
Loss of a Single Laptop Leads to $50k Fine Against Idaho Hospice

Posted by Unknown Lamer
from the sterm-talking-to dept.
netbuzz writes "Losing a single laptop containing sensitive personal information about 441 patients will cost a non-profit Idaho hospice center $50,000, marking the first such HIPAA-related penalty involving fewer than 500 data-breach victims. Yes, the data was not encrypted. 'This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information,' says the Department of Health and Human Services."

  • by kriston (7886) on Monday January 07, 2013 @09:16PM (#42513105) Homepage Journal

    This is why God invented encryption.

    • by Cryacin (657549) on Monday January 07, 2013 @09:27PM (#42513211)
      Ummmm, at least Christians would say you're idolizing the wrong J.C.

      http://voices.yahoo.com/basic-cryptology-caesars-encryption-method-5295779.html [yahoo.com]
    • Encryption is slow. If you have ever done healthcare data, there is just so much data that encryption can add hours to your tasks.
      Combined with the fact that health care organizations are just starting to invest in skilled workers, but are still dominated by a bunch of people who worked their way into IT: they were in accounting or in billing and got transferred to IT 20 years ago.
      These self-taught people have worked in the institution so long they really don't know how to think in terms of security. They bitch

      • by Lumpy (12016)

        Sounds great.

        but you forgot to send the memo to management to double IT workers' salaries so they can attract competent people. Around here Medical IT staff get less than $21 an hour. You need to be paying $26-$31 to start to attract the competent people.

      • Encryption is slow. If you have ever done healthcare data, there is just so much data that encryption can add hours to your tasks.

        No excuse. I deal with tons of data and by federal directive my laptop must have full disk encryption. It took 5 days to completely encrypt my laptop but now that it is encrypted, it has not added "hours" to my tasks. In fact it is barely noticeable. You do not have to have the data stored on your laptop either, you could have remote access to patient records.

        Combined with the fa

        • by pnutjam (523990)
          For every organization that hires competent IT people at a fair wage, there are 2 that try to scrape the bottom of the barrel by paying an insulting wage and 2 that are clueless and have a nephew or the old secretary running IT.
          This applies inside healthcare and out. Hospitals usually hire good people in my experience.
      • by kriston (7886)

        This is just not true. I had a three-year-old laptop converted to full hard disk encryption and the change was not noticeable. Most CPUs now have hardware encryption acceleration, and those that don't have it already have fast enough math processors to handle the encryption.

        I should mention that in the federal space there are new "data at rest" security requirements and many of the databases in use today are already encrypted on disk.

      • Encryption is slow. If you have ever done healthcare data, there is just so much data that encryption can add hours to your tasks.

        Yeah, I work with plenty of healthcare data, and every computer in my organization uses full-disk encryption, plus all our communications channels that handle healthcare data moving to or from the outside world are also encrypted. The encryption doesn't add noticeable time to tasks.

      • by mcgrew (92797) *

        All good reasons, but they aren't excuses. If you can't follow the regulations, get out of the business.

  • by gweihir (88907) on Monday January 07, 2013 @09:21PM (#42513151)

    Yes, it is tragic, but effective encryption is free (TrueCrypt, e.g.) and a non-profit still does not have any business being incompetent.

    • While not free, a much simpler option for the end-user would be to purchase a laptop with drive encryption available out of the box. Windows 7 Ultimate/Enterprise and Mac OSX respectively. Both can provide end-user support over the phone in the event of needing to recover data (OEM and Apple support). That phone call could make this the most important decision ever made. And to go a step further, you can use an online backup solution such as Mozy and backup to the cloud (both client connection and back-end

      • by gweihir (88907)

        While not free, a much simpler option for the end-user would be to purchase a laptop with drive encryption available out of the box. Windows 7 Ultimate/Enterprise and Mac OSX respectively. Both can provide end-user support over the phone in the event of needing to recover data (OEM and Apple support). That phone call could make this the most important decision ever made. And to go a step further, you can use an online backup solution such as Mozy and backup to the cloud (both client connection and back-end storage resides in an encrypted state).

        Now, you may say this is expensive. But the cost of paying the fine is much higher. It's also more expensive to society as a whole when sensitive information gets shat all over the internet. I can't speak for everyone, but I know I don't want my stuff out there.

        This is exactly the point. Whoever you are, if you deal with medical data, it must be more expensive for you to mess up than to do things right.

    • by Kaenneth (82978) on Monday January 07, 2013 @10:02PM (#42513613) Homepage Journal

      Question: is there a difference between 'effective' encryption, and 'HIPAA Approved' encryption?

      From a legal standpoint, would cheap/free encryption like Truecrypt/PGP be acceptable, or do you need HIPAA certified encryption with enterprise key management, etc. for $1000 a seat?

      What stops your medical records being 'encrypted' with ROT13?

      • by Anonymous Coward on Monday January 07, 2013 @10:09PM (#42513691)

        Question: is there a difference between 'effective' encryption, and 'HIPAA Approved' encryption?

        Yes, HIPAA stipulates that it must be FIPS-accredited. AES-encrypted zip files are acceptable; the older standard of zip file encryption (whatever that was) isn't.

        What stops your medical records being 'encrypted' with ROT13?

        The above.

        • by Guido69 (513067) on Monday January 07, 2013 @10:18PM (#42513785) Homepage
          FIPS 140-2 to be more specific. There are plenty of free options.
          • by adolf (21054)

            FIPS 140-2 to be more specific. There are plenty of free options.

            Are there? Last time I looked into FIPS 140, it was the case that only certain software versions were validated by NIST, and none of the validated incarnations were either free-beer or free-libre.

            Even the folks behind TrueCrypt say, "To our best knowledge, TrueCrypt complies with the following standards, specifications, and recommendations..." [truecrypt.org], before failing to mention FIPS 140 at all.

            Indeed, looking again at the list of validated FIPS 140 wares [nist.gov],

            • by tlhIngan (30335)

              Last time I looked into FIPS 140, it was the case that only certain software versions were validated by NIST

              As a standard, it must do this, because it's possible for a version of software to have fatal bugs in it. Like, say, a fatal OpenSSL bug in Debian that used to pass through valgrind. That would mean that one cannot certify those versions, but ones that were fixed can then be submitted for certification.

              And it's possible that TrueCrypt may be certified, but someone makes an error and version +1 now doesn't m

            • by JDisk (82627)

              FIPS 140-2 to be more specific. There are plenty of free options.

              Are there? Last time I looked into FIPS 140, it was the case that only certain software versions were validated by NIST, and none of the validated incarnations were either free-beer or free-libre.

              Crypto++ is free and open source and FIPS 140-2 validated [nist.gov]

            • by Fancia (710007)
              OpenSSL is certified (entry 1747 on that page, "OpenSSL FIPS Object Module"), and they ship a FIPS-specific tool [openssl.org].
            • FIPS 140-2 to be more specific. There are plenty of free options.

              Are there? Last time I looked into FIPS 140, it was the case that only certain software versions were validated by NIST, and none of the validated incarnations were either free-beer or free-libre.

              Well, first off, FIPS 140-2 is only specified as part of the requirement for data to be considered "secured" for data in motion under HIPAA (not data at rest, which is where FDE comes into play.) Second, where FIPS 140-2 is relevant (data in motion

          • by gweihir (88907)

            There are exactly zero FIPS 140-2 software encryption products, as this level requires hardware. Even FIPS 140-1 is problematic, as it only applies to the specific software version you certified. Need a security update? Too bad, the certification is gone.

            FIPS is basically worthless, as it ignores the real world.

            • There are exactly zero FIPS 140-2 software encryption products, as this level requires hardware.

              HIPAA doesn't require a FIPS 140-2 validated product, it requires that, for data in motion, the encryption method is consistent with FIPS 140-2, and it specifically includes anything consistent with NIST SPs 800-52, 800-77, and 800-113. For data at rest -- which is what the issue is here with, e.g., Full Disk Encryption -- FIPS 140-2 isn't even discussed; the requirement is that the method be consistent with NIS

          • FIPS 140-2 to be more specific

            More specific, but not necessarily accurate. FIPS 140-2 is the requirement for data "in motion" (being transmitted via some communication channel.) The requirements for encryption to be sufficient to not leave the data covered by it "unsecured" under HIPAA are methods consistent with NIST Special Publication 800–111, Guide to Storage Encryption Technologies for End User Devices [nist.gov].

        • by Jawnn (445279)

          Question: is there a difference between 'effective' encryption, and 'HIPAA Approved' encryption?

          Yes, HIPAA stipulates that it must be FIPS-accredited.

          [citation needed]
          HIPAA regulations do not specify what is or is not "approved". They provide guidelines, among which is an obtuse reference to NIST.

      • by gweihir (88907)

        While I do not know the legal angle, TrueCrypt is effective in so far that any reasonably competent expert will testify to it being so. ROT13 can be broken in a fully automatic way even if you do not know it is ROT13. That disqualifies it from being "effective", again to be demonstrated by expert testimony.

        I doubt HIPAA can require specific encryption. I rather think that they have to show whatever you use is ineffective when you contest the fine. Of course, with "no encryption", they do not have to show an

      • by Jawnn (445279)

        Question: is there a difference between 'effective' encryption, and 'HIPAA Approved' encryption?

        From a legal standpoint, would cheap/free encryption like Truecrypt/PGP be acceptable, or do you need HIPAA certified encryption with enterprise key management, etc. for $1000 a seat?

        What stops your medical records being 'encrypted' with ROT13?

        TrueCrypt would indeed have allowed the hospice to invoke "safe harbor" by pointing out the loss of an encrypted drive does not constitute a "release" of EPHI.

    • It's not free to implement, support, and manage. Throwing out terms like 'incompetent' doesn't address this problem.
  • by Anonymous Coward on Monday January 07, 2013 @09:25PM (#42513195)

    ...what govt penalizers do best: pick on those least capable of defending themselves... in other words go after the low hanging fruit and don't bother with the really hard stuff like rich, for-profit hospitals and clinics that routinely violate HIPAA... because those have armies of high-dollar lawyers who'll make life hard on the govt if they attempt to go after them.

    • by Cryacin (657549) on Monday January 07, 2013 @09:28PM (#42513225)
      Yeah, bunch of HIPAA-crits
    • by icebike (68054)

      Exactly.

      Any large hospital would have fought this out in court and prevailed.
      Banks, State Agencies, Military, Doctors and Clinics all over the country have data losses all the time, but nobody gets fined. Because they all have insurance and lawyers.
      But find one little agency, whose patients never live long enough to sue them and who therefore don't need to retain a huge legal staff, and BAM, sue them into the ground.

      • by Lehk228 (705449)
        I fully agree that we need more funding for enforcement of HIPAA violations, however the likelihood of securing such funding now is fairly low, and even if the money could be scrounged up there are other things that need the money more.
      • Re: (Score:2, Informative)

        by Anonymous Coward

        Banks, State Agencies, Military, Doctors and Clinics all over the country have data losses all the time, but
        nobody gets fined. Because they all have insurance and lawyers.

        Nobody gets fined? Are you kidding? Large organizations get fined all [hhs.gov] the [hhs.gov] time [hhs.gov], often for amounts of money that aren't measured in "K". It is, by the way, the reason that said organizations have insurance. And lawyers. This one is making the news precisely because it's a small organization and a small data breach.

      • Any large hospital would have fought this out in court and prevailed.

        You mean, like the $1 million settlement Massachusetts General made in 2011 for HIPAA violations?

        Banks, State Agencies, Military, Doctors and Clinics all over the country have data losses all the time, but nobody gets fined.

        Banks aren't covered by HIPAA. Most doctors and clinics are small-entities, and this case was noted as being the first significant penalty for a small entity under HIPAA. Cignet -- a big insurer -- paid a $4.3 mil

    • by wmelnick (411371)
      BS - They have already gone after Blue Cross/Blue Shield and many large practices. There have been multi-million dollar settlements. This was a warning shot to smaller providers that they have to keep their patients' data safe too because many are too lazy to do so.
      • by stormpunk (515019)

        It took years before there were any fines. The BCBS fine of $1.5m was for 1m records. The only warning that says is that it is cheaper to ignore the regulations than do anything about it.
        Also, if you're going to lose records then lose big and you get a discount. It cost the hospice over $100 per record and BCBS $1.50. There does appear to be something to the statement that larger agencies have less to worry about.

    • by c0lo (1497653)

      ...what govt penalizers do best: pick on those least capable of defending themselves...

      Why, that's a brilliant example of high moral values: why waste the citizens' tax money on those that can do more than defend themselves (like: call someone to just... you know? incidentally mention... they'll deduct the fine from the next electoral donation round)?!

      (ducks)

  • by Anonymous Coward on Monday January 07, 2013 @09:44PM (#42513415)

    Require the people in charge of an organization to store THEIR personal data in any such repository. Then maybe they'd have more incentive to make sure it gets PROPERLY encrypted.

  • by Kwyj1b0 (2757125) on Monday January 07, 2013 @09:48PM (#42513473)

    At a university where I work, there is a requirement that any project involving storing personal data must go through several periodic reviews and has to meet some strict requirements - encryption is a must (without it, the project won't even get off the ground). I'd be very surprised if there are no regulations dictating how hospitals must store and protect data.

    I read TFA, but I couldn't see whether such requirements are a must for hospices. Did they just go ahead and ignore the requirements? In which case, the fine is too small. Or are there no regulations for healthcare industry (I'd find that very surprising)? Can someone more knowledgeable tell me if this was negligence or outright violation of protocol?

    • In Washington, many health providers are barely regulated (see the Seattle Times' [seattletimes.com] report Seniors for Sale [nwsource.com]). The state regulator, DSHS, is notoriously incompetent and hasn't been nationally accredited since at least 2001 [seattletimes.com]. I imagine most of the oversight comes from the feds, who are pretty overworked. Skylar
  • by rudy_wayne (414635) on Monday January 07, 2013 @09:58PM (#42513575)

    Every time I see one of these stories I wonder about the same thing. Why is sensitive patient information on a laptop in the first place, and why is that laptop leaving the hospital?

    If you are a business executive, I can understand that you would be carrying a laptop which contains emails and other documents. But I cannot think of a single good reason (GOOD REASON) why a hospital's patient information would ever need to be stored on a laptop. Seriously, if you have employees carrying around laptops loaded with patient information, you're doing it wrong.

  • What a Joke (Score:5, Interesting)

    by Charliemopps (1157495) on Monday January 07, 2013 @10:01PM (#42513605)

    Having worked on many projects involving various levels of government regulation and compliance, and seeing all the different facets of security and what-not, I can state for a fact that a case like this will be looked at like "It was only a $50k fine? This security hardening project is costing us well over $200k and we still might have a breach that would lead to such a fine. Why are we even bothering?"

    We had a project that was basically just a fuzzy match for numbers that looked like credit card or social security numbers and delete them if it found them, just in case they got into a part of the database they shouldn't (like a customer stuck their social security number into their address, and yes, it's happened before). That project cost us $22,000. It ended up being a single line of SQL that ran as part of a service every hour. $50k is laughable. Security breaches like this should nearly bankrupt a company, there is no other way they'll be taken seriously. I'm involved in 5 different projects right now, each of them billing out at over $100k each, 3 of them revolve around privacy issues and government compliance. The fines issued for such breaches aren't even in our paperwork as a concern. The cost of a breach in regards to public image however has a very specific, very large number near the top of the chart. But we're in a business where people are paying attention to such things. These fines should START in the millions because preventing them costs in the hundreds of thousands of dollars.
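
The hourly "fuzzy match for numbers that look like credit card or social security numbers" described above, as an added illustration (not the poster's SQL, which is not shown): a Python sweep over constructed sample rows that flags SSN-shaped values and Luhn-valid card-shaped values in a free-text field, and redacts the value rather than deleting the row so the rest of the record survives for review. The regexes, the Luhn check and the sample rows are my own assumptions.

```python
import re

# Constructed sample rows (not real data): free-text fields into which a user
# might have pasted an SSN or a card number by mistake.
SAMPLE_ROWS = [
    {"id": 1, "address": "12 Main St, Boise ID 83702"},
    {"id": 2, "address": "SSN 123-45-6789, 4 Elm Ave"},
    {"id": 3, "address": "card 4111 1111 1111 1111 apt 3"},
    {"id": 4, "address": "order 1234 5678 9012 3456"},  # 16 digits but fails Luhn
    {"id": 5, "address": "phone 208-555-0100"},          # 3-3-4 shape, not an SSN
]

# SSN shape 123-45-6789; the lookaheads reject area/group/serial values never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits with optional single spaces or hyphens between them.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; it weeds out order numbers
    and other long digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list:
    """Return (kind, matched_text) for every SSN- or card-shaped value in text."""
    hits = [("ssn", m.group(0)) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("card", m.group(0)))
    return hits


def redact(text: str) -> str:
    """Replace each hit with a placeholder; the surrounding record is kept."""
    for kind, value in find_pii(text):
        text = text.replace(value, f"[REDACTED-{kind.upper()}]")
    return text


def scan_rows(rows, field: str) -> list:
    """The hourly sweep: (row id, kind, value) for every flagged field."""
    found = []
    for row in rows:
        for kind, value in find_pii(row[field]):
            found.append((row["id"], kind, value))
    return found


if __name__ == "__main__":
    for row_id, kind, value in scan_rows(SAMPLE_ROWS, "address"):
        print(f"row {row_id}: {kind} {value!r} -> {redact(value)}")
```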

    • by Guido69 (513067) on Monday January 07, 2013 @10:24PM (#42513829) Homepage
      If you've seriously got a viable business model where encrypting a single laptop can bring in $N00k, please let me know.
      • We don't encrypt laptops. We don't allow sensitive data on laptops... or desktops for that matter. If you want access to that sort of thing, you need to VPN in and log onto a Virtual machine... that virtual machine is then wiped as soon as you log off. We don't have to worry about the user end of the session at all.

    • I'm trying to wrap my head around how you went from

      1. Recognizing the risk
      2. Spending 22k
      3. And ending up with 1 line of code for it.

      I mean, at what point in that expenditure was that line of code developed? That 1 line of code obviously includes a search string for the databases, and a command to delete them. How was that not obvious to implement?

      • For what it's worth that's actually not a whole lot of money depending on the development practices of the organization.

        * Cost of resources used (PCs, software, servers, etc.)
        * Development, QA, Lifecycle
        * Project Managers, Managers, Business Analysts, Developer
      • You vastly underestimate the size and complexity of our systems. It does not start with "Recognize risk" it starts with "Risk discovery" which is a very complex process. We're talking rooms full of people with very boring flowcharts. If you just wait for risk to "pop up" before you fix it, you've already got a breach.

    • Re:What a Joke (Score:4, Interesting)

      by jklovanc (1603149) on Tuesday January 08, 2013 @12:51AM (#42514913)

      Perhaps the fine was sized to cause pain to the organization and not kill it. Everyone makes mistakes and there are consequences but those consequences should not be fatal. Now if it happened a second time the fines should be much larger. A third time should bankrupt the company.

  • by bradorsomething (527297) on Monday January 07, 2013 @10:16PM (#42513765)
    When you lose one laptop worth of patient data, don't tell anybody.
    • If the information in any laptop (or desktop) could be worth tens of thousands in fines we might just see an increase in health care thefts and blackmail. Cheaper to pay to get the laptop back than to pay the fine if the data goes public.

  • by markdavis (642305) on Monday January 07, 2013 @11:42PM (#42514421)

    I love all the immediate "encrypt it" comments. Yes, that would be helpful, but the bigger question to ask is:

    "Why would such data be copied onto a laptop in the first place?"

    We keep hearing stuff like lost laptops and flash drives over and over. The reality is that sensitive data like this shouldn't be on those devices in the first place. One would think it would be accessed only on secure servers through approved clients and methods. Most facilities' HIPAA guidelines specifically forbid copying such information off the servers in the first place (except by I.T. for backup) regardless of whether it is encrypted or not. Seems like employees in the organizations just ignore that.

    Encryption can be broken.

    • How do you propose we handle this?

      If it's a web application it's reasonable to assume that browser caching would cache certain data on the hard drive. Even "clearing cache" would only delete the headers and not securely delete all of the data. With IE, you can enforce a GPO that tells the browser not to cache data retrieved over HTTPS ; but this is assuming that HTTPS is used for internally connected systems (often times they're not), and it assumes the user is using Windows in an Active Directory environme
  • This is just a case of following the good old, tried and true tax department/RIAA solution. You go after the small, weak, vulnerable targets. The big ones are likely to defend themselves with armies of lawyers and keep your sorry ass in court for the next hundred years.

    Basically, it's much easier and safer to kick a dog with no teeth.

  • If there is a definition of cloud computing, it's the abstraction of administration. Managers at a hospice in Idaho are not qualified to make IT decisions about encryption. Even Microsoft's cloud is more secure than what they can put together : ) Combine bio-authentication with a website white list and you eliminate all passive/opportunistic attacks.

    • Cloud computing needs a good data plan and coverage. Based on needs and how the cloud is set up (something on live like) it will need a lot more than a 5GB cap, and say $10 a gig after 5GB can add up very fast.

    • If there is a definition of cloud computing, it's the abstraction of administration. Managers at a hospice in Idaho are not qualified to make IT decisions about encryption. Even Microsoft's cloud is more secure than what they can put together : ) Combine bio-authentication with a website white list and you eliminate all passive/opportunistic attacks.

      But until Microsoft, Google, Apple, or any other cloud server encrypts all information transfer and signs HIPAA agreement forms, nobody can put their information on them. There are such services out there, but AFAIK, the easy solutions are not signing those forms which every management in a HIPAA covered enterprise should know.

  • Any HIPAA audit would have found just that deficiency.

  • Shit software (Score:5, Interesting)

    by Jarno Hams (1362467) on Tuesday January 08, 2013 @04:52AM (#42516027)
    I am going to assume the hospice is in a similar boat we are... and I will explain how it's not as simple as the wand wavers above try to make it sound. I'm essentially the brat mentioned above. Small practice with about 7 providers and about 50 machines... probably 50/50 desktops and laps. We use a shitbox EHR that was shoved down our throats because our old vendor sold the code to the highest bidder to acquire clients. Me and 3,000 other clients are stuck with a "new" shit product, $100,000 in debt and India to call for "support". We don't have $22k for one line of SQL code.

    The EHR requires local users to be admins. Mind blowing. A GPO restriction against data to the local renders the box useless. No matter how many learning moments, hand slaps and write-ups you have, users will never understand the difference between My Documents and the shared network drive where stuff is supposed to go. Ironically doctors are the worst.

    I wrote hundreds of pages of HIPAA policy and then tried to figure out how to encrypt and secure 50 XP machines running on aging Dell 2350's/3000's and D510's. The state HIPAA auditor says we need essentially another $100,000 worth of new stuff and encryption. There is zero IT budget. I just yanked all the drives and am PXE booting Thinstation to a terminal session. In the follow-up, the auditor agreed it satisfies the encryption issue 100%, and she had never heard of that or seen it done but applauded me.

    There are thousands of offices just like me who have no budget and are already drowning in debt from the non-free software rapists. The number one argument you will get from the business owners is no budget. Dwindling reimbursements coupled with exponentially expensive responsibilities like this article make for a rough combo. I feel bad for the chaps in bumblefuck Idaho. They are probably barely scraping by, then this...

    I'd pitch the same solution I used that passed the HIPAA audit to any of these other offices out there you might find who need help but can't afford anything else. Pass it on. /$.02
  • About time people faced some real consequences for this sort of action. It's a shame (but not unexpected) that they picked on a hospice to make the example, rather than say a large corporation, but the principle stands. If you don't encrypt private, confidential data you should be held accountable. No more plain text passwords in database tables, no more unencrypted personally identifiable information on removable/portable devices (or in database files for that matter). No excuses.

  • with nobody held accountable.

  • The health care sector loses information all the time. Over the last 15 years, two hospitals have managed to lose 5 MRI tests and 1 EEG test, digital and paper copy. I really don't trust the "security" in place with the health care sector at all.
  • Fines are issued by independent courts. When some random government department demands money from you, your response should be "make me".
