Though HIPAA and HITECH Act have been in effect for years now, there is still a lot of confusion around it, especially when it comes to data protection. One of the key areas of discussion has been – “Data at Rest”. For example, let us consider a situation at your hospital, where your doctor loses his thumb drive. What happens to the information stored in it? The HITECH Act states that all data at rest must be encrypted, which ensures that one cannot steal patient information from any data at rest.
Unauthorized Thumb Drive Violations at APDerm and DHHS
Recently at Adult & Pediatric Dermatology, P.C., of Concord, Massachusets (APDerm), an unencrypted thumb drive that had the electronic protected health information (ePHI) of approximately 2,200 patients was stolen resulting in huge data loss. As part of the forensic analysis, it was found that APDerm had not conducted thorough analysis of the potential risks and vulnerabilities to the confidentiality of the ePHI that had to be ideally done as part of effective security management. Secondly, they also weren’t fully comply with HIPAA’s requirements of the Breach Notification Rule, which meant they had to have written policies and procedures and trained workforce on the policies. This resulted in paying a settlement amount of $150,000 and also assuring corrective measures.
A similar incident happened sometime last year as well, where the Alaska Department of Health and Human Services (DHHS) had to pay the U.S. Department of Health and Human Services’ (HHS) $1.7 million to settle potential violations of the HIPAA Security Rule.
Proactive Risk Assessment
Let us explore the APDerm case a little further - In addition to a $150,000 resolution amount, the settlement included a corrective action plan that required APDerm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities and provide an implementation report to OCR.
Let us take another dimension to this story. Leave alone the need for encryption of data, why even allow unauthorized access of USB’s? If there was a USB Defender mechanism, the whole situation would have never happened. Isn’t it important to set-up USB access restrictions? It becomes more critical especially when the devices used are mass storage devices.
Tips to stay Secure
One need to remember that the loss of sensitive information is not only limited to emails and patient information, but also to the loss of:
Intellectual property data and Copy-Rights
Customer trust and Reputation
Deviation from compliance policies, and many more
There are few things that can be done to secure your data:
Take care in handling sensitive documents and make sure you destroy them when they are no longer needed.
Monitor connections of USB devices include mass storage devices, phones, and cameras on your workstation ports.
Monitor the log activity of all your enterprise workstations and USB endpoints. You can create a group of authorized users who can access the USB devices, and then set up rules in your SIEM in way that detaches unauthorized USB devices, the moment they are plugged in.
A typical USB defender mechanism checks the following:
Whether the device belongs to the defined group of authorized users
Execute the automated response by detaching it, if it is an unauthorized user
Stay alert, stay secure!!