Posted by: AllinHIT
Data privacy and security, Encryption, HIPAA, Thumb drives, USB
This week Australia selected Accenture as prime contractor, along with several subcontractors including Oracle and Orion Health, to develop Australia’s “Personally Controlled Electronic Health Record” or PCEHR. This PHR product will allow Australia’s 22 million citizens to access their medical records and to enter PHI manually, and the record will contain an audit trail of who has accessed it.
After reading about this effort, I was then reminded about one of my tweets last week declaring “unencrypted thumbs are dumb”, which I tweeted after hearing about the recent breach notification at St. Francis. Just by definition of this blog’s title, “unencrypted thumbs are dumb”, most will agree with that as a statement. However, due to the recent breaches involving thumbs, I thought a recap of these incidents could serve as another warning to hospitals and physicians.
St. Francis hospital, located in Wilmington, Delaware, notified over 400 maternity patients that their PHI from a prenatal study 10 years ago had been breached. A physician who was involved with the study discovered the breach after receiving a lost thumb drive in the mail from a stranger. This thumb drive held unencrypted PHI, so there was a high probability that the data had been read by others. Fortunately, the information did not contain personal, vital details like social security numbers, addresses, and phone numbers. However, it was still a violation that falls well within the “Harm Threshold” of HIPAA. This mishap, caused by a physician losing an unencrypted thumb drive, pales in comparison to what happened with the St. Barnabas hospital system in New Jersey last summer.
The information of over 3,600 patients was breached when an employee of KPMG, the large consulting firm, lost an unencrypted thumb drive belonging to St. Barnabas. Beyond the sheer number of patients involved and the fact that a vendor caused the breach, what makes this more shameful, or I should say dumb, is that the breach was not reported within the 60-day period HIPAA requires. Additionally, and how’s this for irony, KPMG holds a contract with HHS/Office of Civil Rights to perform HIPAA privacy and security compliance audits!
From these two recent examples, the message should be clear: encrypt your thumb drives if you are going to use them for PHI. There is plenty of software one can purchase that automatically encrypts files as they are copied from hospital computers to a thumb drive, so an unencrypted copy never leaves the building. The cost of purchasing this software is minimal compared to the cost of a breach. This is why I say “unencrypted thumbs are just plain dumb”!
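For a Windows hospital workstation, the built-in way to get the "automatic encryption" described above is BitLocker To Go. The script below is an added example, not something from the original post or from any of the vendors named in it: it audits every removable drive for BitLocker protection and enables it on any drive that is not compliant. It assumes the BitLocker PowerShell module is present (Windows 8 / Server 2012 and later) and an elevated shell; the function names are my own.

```powershell
# Added example: audit removable drives for BitLocker To Go and fix the
# unencrypted ones. Not part of the original post; function names are mine.
#Requires -RunAsAdministrator

function Get-RemovableDriveEncryptionReport {
    # Enumerate removable volumes that have a drive letter and look up their
    # BitLocker state. Anything not FullyEncrypted with protection On is the
    # "dumb thumb" the post warns about.
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object {
            $mount  = "$($_.DriveLetter):"
            $bl     = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
            $status = if ($bl) { [string]$bl.VolumeStatus }     else { 'Unknown' }
            $prot   = if ($bl) { [string]$bl.ProtectionStatus } else { 'Unknown' }
            [pscustomobject]@{
                MountPoint   = $mount
                Label        = $_.FileSystemLabel
                VolumeStatus = $status
                Protection   = $prot
                Compliant    = ($status -eq 'FullyEncrypted' -and $prot -eq 'On')
            }
        }
}

function Enable-RemovableDriveEncryption {
    param(
        [Parameter(Mandatory)] [string]       $MountPoint,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # The password unlocks the drive on any PC; the recovery password is the
    # break-glass key and should be escrowed (e.g. in AD) before the drive
    # leaves the building. XTS-AES-256 needs Windows 10 1511 or later.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -PasswordProtector -Password $Password -UsedSpaceOnly
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
}

# Report first, then remediate each non-compliant drive interactively.
$report = Get-RemovableDriveEncryptionReport
$report | Format-Table -AutoSize
foreach ($d in ($report | Where-Object { -not $_.Compliant })) {
    $pw = Read-Host -AsSecureString "Password to protect $($d.MountPoint)"
    Enable-RemovableDriveEncryption -MountPoint $d.MountPoint -Password $pw
}
```

The organisation-wide equivalent is the BitLocker To Go Group Policy setting "Deny write access to removable drives not protected by BitLocker", which blocks copying PHI to an unencrypted stick in the first place; this script is the per-machine check that the policy is actually taking effect.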