. The law applied retroactively to lost data and allowed lawyers across the country to file suit against hospitals and health systems that had misplaced unencrypted patient data.
"HIPAA required data encryption requirements, but it was HITECH that extended that to provide safe harbor for hospitals and healthcare organizations," said Mr. Thibadeau.
"HITECH specified what was meant and required for encryption, which HIPAA didn't do — and thereby caused the safe harbor idea to have more teeth."
In June 2010, according to Mr. Thibadeau, "the situation got worse for the hospitals. A second set of regulations came into play under HITECH that established hospital responsibility for patient data on a laptop belonging to a hospital contractor." So even if the hospital didn't own the laptop, the hospital was still responsible for encrypting the patient data on a contractor's laptop in case of theft.
The law separated patient data into three distinct groups: data in transit (meaning data being distributed over email), data in use (when the computer is powered on) and data at rest (when the computer is powered off). The regulations for data in transit and data in use are more ambiguous, Mr. Thibadeau says, while the language on data at rest is very clear-cut. Here he focuses on the actions hospitals can take to protect "data at rest" to prevent a lawsuit.
What hospitals can do to ensure protection of "data at rest"
According to Mr. Thibadeau, hospitals should take the following steps to ensure their patient data is secure and protect their organization from legal action:
1. IT management of data encryption. According to Mr. Thibadeau, hospitals are required to treat "data at rest" — that is, data on a computer that has been turned off — with guidance from NIST Special Publication 800-11. This guidance says hospitals must require IT staff to manage full disk encryption solutions, meaning everything on a computer's hard drive must be encrypted. The requirement for IT management means if a laptop goes missing and patient data is potentially exposed, IT management can testify that the data was encrypted at the time of loss.
IT management of encryption should also mean end users are unable to turn encryption off on their computers. "The lawyer will want to ask, 'Was the user able to turn the encryption off?', and if he wasn't, that's good," Mr. Thibadeau says. "Encryption has traditionally been a burden because it would slow down a user's machine and people would go and disable it, so central management has to put policies in place to enforce the ability to lock down encryption on a machine. It should only be modified by the IT department."
2. Purchase self-encrypting hard drives. According to Mr. Thibadeau, hospitals are now required to take responsibility for patient data on a contractor's laptop, meaning extra security precautions must be taken. "Several actions in the last few years have come in to make this simpler for hospitals that require outside contractors," Mr. Thibadeau says. "Now every manufacturer of hard drives makes self-encrypting drives that you can buy for all your machines. You can [and should] require your contractors to use them."
Self-encrypting hard drives provide stronger protection, but it takes time to transition an entire hospital, so Mr. Thibadeau recommends a replacement strategy of simply ensuring every new computer purchased contains hardware-based encryption. In the meantime, legacy equipment can be protected by traditional software encryption or more advanced solutions — like Microsoft BitLocker, which comes standard with most enterprise versions of Windows 7 and allows encryption keys to be stored within the computer’s TPM hardware security chip. "Be sure to start by giving self-encrypting drives to any mobile workers and contractors taking patient data outside the physical walls of the hospital," adds Mr. Thibadeau. "Protect the machines most vulnerable to loss or theft first."
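One way IT can produce the evidence step 1 calls for (that a given volume was fully encrypted, with protection active and the key sealed in the TPM, on a given date) is an inventory script run from central management against each Windows endpoint. The following PowerShell is an added example, not code from the article or from Wave Systems; it queries the Win32_EncryptableVolume and Win32_Tpm WMI classes that ship with BitLocker-capable editions of Windows 7 and later, and the evidence share path is a placeholder.

```powershell
# Added example: BitLocker/TPM evidence inventory for IT-managed full-disk encryption.
# Run elevated; the MicrosoftVolumeEncryption and MicrosoftTpm namespaces require it.
$protectionStatus = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }
$conversionStatus = @{ 0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress';
                       3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused' }
$protectorType    = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'NumericalPassword';
                       4 = 'TPM+PIN'; 5 = 'TPM+StartupKey'; 6 = 'TPM+PIN+StartupKey';
                       7 = 'PublicKey'; 8 = 'Passphrase' }

# TPM state: a volume key sealed to the TPM is what keeps the key off the drive itself.
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
$tpmReady = [bool]($tpm -and $tpm.IsEnabled().IsEnabled -and
                   $tpm.IsActivated().IsActivated -and $tpm.IsOwned().IsOwned)

$volumes = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume
$report = foreach ($vol in $volumes) {
    $prot = $vol.GetProtectionStatus().ProtectionStatus
    $conv = $vol.GetConversionStatus()
    $types = foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {
        $protectorType[[int]$vol.GetKeyProtectorType($id).KeyProtectorType]
    }
    # A volume that is fully encrypted but reports 'Unprotected' has had its protectors
    # suspended, so the volume key is stored in the clear: this is the "user turned it
    # off" case the article says central policy must prevent. The most severe finding wins.
    $finding = 'OK'
    if (-not $tpmReady)               { $finding = 'TPM-NOT-READY' }
    if ($prot -ne 1)                  { $finding = 'PROTECTION-SUSPENDED' }
    if ($conv.ConversionStatus -ne 1) { $finding = 'NOT-FULLY-ENCRYPTED' }
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Volume      = $vol.DriveLetter
        Protection  = $protectionStatus[[int]$prot]
        Conversion  = $conversionStatus[[int]$conv.ConversionStatus]
        PercentDone = $conv.EncryptionPercentage
        Protectors  = ($types -join ',')
        TpmReady    = $tpmReady
        Finding     = $finding
        CheckedUtc  = (Get-Date).ToUniversalTime().ToString('o')
    }
}
$report | Format-Table -AutoSize
# Archive centrally so IT can later show the volume was encrypted at the time of loss.
# \\EVIDENCE-SERVER\fde-inventory is a placeholder share, not a real path.
$report | Export-Csv -Path "\\EVIDENCE-SERVER\fde-inventory\$env:COMPUTERNAME.csv" -NoTypeInformation
```

Any row whose Finding is not OK is a machine where the safe harbor argument would be hard to make, so it should be remediated and re-checked before it leaves the building.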