We read this morning that the New York State Attorney General's (AG) office has fined Practicefirst, a medical practice management vendor, $550,000 following a data breach that resulted in related patient information being found on the Dark Web.
We are blogging this information for one main reason. Part of the AG fine was derived from Practicefirst allegedly failing to encrypt server information. While we don't know if encryption would have 100% prevented the data breach, we do know that MANY organizations fail to encrypt their protected health information, citing limited effectiveness (e.g. encryption may not stop an attack if a credential with approved access is compromised), potential performance problems (e.g. we've seen encryption cause "time out" issues with at least one electronic health record system), and availability concerns (e.g. if the encryption keys are mismanaged). BUT, we do know that Health and Human Services (HHS) has taken a pretty hard stance against covered entities and business associates that fail to implement §164.312(a)(2)(iv), Encryption and Decryption. HHS has clearly and repeatedly signaled that this Security Rule citation, while "addressable", is not "optional" (nor are any of the other addressable citations).
We do recommend that each HIPAA-compelled organization document its encryption deployment strategy, through policy and procedure that can be presented as an HHS-deliverable artifact. Click the graphic below to read more about the AG settlement and the circumstances leading to Practicefirst's breach (hint: it was more than a failure to encrypt).
Stay (HIPAA) safe, Alan -