Recently, a news bulletin in Health Data Management highlighted the point that many security experts are trying to make these days: Encryption is not always a "safe harbor." Ranbow Hospice and Palliative Care in Park Ridge, Illinois had an encrypted laptop stolen, but nonetheless publicly reported the breach to affected patients, local media, and the Department of Health and Human Services. Breached data that is encrypted need not be reported under the HITECH breach notification interim final rule, but a follow-up piece in Health Data Management sheds further light on why Rainbow Hospice had to issue notifications -- and why the human factor and training are important parts of any information security plan:
- According to the Health Data Management piece, the laptop's hard drive, with protected clinical and financial information on 999 patients, was encrypted and required two passwords to use the laptop, with one password decrypting data to make the database accessible. Encryption is turned off when the laptop is in use, and turns back on when the laptop is closed or powered down.
- The user was not paying close attention to the laptop, according to the article, and the laptop was turned on and open when it was stolen -- making the data accessible to the thief. User training to emphasize that a laptop should never be left unattended when on may have made notification unnecessary -- the nurse might have either powered down, or at least closed, the laptop and the data encryption behind two passwords would have been sufficient for Rainbow Hospice to avail itself of the encryption "safe harbor."
Lesson: Encryption is good. Training is better.