Hospitals: Pretty please, with sugar on it, encrypt the data
Posted by Ed in Analysis on Jul 1, 2010

If you didn’t see it already, check out what happened to NY-based Lincoln Medical and Mental Health Center. If you don’t feel like reading the whole backstory, the deal is that they had to notify their patients – and the world at large – about the fact that they “lost” 130,000 records.
It’s sort of a worst-case scenario for everyone involved: not only did they disclose PII like SSN, DoB, etc. (useful for identity theft purposes), but they also disclosed diagnostic information (like who has what mental illness). From an impact perspective, this is probably in the top tier of stuff you don’t want to have happen – it’s the kind of thing that makes patients go somewhere else, makes physicians not want to be affiliated with your organization, and generates unwanted expenses (you ever calculate postage on 130,000 pieces of correspondence?)
But what’s interesting to me is the root cause: FedEx lost a package. It had nothing to do with any kind of attack on the medical center – someone just lost a package. And having interned doing shipping/receiving and sent quite a bit of stuff via FedEx, I can tell you – FedEx loses stuff all the time. I mean, not every day or anything, but frequently enough. Rough guess: maybe 1 in 10,000 packages? Anyway, it happens.
It’s interesting to me – most hospitals don’t encrypt data of this nature (like on backup tapes, CD exports, and so forth). Now, folks outside of healthcare tend to think that hospitals (as covered entities under HIPAA) are required to encrypt this kind of thing. But looking at the actual requirements, we realize that’s not exactly the case.
45 CFR § 164.312(e)(2)(ii) ["Encryption"] :
Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
45 CFR § 164.312(a)(2)(iv) ["Encryption and decryption"] :
Implement a mechanism to encrypt and decrypt electronic protected health information.
Taken out of context, it seems like they would need to encrypt. But practically nobody does. Why not? Because #1) both clauses are addressable, #2) 312(e) says “whenever deemed appropriate” – and most everybody doesn’t deem it appropriate, and #3) 312(a) doesn’t specifically mandate where the mechanism needs to be used, which gives organizations latitude to implement a mechanism like encrypted email and encrypt nothing else.
What’s my point? This could happen to any hospital – and the cost of encrypting CDs and backup tapes is minimal compared to the kind of fallout that something like this engenders. Much like Diana called out the lessons BP learned about DR, an ounce of prevention in this case could be worth the pound of cure.
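To show just how small that ounce of prevention is in code, here is an added example (mine, not from the original post or from the medical center) that seals an export with AES-GCM before it goes on the media: the key stays at the hospital and reaches the receiving site out of band, and the shipment’s manifest id is bound as associated data so the blob is useless on its own and refuses to open if it was swapped, truncated or corrupted in transit. The manifest id, the record format and the demo key are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealExport encrypts an export image (backup tape, CD export, DB dump) with
// AES-GCM. The key stays at the hospital; only the sealed blob goes on the media.
// manifestID (an assumed shipping-manifest id) is bound as associated data.
func SealExport(key []byte, manifestID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Layout: nonce || ciphertext || tag; the tag covers data and manifestID.
	return gcm.Seal(nonce, nonce, plaintext, []byte(manifestID)), nil
}

// OpenExport runs at the receiving site, which got the key out of band; a wrong key, another manifestID or any bit-flip yields an error.
func OpenExport(key []byte, manifestID string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short (%d bytes)", len(sealed))
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(manifestID))
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key; never ship it
	fmt.Println(SealExport(key, "MANIFEST-0001", []byte("MRN=12345;DX=F32.9")))
}
```

A lost package then exposes 12 random nonce bytes, ciphertext and a tag, and nothing about who has what diagnosis.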