June 6, 2012

Medical Data Breaches Unnecessary

The problem of breaches involving healthcare data is getting worse, not better. As more medical information is stored electronically, the risk of unauthorized access grows. But a significant portion of the risk could be reduced to near zero if the primary users of the data - practitioners, healthcare information technology staff and contractors, administrative staff - would take one simple step. One simple and completely free step. Really; it costs nothing, and places nearly zero burden on the user.

We made this same recommendation about six years ago, when reports of stolen laptops first began coming in. But it seems as though no one in the industry has applied our simple fix. In January of 2012, a contractor copied the records of 34,000 patients of Howard University Hospital, containing SSNs, birthdates, and diagnosis-related information, onto a laptop. The data was not encrypted; the laptop, of course, was stolen from the contractor's car. This same scenario has been reported numerous times. Data, laptop, car, repeat.

Last month, federal prosecutors charged a worker at the same hospital with selling hospital data. She's set for a plea hearing on June 12. Clearly, this is a different situation, and would not have been mitigated by encrypting the data, since the worker was entrusted with full access. But you can be sure that Howard University Hospital wishes that the stolen laptop had not preceded this incident. Patients and regulators are rightly outraged.

Simply put, had the data been stored on an encrypted drive partition on those laptops, it would have been safe from prying eyes. How difficult is it to do that? If a free, open source program like TrueCrypt is installed on the computer, it's as easy as typing in a password to open the protected drive, copying the data onto it, and using the data just as though it were on any ordinary drive. After a set number of minutes of idleness, or when the computer sleeps, hibernates or is shut down, the program can be set to close the protected drive, rendering its contents completely unusable until the password is given again.

Along with encryption, passwords must be strong, which means hard to guess. But they don't have to be hard to remember and type. A good rule is to have 20 or more characters, but a simple phrase can be easy to remember. Stop thinking pass word, and think pass phrase instead. Here's an extremely strong password: Theylike2bheld/theseKitties ("they like to be held, these kitties"). Easy to remember and type, but it has upper and lower case letters, a numeral and a punctuation character, and totals 27 characters in all. That's one strong password. It works in TrueCrypt and virtually all other encryption programs. And it even has kittens!
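As an added illustration (not part of the original post, and not TrueCrypt's own code), here is a short Python script that scores the post's example passphrase against the 20-character rule and then stretches a passphrase into a volume key with PBKDF2, the kind of derivation a passphrase-protected container performs when you open it. The salt, iteration count and the weak comparison password are constructed for this example.

```python
"""Passphrase scoring and volume-key derivation (added example, not TrueCrypt code)."""
import hashlib
import math
import string

# The character classes the post calls out: upper and lower case, numeral, punctuation.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "punct": set(string.punctuation),
}

def classes_used(passphrase):
    """Names of the character classes that actually appear in the passphrase."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in passphrase)}

def brute_force_bits(passphrase):
    """Work, in bits, for an attacker enumerating every string over the alphabet
    formed by the classes the passphrase uses. Length dominates: 27 characters
    over a 94-symbol alphabet is ~177 bits, 8 characters only ~52."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(passphrase))
    return len(passphrase) * math.log2(alphabet)

def meets_policy(passphrase, min_len=20):
    """The post's rule: 20 or more characters drawn from more than one class."""
    return len(passphrase) >= min_len and len(classes_used(passphrase)) >= 2

def derive_volume_key(passphrase, salt, iterations=200_000, length=64):
    """Stretch the passphrase into a header key with PBKDF2-HMAC-SHA512.
    The iteration count here is an assumption for the example, not a
    TrueCrypt parameter; a real volume stores a random salt in its header."""
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"), salt, iterations, length)

if __name__ == "__main__":
    strong = "Theylike2bheld/theseKitties"  # the post's example passphrase
    weak = "P@ssw0rd"                        # constructed short password for comparison
    for p in (strong, weak):
        print(f"{p!r}: {brute_force_bits(p):.0f} bits, meets policy: {meets_policy(p)}")
    salt = b"constructed-salt-for-example"   # constructed; never reuse a fixed salt in practice
    print("volume key:", derive_volume_key(strong, salt).hex()[:32], "...")
```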

Some encryption software, including TrueCrypt, offers an additional important feature. Let's say you are carrying extremely valuable data, are being mugged, and are forced to enter your password to start the computer. Let's go so far as to say that the mugger is savvy enough to search the computer for an encrypted file, and finds it. TrueCrypt actually lets you use a different password when you mount the protected drive, which opens a phony data trove on which you've stored some bogus data. Plausible deniability saves you and your data.

There is simply no reason not to require all staff members and contractors to use encryption for all medical and other personal data. Essentially zero ownership cost, and it doesn't slow anybody down. No excuses.

Encryption and strong passwords. Take these two pills and sleep better tonight.

TrueCrypt is a free open source project, available at http://www.truecrypt.org/
