Townsend Security Data Privacy Blog

How Emory Healthcare Could Have Avoided A Data Breach Notification

Posted by Paul Taylor on Apr 23, 2012 10:17:00 AM

Breach Notification Safe-Harbor

PCI Compliance White Paper

Download the white paper "Achieve Safe-Harbor Status from HITECH Act Breach Notification" to learn more about encyption and key management best practices.

Click Here to Download Now

Data breaches in the medical industry are occurring at a greater rate now than ever before. Emory Healthcare recently experienced a significant PHI (Private Health Information) breach and has announced that approximately 315,000 medical records have gone missing.

Included among those records are those of the chief executive officer of the hospital, who has tried to calm public outcry by noting that, to his knowledge, none of the personal information had been used in attempts at identity theft. But the loss is significant because it violates patient privacy rights and could have been prevented if Emory Healthcare was properly encrypting the data.

In total, 10 backup discs for the hospital system have been gone from their storage facilities since mid-February. Within each record was a wealth of information, including patient names, Social Security numbers, and surgical procedures and dates.

Emory has said that it had strong policies in place to protect the personal information of patients. It also attributed the cause of the theft to an honest mistake made by an employee.  However, HIPAA states that an organization is responsible for a breach notification regardless of whether the data was “hacked” or just lost.

As part of their remediation plan, Emory is providing free resources to help patients combat and prevent identity theft. While Emory has said it is revisiting its policies and procedures to better protect patient information, it's unclear if they are making systemic changes that could protect patients even if data is stolen in the future. Regardless of what security measures they take to better protect patient information, the only way Emory -- or any other medical facility -- can guarantee patient information is safe and avoid a breach notification will be to protect it with encryption and key management.

If you are not familiar, AES encryption (the standard for Data at Rest) is a form of data protection that uses an algorithm to transform information in a way that makes it unreadable by other entities. AES encryption that is certified by the National Institute of Standards and Technology (NIST) is used to attain the highest levels of security. Encryption can't be ignored as a security measure.

The second part of the encryption process is managing the encryption key. Only by knowing the encryption key can that information be unlocked and read. When data such as patient information is encrypted with proper key management, it is safe from being compromised by hackers or other entities that steal the information. Without the encryption key, the data is worthless.

With breaches in the healthcare industry up 32% in the last year, it is more important than ever to be encrypting PHI.  Data breaches have dollars lost directly tied to each record lost.  Download our white paper “Achieve Safe-Harbor Status from HIPAA/HITECH Breach Notification” to learn more about how your organization can protect PHI with encryption and key management.

Click me

Topics: Data Privacy, HIPAA, Security News