Why Will Your Organization be on the HHS Wall of Shame?
Guest Blog Presented By:
Business Technology Officer
Alvaka Networks, Inc.
The drumbeat of HIPAA breaches in the media is incessant, and the refrain is the same: yet another PC containing ePHI is stolen, so the organization is compelled to notify patients, HHS, and the media. The HHS Office for Civil Rights (OCR) swoops in, levies a fine that can run to seven figures, and posts the offender on the HHS “Wall of Shame”, the public list of breaches affecting 500 or more individuals, resulting in a damaged reputation and loss of future earnings.
Ironically, had the PC’s hard-drive been encrypted, the loss would have been a non-event: under the Safe Harbor provisions of HIPAA, ePHI encrypted in line with HHS guidance is not “unsecured”, so its loss is not reportable, provided the encryption key was not lost or exposed along with the device. And inexpensive encryption technology has been readily available for years, including the full-disk encryption built into the mainstream desktop operating systems. Yet 538, or 46%, of the 1,171 Breach Notifications posted on the Wall of Shame stem from the simple loss of a computer with an unencrypted hard-drive.
So, if the fix for the deficiency behind nearly half of all HIPAA Breach Notifications is so obvious, why don’t more organizations properly encrypt and protect the ePHI entrusted to them? Here are the six most common reasons we discover during our risk assessments:
- Denial and Procrastination – Despite the fact that 538 Breach Notifications across the nation stem from the loss of an unencrypted computer, some organizations simply assume the risk of loss is too small to justify the cost and effort to encrypt them. They may not understand that encryption can provide Safe Harbor from Breach Notification. Or they are so overwhelmed with all of the various requirements that they don’t realize there is effective action they can take to mitigate risk of non-compliance. Other healthcare organizations have understood for years the need to encrypt ePHI, and intended to do so, but for various reasons many don’t get around to taking the first step towards encryption.
- Premature Attestation – Sometimes an organization will confidently assert, “We are encrypting ePHI”, when it really would be more accurate to say, “One of our staff is contemplating how we might encrypt ePHI at some unspecified date in the future”. Those who accept assurances of encryption without inspecting evidence in the form of current compliance reports can be in for a rude awakening, in the form of Willful Neglect sanctions in the event of a Breach.
- Technical Complexity and Risk – The concept of hard-drive encryption is easy to understand, but challenging to implement. The devil is in the details: hard-drive encryption is more invasive to install than a typical software application, because the initial conversion rewrites every sector of the drive, and a failure or interruption part way through can leave the drive unreadable. Production workstations are often not backed up, so an encryption failure results in unrecoverable data loss. Often there is no accurate inventory of PCs and laptops, much less a centralized means of managing and deploying software to them. The encryption software may conflict with the operating systems and applications running on the systems. Systems are typically not standardized, so a successful test on one system does not guarantee success on all the others. Some may be unstable, infected with malware, and so on. The initial deployment is challenging and can lead to incomplete or failed deployments.
- Incomplete and Failed Deployments – Some have attempted to implement hard-drive encryption, only to encounter technical obstacles that stalled the deployment. Some simply don’t have an accurate inventory of the assets to be encrypted. Finally, they may have encrypted their workstation hard-drives in the past, but have no process to keep the encryption current, so as encryption fails and workstations are replaced, unprotected ePHI proliferates.
- Lack of On-Going Management – Unlike some software, hard-drive encryption is not a “set it and forget it” program. The encryption needs to be monitored and maintained on an on-going basis. As workstations fail and are replaced, the replacements must be encrypted before they are placed into production. There is also an on-going compliance reporting task: to receive Safe Harbor protection from Breach Notification, the organization must be able to demonstrate that a missing asset was encrypted at the time of loss, which means retaining dated evidence of each device’s encryption state and of the custody of its keys, not just a deployment record from years earlier. Many organizations do not have the internal resources and processes in place to perform these on-going management tasks.
- IT Resistance – The running joke is that IT people fall into two camps: those who hate encryption, and those who have no encryption experience. Because hard-drive encryption adds a layer of complexity, risk, and effort to the on-going management of PCs and laptops, resource-constrained IT organizations are reluctant to deploy and support it. This reluctance leads to Denial, Procrastination and Premature Attestation.
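As an added example (not Alvaka’s tooling, and not code from the original post), the following Python script models the on-going management and reporting tasks described in the last three items. It reads constructed endpoint check-in lines, lists inventoried workstations that lack current evidence of full encryption (never enrolled, stale, still converting, protection suspended, recovery key not escrowed), and answers the question that matters after a loss: is there dated evidence that the device was fully protected at the time it went missing? The check-in line format, the asset names, the seven-day evidence window and the sample data are all assumptions made for illustration.

```python
"""Endpoint encryption evidence check (added example, not the post's own code).

Assumed check-in format, one line per device per report (not from the post):
  <ISO-8601 timestamp> asset=<id> volume=<status> protection=<on|off> key_escrowed=<yes|no>
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy threshold: a check-in older than this no longer proves current state.
MAX_EVIDENCE_AGE = timedelta(days=7)


@dataclass(frozen=True)
class CheckIn:
    when: datetime
    asset: str
    volume: str         # FullyEncrypted | EncryptionInProgress | FullyDecrypted
    protection: str     # "on", or "off" when protectors are suspended (clear key on disk)
    key_escrowed: bool  # recovery key held centrally, so key custody can be shown


def parse_checkin(line: str) -> CheckIn:
    """Parse one check-in line of the assumed format."""
    stamp, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return CheckIn(datetime.fromisoformat(stamp), fields["asset"], fields["volume"],
                   fields["protection"], fields["key_escrowed"] == "yes")


def protection_gap(c: CheckIn) -> str | None:
    """Why this check-in does not prove the data was unreadable, or None if it does."""
    if c.volume != "FullyEncrypted":
        return f"volume {c.volume}"         # converting or decrypted: plaintext still on disk
    if c.protection != "on":
        return "protection suspended"       # encrypted, but the key sits in the clear on the drive
    if not c.key_escrowed:
        return "recovery key not escrowed"  # cannot show key custody or recover the drive
    return None


def latest_checkins(lines, not_after: datetime) -> dict[str, CheckIn]:
    """Most recent check-in per asset, ignoring anything after `not_after`."""
    latest: dict[str, CheckIn] = {}
    for line in lines:
        c = parse_checkin(line)
        if c.when <= not_after and (c.asset not in latest or c.when > latest[c.asset].when):
            latest[c.asset] = c
    return latest


def fleet_gaps(lines, inventory, now: datetime) -> dict[str, str]:
    """Inventoried assets without current evidence of full protection, with the reason."""
    latest = latest_checkins(lines, now)
    gaps: dict[str, str] = {}
    for asset in inventory:
        c = latest.get(asset)
        if c is None:
            gaps[asset] = "no check-in on record"   # e.g. a replacement put into production unmanaged
        elif now - c.when > MAX_EVIDENCE_AGE:
            gaps[asset] = f"evidence stale ({(now - c.when).days} days old)"
        else:
            reason = protection_gap(c)
            if reason is not None:
                gaps[asset] = reason
    return gaps


def safe_harbor_evidence(lines, asset: str, lost_at: datetime) -> tuple[bool, str]:
    """Can the organization show the asset was fully protected when it went missing?"""
    c = latest_checkins(lines, lost_at).get(asset)   # only evidence from before the loss counts
    if c is None:
        return False, "no check-in on or before the loss"
    age = lost_at - c.when
    if age > MAX_EVIDENCE_AGE:
        return False, f"last evidence {age.days} days before the loss"
    reason = protection_gap(c)
    if reason is not None:
        return False, reason
    return True, f"fully protected at check-in {c.when.isoformat()}, {age} before the loss"


# Constructed sample data (not real telemetry).
SAMPLE_CHECKINS = [
    "2024-03-04T09:00:00+00:00 asset=WS-101 volume=FullyEncrypted protection=on key_escrowed=yes",
    "2024-03-04T09:05:00+00:00 asset=WS-102 volume=EncryptionInProgress protection=off key_escrowed=no",
    "2024-02-01T09:00:00+00:00 asset=WS-103 volume=FullyEncrypted protection=on key_escrowed=yes",
    "2024-03-04T09:10:00+00:00 asset=WS-104 volume=FullyEncrypted protection=off key_escrowed=yes",
]
INVENTORY = ["WS-101", "WS-102", "WS-103", "WS-104", "WS-105"]  # WS-105 replaced, never enrolled
NOW = datetime(2024, 3, 5, 12, 0, tzinfo=timezone.utc)
LOST_AT = datetime(2024, 3, 5, 8, 0, tzinfo=timezone.utc)       # time a laptop was reported missing
BEFORE_ENROLLMENT = datetime(2024, 3, 1, tzinfo=timezone.utc)   # a loss predating any check-in

if __name__ == "__main__":
    for asset, reason in fleet_gaps(SAMPLE_CHECKINS, INVENTORY, NOW).items():
        print(f"GAP  {asset}: {reason}")
    for asset in ("WS-101", "WS-103", "WS-104"):
        ok, why = safe_harbor_evidence(SAMPLE_CHECKINS, asset, LOST_AT)
        print(f"{'OK  ' if ok else 'FAIL'} {asset} lost {LOST_AT.isoformat()}: {why}")
```

The point of `protection_gap` is that “encrypting” is not “encrypted”: a drive still converting, a BitLocker-style volume with its protectors suspended, or a device whose recovery key was never escrowed gives the organization nothing it can put in front of an auditor. Likewise `safe_harbor_evidence` deliberately ignores any check-in after the loss and rejects evidence older than the policy window, because a report showing the device was encrypted months earlier does not show it was encrypted on the day it disappeared.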
Which of these six reasons have you heard within your own organization or from your clients? Are there other reasons beyond these six?
About Alvaka Networks
Alvaka Networks is a leading IT service provider and managed services innovator based in Irvine, California. For 34 years, we have served demanding mid-market and enterprise clients in the healthcare and financial sectors. With our team of technical specialists and a US-based Network Operations Center staffed around the clock, we enable our clients and their IT organizations to meet their stringent regulatory and security requirements month after month, year after year.