
Loss of a Single Laptop Leads to $50k Fine Against Idaho Hospice

Unknown Lamer posted about 2 years ago | from the sterm-talking-to dept.

Privacy 188

netbuzz writes "Losing a single laptop containing sensitive personal information about 441 patients will cost a non-profit Idaho hospice center $50,000, marking the first such HIPAA-related penalty involving fewer than 500 data-breach victims. Yes, the data was not encrypted. 'This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information,' says the Department of Health and Human Services."


This is why God invented encryption (4, Insightful)

kriston (7886) | about 2 years ago | (#42513105)

This is why God invented encryption.

Re:This is why God invented encryption (3, Informative)

Cryacin (657549) | about 2 years ago | (#42513211)

Ummmm, at least Christians would say you're idolizing the wrong J.C.

http://voices.yahoo.com/basic-cryptology-caesars-encryption-method-5295779.html [yahoo.com]

Re:This is why God invented encryption (3, Funny)

webmistressrachel (903577) | about 2 years ago | (#42513527)

Yeah, he could at least idolize one with a three-letter UID - ~Jeremiah Cornelius [slashdot.org] . Have *some* class...

Re:This is why God invented encryption (-1)

Anonymous Coward | about 2 years ago | (#42514301)

I read Jeremiah Cornelius' post history. You're both troll assholes.

Re:This is why God invented encryption (-1)

Anonymous Coward | about 2 years ago | (#42514825)

666?

Hospice prices go up (1)

Anonymous Coward | about 2 years ago | (#42513113)

It's not like the hospice is going to be particularly harmed. The costs will be passed on to you through insurance. No person was held accountable for their decision to not encrypt the laptop.

Re:Hospice prices go up (2)

Xicor (2738029) | about 2 years ago | (#42513231)

If I recall correctly from the HIPAA rules, it isn't the hospice that is required to pay the fine; I'm pretty sure it is the employees responsible. The incorporation isn't the one being charged with the loss of the patient data.

Re:Hospice prices go up (3, Insightful)

sunking2 (521698) | about 2 years ago | (#42513457)

Hospice prices can't just arbitrarily go up for the 99.9% of people who use insurance or Medicaid. They work on prenegotiated rates. They can charge all they want; insurance is only going to pay them what they agreed to.

Re:Hospice prices go up (-1, Flamebait)

Rockoon (1252108) | about 2 years ago | (#42513559)

Wow.

He is talking about the insurance the Hospice provider buys, not the insurance the patients have.

Welcome to the list of really clueless stains on slashdot that act like experts even when they know so little that they say something as ridiculous as well, what you just said.

Re:Hospice prices go up (0)

sunking2 (521698) | about 2 years ago | (#42513591)

I'm not so sure about that, and even if so, you are talking about such a piddling amount divided by so many policy holders that it rounds down to zero. A small price to pay for hopefully people being more careful.

It works! (0, Flamebait)

jameshofo (1454841) | about 2 years ago | (#42513115)

All those naysayers who say government doesn't work, well, look at this!

Re:It works! (3, Insightful)

DoofusOfDeath (636671) | about 2 years ago | (#42513185)

It's hard to tell if you're being sarcastic or not.

Re:It works! (1)

Anonymous Coward | about 2 years ago | (#42513217)

If it worked, we wouldn't be reading this article. The data was lost despite government regulation. I don't care that the government made 50k off the deal.

Re:It works! (4, Insightful)

Alwin Henseler (640539) | about 2 years ago | (#42513259)

No it doesn't. For starters: such a fine is a good thing, but it should be payable to the victims of the data breach (as in: the people whose sensitive data was dumped on the street). One way or another, they suffer damage from a data breach, they should be compensated.

Secondly, it won't prevent further breaches like they happen so often these days. Maybe if fines are stiff enough, and handed out often enough, over time it will produce an effect. I wouldn't hold my breath though. When it comes to keeping data private, a new idiot is born every day. Sometimes an idiot in charge, but that's not always necessary.

Re:It works! (3, Informative)

icebike (68054) | about 2 years ago | (#42513445)

No it doesn't. For starters: such a fine is a good thing, but it should be payable to the victims of the data breach (as in: the people whose sensitive data was dumped on the street).

You did read the article right?

Of course not.

Nobody's data was abused. They didn't suffer any damages from the data breach.
(You do know what a Hospice is, right? You understand that their clients could not possibly care less about a data breach?).

Be that as it may, fines are NEVER payable to individuals. The government simply pockets the money.
Nobody is taught any lessons, other than to raise their prices to pay for even more insurance.

Re:It works! (4, Insightful)

Enry (630) | about 2 years ago | (#42513615)

Yes, and the next time some Hospice official thinks about not encrypting their data, they're going to remember this event and think better of it.

HIPAA violations are serious. People have likely lost their jobs over this. Even though I'm not in a position to routinely work with patient data, my employer requires that my laptop is encrypted - in the case of my Linux laptop I was able to convince them that using encrypted LVM was sufficient.

Re:It works! (1)

Anonymous Coward | about 2 years ago | (#42514141)

If the fine is yearly, firing their IT guy may save them a few thousand a year!

Re:It works! (1)

Anonymous Coward | about 2 years ago | (#42514711)

Yeah, let's fire the IT guy who suggested all data be encrypted and not the managers who overruled the IT guy because encryption is annoying.

Re:It works! (3, Insightful)

mlts (1038732) | about 2 years ago | (#42514229)

I'm happy HIPAA is being enforced. We have already had way too many breaches, either tapes left in unsecured locations, or laptops "going missing".

We already have had a decade of businesses giving security the hind teat, since it is viewed as a cost center, and the belief that "calling Geek Squad" after the fact can fix things. Having it made public that if laws/regs are broken, that fines will be levied might get places to zip their flies.

Encryption of laptops is not hard, especially for the Windows laptops that are the mainstay in business and have TPM chips. With any Windows version newer than Vista, BitLocker is very easy to enable at an enterprise level. For most things, just forcing BitLocker via GPO on laptops, even if the user is a full admin, is more than good enough for security.

For laptops without a TPM, Windows 8 and Windows Server 2012 allow for a password to be set before boot.

Almost all new major operating systems have some form of DAR/WDE encryption ready to go. Linux has LUKS, BSD has gbde, AIX has EFS, Solaris has encrypt(1), OS X has FileVault II. Enabling this may not be trivial, but it is doable.

Of course, almost all new backup programs have encryption, usually create/import a key, set a button to encrypt, and let fly. Netbackup has the Media Server Encryption Option, but even better, if one uses LTO-4 or newer media, NBU can just use the tape drive native AES encryption directly.

There is no excuse for encrypting laptops and media these days. None.

Re:It works! (2)

NotQuiteReal (608241) | about 2 years ago | (#42514861)

Next time I am dying I will be sure to carefully review the HIPAA compliance record for the hospice of my choice.

Re:It works! (0)

Anonymous Coward | about 2 years ago | (#42514923)

IMO, it should be another 50 grand because the data wasn't encrypted like it should be.

Re:It works! (1)

Door-opening Fascist (534466) | about 2 years ago | (#42514643)

(You do know what a Hospice is, right? You understand that their clients could not possibly care less about a data breach?).

I'm sure the thing you want to be dealing with when closing down a loved one's estate is finding out that someone's opened up a bunch of credit cards and gone to town.

Be that as it may, fines are NEVER payable to individuals.

What about the $2.4 billion that the National Fish and Wildlife Foundation received from BP as part of the Deepwater Horizon oil spill? That will have a direct, tangible benefit to the Gulf States. Skylar

Re:It works! (0)

Anonymous Coward | about 2 years ago | (#42515963)

Fines may or may not be payable to the clients, but usually an "identity protection" package is offered. And the damaged party may not be the one hurt by a data loss; the hospice client may have a family member who is the "Financially Responsible" party whose information has also been lost.

Re:It works! (0)

Anonymous Coward | about 2 years ago | (#42516187)

Nobody's data was abused.

Yet.

Re:It works! (-1)

Anonymous Coward | about 2 years ago | (#42514839)

It is just the government trying to drive even a non-profit out of "business", to broaden the government's role in even providing end of life care... how dare anyone not use the official death panel!

A 'Big' fine? (1)

ko7 (1990064) | about 2 years ago | (#42513143)

"... will cost a non-profit Idaho hospice center $50,000, ..."

I'm not so sure just how strong of a message this will send.

Encrypting patient data should be a no-brainer in this day and age.

Re:A 'Big' fine? (1)

JasoninKS (1783390) | about 2 years ago | (#42514335)

The key word there being "should". Sadly, there are many reasons this doesn't occur.

1. Overloaded tech guy who was told to crank out new laptops ASAP, damn the torpedoes.
2. Tech guy that knows better but was overruled by his boss.
3. Tech guy told them it needed to be done, but the CEO said "screw it, it costs too much and is too complicated for us to learn".
4. Plain ol' oversight.

My money would probably be on 3. "How's 70 year old Beloved Bill, who's been with our company forever, ever supposed to remember how to do this stuff?" "I don't care that it's automatic, it's too confusing and complicated." "My teenage kid knows all about computers and he says we don't need it."

Re:A 'Big' fine? (3, Insightful)

afidel (530433) | about 2 years ago | (#42515059)

Dude, it's a small nonprofit hospice; it's doubtful they HAVE an IT guy, more likely a consultant they bring in to fix something every few years. I know because I worked consulting in a practice focused largely on SMB medical, and only our largest and/or most profitable customers ever engaged us for anything more than break/fix. I got out just as HIPAA enforcement was coming online, and almost none of our clients were prepared, despite the fact that we had sent along information for several years pointing them to organizations that could help them write their policies (we got nothing directly out of this, though given the state of many of their IT systems they would have needed services to become compliant with legal minimum practices).

Being non-profit does not justify being incompetent (4, Insightful)

gweihir (88907) | about 2 years ago | (#42513151)

Yes, it is tragic, but effective encryption is free (TrueCrypt, e.g.) and a non-profit still does not have any business being incompetent.

Re:Being non-profit does not justify being incompetent (1)

DigiShaman (671371) | about 2 years ago | (#42513573)

While not free, a much simpler option for the end-user would be to purchase a laptop with drive encryption available out of the box: Windows 7 Ultimate/Enterprise and Mac OS X, respectively. Both can provide end-user support over the phone in the event of needing to recover data (OEM and Apple support). That phone call could make this the most important decision ever made. And to go a step further, you can use an online backup solution such as Mozy and back up to the cloud (both the client connection and back-end storage reside in an encrypted state).

Now, you may say this is expensive. But the cost of paying the fine is much higher. It's also more expensive to society as a whole when sensitive information gets shat all over the internet. I can't speak for everyone, but I know I don't want my stuff out there.

Re:Being non-profit does not justify being incompetent (3, Interesting)

Kaenneth (82978) | about 2 years ago | (#42513613)

Question: is there a difference between 'effective' encryption and 'HIPAA Approved' encryption?

From a legal standpoint, would cheap/free encryption like Truecrypt/PGP be acceptable, or do you need HIPAA certified encryption with enterprise key management, etc. for $1000 a seat?

What stops your medical records being 'encrypted' with ROT13?

Re:Being non-profit does not justify being incompetent (4, Informative)

Anonymous Coward | about 2 years ago | (#42513691)

Question: is there a difference between 'effective' encryption and 'HIPAA Approved' encryption?

Yes, HIPAA stipulates that it must be FIPS-accredited. AES-encrypted zip files are acceptable; the older standard of zip file encryption (whatever that was) isn't.

What stops your medical records being 'encrypted' with ROT13?

The above.

Re:Being non-profit does not justify being incompetent (4, Informative)

Guido69 (513067) | about 2 years ago | (#42513785)

FIPS 140-2 to be more specific. There are plenty of free options.

Re:Being non-profit does not justify being incompetent (2)

adolf (21054) | about 2 years ago | (#42514897)

FIPS 140-2 to be more specific. There are plenty of free options.

Are there? Last time I looked into FIPS 140, it was the case that only certain software versions were validated by NIST, and none of the validated incarnations were either free-beer or free-libre.

Even the folks behind Truecrypt "To our best knowledge, TrueCrypt complies with the following standards, specifications, and recommendations..." [truecrypt.org] , before failing to mention FIPS 140 at all.

Indeed, looking again at the list of validated FIPS 140 wares [nist.gov] , it does seem to be lengthy, but it is mighty specific and I do not see a single instance of anything free-as-in-beer, let alone "plenty of free options."

The only thing that stands out is that Red Hat has had some OSS software validated as being FIPS-140, but only when installed according to their posted Security Policy, which seems to require RHEL, which is not free.

So. [citation needed], and stuff: If you've got the goods, give 'em up. (And no, "To our best knowledge" is not a defense against a HIPAA violation: It either is validated to FIPS 140(-2), or it is not.)

Re:Being non-profit does not justify being incompetent (1)

tlhIngan (30335) | about 2 years ago | (#42515253)

Last time I looked into FIPS 140, it was the case that only certain software versions were validated by NIST

As a standard, it must do this, because it's possible for a version of software to have fatal bugs in it. Like say a fatal OpenSSL bug in Debian used to pass through valgrind. That would mean that one cannot certify those versions, but ones that were fixed can then be submitted for certification.

And it's possible that TrueCrypt may be certified, but someone makes an error and version +1 now doesn't meet the requirements.

And yes, commercial software can have such show stopping bugs as well due to some coding error.

Re:Being non-profit does not justify being incompetent (0)

Anonymous Coward | about 2 years ago | (#42514595)

Where in HIPAA does it state FIPS-compliant encryption? I'd love to see this citation. HIPAA is a guideline; it sets in place no specifications as to exactly what you should do.

Re:Being non-profit does not justify being incompetent (1)

sthomas (132075) | about 2 years ago | (#42515075)

HIPAA *does* set in place specific specifications to comply. The beauty of HIPAA is that the Dept H&HS releases guidance to inform people how to comply on pretty much every aspect:

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html [hhs.gov]

When it comes to technology, they always refer to NIST standards as being tested and compliant. Read NIST special publication 800-111 and its references to the FIPS 140-2 standard at http://csrc.nist.gov/ [nist.gov] (Publications / Special Publications on the top menu) and you'll see they have very thorough information on how to implement encryption correctly.

Re:Being non-profit does not justify being incompetent (1)

afidel (530433) | about 2 years ago | (#42515105)

This exactly. Much like SarbOx, it's mostly a minimum framework for organizations to write their own policies (in fact HIPAA doesn't specify ANY technologies, only policies). Specific auditors might require specific standards in order to make their jobs easier (checkbox auditing), but the law is much more vague. In reality, if you put in a good-faith effort to protect patient information and followed your organization's published guidelines, it's highly unlikely that you or your organization will be fined unless there's a finding of gross negligence (i.e. I wrote the encryption key on a Post-it attached to the outside of the tape case).

Government penalizers doing... (5, Insightful)

Anonymous Coward | about 2 years ago | (#42513195)

...what govt penalizers do best: pick on those least capable of defending themselves... in other words go after the low hanging fruit and don't bother with the really hard stuff like rich, for-profit hospitals and clinics that routinely violate HIPAA... because those have armies of high-dollar lawyers who'll make life hard on the govt if they attempt to go after them.

Re:Government penalizers doing... (4, Funny)

Cryacin (657549) | about 2 years ago | (#42513225)

Yeah, bunch of HIPAA-crits

Re:Government penalizers doing... (0)

Anonymous Coward | about 2 years ago | (#42513767)

The "crit" is silent and usually not displayed. It's really uninteresting when you think about it.

Re:Government penalizers doing... (2)

icebike (68054) | about 2 years ago | (#42513507)

Exactly.

Any large hospital would have fought this out in court and prevailed. Banks, State Agencies, Military, Doctors and Clinics all over the country have data losses all the time, but nobody gets fined. Because they all have insurance and lawyers. But find one little agency, whose patients never live long enough to sue them and who therefore don't need to retain a huge legal staff, and BAM, sue them into the ground.

Re:Government penalizers doing... (1)

Lehk228 (705449) | about 2 years ago | (#42513619)

I fully agree that we need more funding for enforcement of HIPAA violations, however the likelihood of securing such funding now is fairly low, and even if the money could be scrounged up there are other things that need the money more.

Re:Government penalizers doing... (0)

aurispector (530273) | about 2 years ago | (#42513737)

HIPAA is the biggest waste of paper ever to come out of DC. It solves nonexistent problems with imaginary solutions and imposes a constant and never ending expense on providers, raising costs for everyone. It's a bureaucrat's wet dream because they get to beat someone with a stick and pretend they're helping people.

The ultimate in big government overstepping its bounds.

Re:Government penalizers doing... (0)

Anonymous Coward | about 2 years ago | (#42513907)

Amen...

Re:Government penalizers doing... (3, Insightful)

ColdWetDog (752185) | about 2 years ago | (#42514207)

Nice rant. Too bad you're mostly wrong. HIPAA actually does manage to get data protection pushed far and wide in an industry that fights tooth and nail against any change. It's hardly perfect but it's not terribly onerous and most of the edge cases and implementation problems have been sorted out.

I'm not sure why they chose to beat up on some rural Hospice provider - they've had plenty of chances to hit some big boys and girls, but this will send out a signal that you shouldn't fuck around and avoid doing simple things. It isn't much of an expense to encrypt laptops. It's not hard to put locks on doors, HIPAA has made it easier to transfer data back and forth between providers because everyone is working off the same set of rules.

Maybe you should bash your head with your copy of Atlas Shrugged a few more times until things are clearer.

Re:Government penalizers doing... (2, Informative)

Anonymous Coward | about 2 years ago | (#42513839)

Banks, State Agencies, Military, Doctors and Clinics all over the country have data losses all the time, but nobody gets fined. Because they all have insurance and lawyers.

Nobody gets fined? Are you kidding? Large organizations get fined all [hhs.gov] the [hhs.gov] time [hhs.gov] , often for amounts of money that aren't measured in "K". It is, by the way, the reason that said organizations have insurance. And lawyers. This one is making the news precisely because it's a small organization and a small data breach.

Re:Government penalizers doing... (2)

wmelnick (411371) | about 2 years ago | (#42513629)

BS - They have already gone after Blue Cross/Blue Shield and many large practices. There have been multi-million dollar settlements. This was a warning shot to smaller providers that they have to keep their patients' data safe too because many are too lazy to do so.

Re:Government penalizers doing... (2)

stormpunk (515019) | about 2 years ago | (#42513921)

It took years before there were any fines. The BCBS fine of $1.5m was for 1m records. The only warning that sends is that it is cheaper to ignore the regulations than to do anything about it. Also, if you're going to lose records, then lose big and you get a discount. It cost the hospice over $100 per record and BCBS $1.50. There does appear to be something to the statement that larger agencies have less to worry about.

Re:Government penalizers doing... (1)

c0lo (1497653) | about 2 years ago | (#42513869)

...what govt penalizers do best: pick on those least capable of defending themselves...

Why, that's a brilliant example of high moral values: why waste the citizens' tax money on those that can do more than defend themselves (like: call someone to just... you know? incidentally mention... they'll deduct the fine from the next electoral donation round)?!

(ducks)

These guys are an easy takedown. (1)

rashanon (910380) | about 2 years ago | (#42513205)

They beat up on these guys because they don't have the resources to fight back. Right or wrong in this case is not the issue. An easy win was. HIPAA will not go after a big health care chain, because the chain will spend all the money needed to block these cases. These guys will not back up their words about protecting patients against a biggie. They just want to look like it.

Legal Explanation (0)

Anonymous Coward | about 2 years ago | (#42513243)

The issue of whether the breach affects more or less than 500 patients is legally relevant. Companies that suffer a compromise of certain types of personal information (including medical records) must report it to the government. When the number of victims is more than 500, the reporting requirements are stricter--the deadline is sooner, a notification about the problem is posted on a government website, etc. So when it's 500, they are generally just not treated as seriously; the enforcement agencies tend not to invest a lot of time and money in taking action against them. There is a rule that, if the data that was stolen is properly encrypted so that the hacker or thief can't actually use it, then the company has nothing to worry about. This is a "safe harbor" provision that encourages companies that store personal information to secure it so that they don't have to worry about getting sued for data breaches.

probably idiot spoiled-rich-brat management (1)

Anonymous Coward | about 2 years ago | (#42513299)

The day I was terminated from a company with a crazy spoiled-rich drunken brat whose father gave her all the startup money and helped her get a healthcare related company going was the day I became religious about encryption and file shredding. This lady was an IDIOT. She shelled out high salaries for top people in the industry to give her good advice, and she did not listen to any of them and ended up getting ripped off of her entire business model and client base by her former VP who was tech-savvy. Security was as lax as it gets and he covered his tracks thoroughly. Then when she said she was hiring top dollar experts to come in and find traces of deleted data on the computers to show evidence of what he had done, I urged her to stop using them and told the chick "don't use those computers. Anything recoverable will be overwritten". She blew me off because I wasn't a full time data recovery person. They flew in from across the country and told her the exact same thing I did. Then she got furious at me because I hadn't made it clear enough to her not to do that (which was B.S.) and eventually fired me and wanted to get her claws on my personal computer because she suspected me of being an insider helping the former VP rip her off. So I quickly moved all my personal, then non-encrypted, home PC files to a TrueCrypt encrypted volume on a new drive and then shredded the old drive's contents. Then I ran magnets all over the thing and drilled a bajillion holes in it, rendering it useless.

This is the new generation of bosses and company owners in America. They're the sons and daughters of the upper crust who are starting and running companies having no real background in the industry and making themselves look like the idiots they are in the process, while the employees are trying to beam-balance their job amidst the chaos.

Re:probably idiot spoiled-rich-brat management (0)

Anonymous Coward | about 2 years ago | (#42513387)

I bet she's from Nashville. Bitches like that are always from Nashville. Or Atlanta. And they drive SUV's and talk on the cell phone ALL THE TIME.

Re:probably idiot spoiled-rich-brat management (0)

Anonymous Coward | about 2 years ago | (#42513419)

I dunno where she was from but she was definitely glued to her cell phone. Was always blowing money on drinking parties and kept booze in the break room and encouraged everyone to drink on the job as well. I know it sounds like 4chan fiction, but I assure you that I am not making any of this up.

Re:probably idiot spoiled-rich-brat management (0)

Anonymous Coward | about 2 years ago | (#42514157)

Having been all over the world, I can safely say that there is always a snooty bitch willing to run you over in an SUV while glued to her cellphone. Living in the southeast US, it does seem to be a higher concentration than most places...

Re:probably idiot spoiled-rich-brat management (0)

Anonymous Coward | about 2 years ago | (#42513403)

No, they're not sons and daughters of the "upper crust", they're sons and daughters of the stale crust which is pretty much described as "westerners".

Re:probably idiot spoiled-rich-brat management (0)

Anonymous Coward | about 2 years ago | (#42513521)

Ya, most likely if you dig deep enough they could be confirmed as the spawn-of-the-bush-era from one degree to another. God help us all.

How to ensure it gets encrypted... (3, Interesting)

Anonymous Coward | about 2 years ago | (#42513415)

Require the people in charge of an organization to store THEIR personal data in any such repository. Then maybe they'd have more incentive to make sure it gets PROPERLY encrypted.

Re:How to ensure it gets encrypted... (0)

Anonymous Coward | about 2 years ago | (#42514043)

That's perfect. Reminds me of the rule in my house. Whoever cuts the cake is the last one to pick a slice. Good way to ensure they make every slice the same.

America confuses me (1)

sidevans (66118) | about 2 years ago | (#42513463)

Facebook, Google and probably Apple make money selling customer data

but

Non-Profit organisation (organization) gets fined for losing customer data

I know it's different data, but c'mon, what's the world coming to?

Re:America confuses me (-1)

Anonymous Coward | about 2 years ago | (#42513537)

It's not that confusing:

Facebook, Google and probably Apple make money selling customer data

voluntarily provided by stupid American customers. You cannot safeguard against stupidity (we do try)

Non-Profit organisation (organization) gets fined for losing customer data

It's not simply "different" data. It's data that they possess because customers _had_ to go to a hospice due to their medical condition. You can avoid Facebook (as hard as it is) but you cannot avoid a hospice. So safeguards must be different.

Re:America confuses me (1)

Anonymous Coward | about 2 years ago | (#42513641)

You don't know why the rules are different for medical records than personal data that is voluntarily provided? Sheesh, and they say Americans are dumb.

Did they ignore the regulations at the start? (2)

Kwyj1b0 (2757125) | about 2 years ago | (#42513473)

At a university where I work, there is a requirement that any project involving storing personal data must go through several periodic reviews and has to meet some strict requirements - encryption is a must (without it, the project won't even get off the ground). I'd be very surprised if there are no regulations dictating how hospitals must store and protect data.

I read TFA, but I couldn't see whether such requirements are a must for hospices. Did they just go ahead and ignore the requirements? In which case, the fine is too small. Or are there no regulations for healthcare industry (I'd find that very surprising)? Can someone more knowledgeable tell me if this was negligence or outright violation of protocol?

Re:Did they ignore the regulations at the start? (1)

Door-opening Fascist (534466) | about 2 years ago | (#42514681)

In Washington, many health providers are barely regulated (see the Seattle Times' [seattletimes.com] report Seniors for Sale [nwsource.com] ). The state regulator, DSHS, is notoriously incompetent and hasn't been nationally accredited since at least 2001 [seattletimes.com] . I imagine most of the oversight comes from the feds, who are pretty overworked. Skylar

AWESOME! (0)

Anonymous Coward | about 2 years ago | (#42513553)

Finally someone punished for their security incompetence!

The fine seems pretty low though.

Why are you doing it in the first place? (2)

rudy_wayne (414635) | about 2 years ago | (#42513575)

Every time I see one of these stories I wonder about the same thing. Why is sensitive patient information on a laptop in the first place, and why is that laptop leaving the hospital?

If you are a business executive, I can understand that you would be carrying a laptop which contains emails and other documents. But I cannot think of a single good reason (GOOD REASON) why a hospital's patient information would ever need to be stored on a laptop. Seriously, if you have employees carrying around laptops loaded with patient information, you're doing it wrong.

Re:Why are you doing it in the first place? (1)

mlw4428 (1029576) | about 2 years ago | (#42513621)

Low ranking managers, nurses/doctors/etc who only make "rounds" every other day or something to see patients, remote coders who stopped in the office for some reason, IT support persons with access to shared drives to spreadsheets/data containing patient information, etc, etc.

There are a number of reasons why laptops leave facilities. The question is why wasn't it encrypted?

Re:Why are you doing it in the first place? (1)

Osgeld (1900440) | about 2 years ago | (#42513677)

No reason that it needed to be local on the machine, let alone local, portable, and unencrypted.

Re:Why are you doing it in the first place? (0)

Anonymous Coward | about 2 years ago | (#42513919)

You act like remote docs wouldn't be cached on the machine. MS Word would open a temp file on the local machine, and RAM would have the info as well as the swap file.

Re:Why are you doing it in the first place? (1)

Osgeld (1900440) | about 2 years ago | (#42514195)

But again, there is no reason why it could not be cached.

RAM and swap, OK, sure, there's no perfect lock, but it's better than no lock and hoping for the best.

Re:Why are you doing it in the first place? (1)

rudy_wayne (414635) | about 2 years ago | (#42513739)

Low ranking managers, nurses/doctors/etc who only make "rounds" every other day or something to see patients, remote coders who stopped in the office for some reason, IT support persons with access to shared drives to spreadsheets/data containing patient information, etc, etc.

There are a number of reasons why laptops leave facilities.

Yes, there are many reasons why laptops leave facilities and all the ones you cited are perfectly valid, except for one thing. Why is there patient information on the laptop? That makes absolutely no sense.

You come into the facility for your once a week visit, you connect your laptop to the network and you access the patient information. There simply is no legitimate reason for the patient information to be on any laptop, let alone one that is going to leave the facility.

Re:Why are you doing it in the first place? (1)

SternisheFan (2529412) | about 2 years ago | (#42513969)

Hospice employees need to travel to the dying patients' homes, where the patients are 'home to die', i.e. "hospice".

Re:Why are you doing it in the first place? (1)

Osgeld (1900440) | about 2 years ago | (#42514185)

We have this thing called VPNs, and you can access data on them without having to keep a copy on your personal device; force a password policy and it's not perfect, but it's better than "oops, I lost 500 patients' data in one fell swoop conveniently cataloged and in xls format".

If you keep your data at a central resource, it's much easier to do damage control.

Re:Why are you doing it in the first place? (0)

Anonymous Coward | about 2 years ago | (#42514407)

There are a significant number of patients in the world who both do not have their own internet access and who live in an area where cellular reception is questionable at best.

Re:Why are you doing it in the first place? (1)

ChrisMaple (607946) | about 2 years ago | (#42515153)

So they take data with them only for those patients they'll be seeing that day, and only the data needed: not SSNs, account payment methods, next of kin data, etc.

Re:Why are you doing it in the first place? (1)

ganjadude (952775) | about 2 years ago | (#42514001)

Hasn't anyone ever heard of a VPN before? It really is not that hard to keep data safe.

Re:Why are you doing it in the first place? (2)

wvmarle (1070040) | about 2 years ago | (#42515777)

That requires a network connection. Not every home has an Internet connection, and many that do lack easy facilities to connect a visitor's computer to the Internet. And as this is set in the US, I wouldn't consider mobile (3G, 4G data) coverage a given either. So VPN is not an option.

Proceeds of the fine will go to charity (0)

Anonymous Coward | about 2 years ago | (#42513579)

No, not to the same place. But by coincidence, the NFL will contribute a $50,000 fine levied against a player mouthing off against the refs to the North Idaho hospice.

Hey, I'm cynical. Sue me.

What a Joke (4, Interesting)

Charliemopps (1157495) | about 2 years ago | (#42513605)

Having worked on many projects involving various levels of government regulation and compliance, and seeing all the different facets of security and what-not, I can state for a fact that a case like this will be looked at like "It was only a $50k fine? This security hardening project is costing us well over $200k and we still might have a breach that would lead to such a fine. Why are we even bothering?"

We had a project that was basically just a fuzzy match for numbers that looked like credit card or social security numbers and deleted them if it found them, just in case they got into a part of the database they shouldn't (like a customer stuck their social security number into their address, and yes, it's happened before). That project cost us $22,000. It ended up being a single line of SQL that ran as part of a service every hour. $50k is laughable. Security breaches like this should nearly bankrupt a company; there is no other way they'll be taken seriously. I'm involved in 5 different projects right now, each of them billing out at over $100k, and 3 of them revolve around privacy issues and government compliance. The fines issued for such breaches aren't even in our paperwork as a concern. The cost of a breach with regard to public image, however, has a very specific, very large number near the top of the chart. But we're in a business where people are paying attention to such things. These fines should START in the millions because preventing them costs in the hundreds of thousands of dollars.
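The "fuzzy match for card or SSN numbers that strayed into free-text fields" described in the comment above, as an added example that is not the poster's SQL: it scans constructed sample rows, uses a Luhn checksum and SSA issuance rules (no 000/666/900+ area, no 00 group, no 0000 serial) to cut false positives such as phone numbers, and masks the match rather than deleting the field. The row layout, regexes and sample values are assumptions for the demonstration.

```python
import re

# Constructed sample rows: an SSN typed into an address field, a (test) card
# number in a notes field, and a phone number that must NOT be flagged.
SAMPLE_ROWS = [
    {"id": 1, "address": "12 Elm St, SSN 219-09-9999, Boise ID"},
    {"id": 2, "notes": "card on file 4111 1111 1111 1111"},
    {"id": 3, "notes": "call 208-555-0100 after 5pm"},
]

SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")  # 14-19 digits, separators optional


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out most random digit runs that only look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject area/group/serial values the SSA never issues."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def find_identifiers(text: str) -> list:
    """Return (kind, (start, end)) for each plausible card or SSN in the text."""
    hits = [("card", m.span()) for m in CARD_RE.finditer(text)
            if luhn_ok(re.sub(r"\D", "", m.group(0)))]
    taken = [span for _, span in hits]
    for m in SSN_RE.finditer(text):
        s, e = m.span()
        overlaps = any(s < te and ts < e for ts, te in taken)  # skip SSN-shaped slices of a card
        if ssn_plausible(*m.groups()) and not overlaps:
            hits.append(("ssn", (s, e)))
    return sorted(hits, key=lambda h: h[1][0])


def redact(text: str) -> str:
    """Mask matches instead of deleting the whole field, so the record stays usable."""
    for kind, (s, e) in sorted(find_identifiers(text), key=lambda h: h[1][0], reverse=True):
        text = text[:s] + f"[REDACTED-{kind.upper()}]" + text[e:]
    return text


def scan_rows(rows: list) -> list:
    """Audit pass: (row id, field, kind) for every free-text field that needs cleaning."""
    return [(row["id"], field, kind)
            for row in rows for field, value in row.items() if field != "id"
            for kind, _ in find_identifiers(value)]
```

Run `scan_rows(SAMPLE_ROWS)` to list the rows needing cleanup, then `redact()` per field; the hourly job in the comment would do the same over the live table.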

Re:What a Joke (3, Funny)

Guido69 (513067) | about 2 years ago | (#42513829)

If you've seriously got a viable business model where encrypting a single laptop can bring in $N00k, please let me know.

Re:What a Joke (2)

twistofsin (718250) | about 2 years ago | (#42514041)

I'm trying to wrap my head around how you went from

1. Recognizing the risk
2. Spending 22k
3. And ending up with 1 line of code for it.

I mean, at what point in that expenditure was that line of code developed? That 1 line of code obviously includes a search string for the databases and a command to delete them. How was that not obvious to implement?

Re:What a Joke (1)

magamiako1 (1026318) | about 2 years ago | (#42515557)

For what it's worth that's actually not a whole lot of money depending on the development practices of the organization.

* Cost of resources used (PCs, software, servers, etc.)
* Development, QA, Lifecycle
* Project Managers, Managers, Business Analysts, Developer

Re:What a Joke (1)

Anonymous Coward | about 2 years ago | (#42514203)

I only charge $11k per line of SQL!

Also if they nearly bankrupted this hospice the patients might die!

Re:What a Joke (3, Interesting)

jklovanc (1603149) | about 2 years ago | (#42514913)

Perhaps the fine was sized to cause pain to the organization and not kill it. Everyone makes mistakes and there are consequences but those consequences should not be fatal. Now if it happened a second time the fines should be much larger. A third time should bankrupt the company.

I work in HIPAA data, $50k fine is reasonable (0)

Anonymous Coward | about 2 years ago | (#42513701)

You can never "undisclose" facts like home addresses of HIV patients, patient names taking socially stigmatizing drugs, phone numbers and mental disorders, etc.

Bank-fraud mentality doesn't work in medicine: we can't "replace" the amount lost.

RULES
1. DON'T put private patient data on your laptop (HIPAA identifiers)
2. ENCRYPT data in those very rare care delivery circumstances where you actually need HIPAA data on your laptop
3. DE-IDENTIFY information you don't really need: you don't need patient names for research except in rare cases

A $50k fine seems a reasonable penalty to kick people out who aren't capable of basic safeguards.

I defend your health data and I approve this message.
--Anonymous Coward

Price of your privacy. (0)

Anonymous Coward | about 2 years ago | (#42513721)

So it has been revealed: your medical information costs about 113 USD. Don't sell it for any less!

Patients don't get a penny of it. (0)

Anonymous Coward | about 2 years ago | (#42513755)

Why does the government get any of it?

-or- they learned another lesson... (3, Insightful)

bradorsomething (527297) | about 2 years ago | (#42513765)

When you lose one laptop worth of patient data, don't tell anybody.

Should not be on there in the first place, at all. (2)

markdavis (642305) | about 2 years ago | (#42514421)

I love all the immediate "encrypt it" comments. Yes, that would be helpful, but the bigger question to ask is:

"Why would such data be copied onto a laptop in the first place?"

We keep hearing stuff like lost laptops and flash drives over and over. The reality is that sensitive data like this shouldn't be on those devices in the first place. One would think it would be accessed only on secure servers through approved clients and methods. Most facilities' HIPAA guidelines specifically forbid copying such information off the servers in the first place (except by I.T. for backup) regardless of whether it is encrypted or not. Seems like employees in the organizations just ignore that.

Encryption can be broken.

Re:Should not be on there in the first place, at a (1)

magamiako1 (1026318) | about 2 years ago | (#42515571)

How do you propose we handle this?

If it's a web application it's reasonable to assume that browser caching would cache certain data on the hard drive. Even "clearing cache" would only delete the headers and not securely delete all of the data. With IE, you can enforce a GPO that tells the browser not to cache data retrieved over HTTPS; but this assumes that HTTPS is used for internally connected systems (oftentimes they aren't), and it assumes the user is using Windows in an Active Directory environment.

The other thing is policy. I work in an organization developing policy surrounding HIPAA data and I can tell you that it's significantly easier to have a global, all-encompassing policy than it is to separate out what data should and SHOULDN'T be copied off of the server. If a user has read rights they have the rights to copy data to their HDD. So we treat all systems, even ones not directly involved in dealing with HIPAA data, the same. It makes it much easier to say with certainty that appropriate security measures have been applied.

Re:Should not be on there in the first place, at a (0)

Anonymous Coward | about 2 years ago | (#42515885)

There is also the need for datasets to be analysed by Claims and Finance for trends. In some cases Claims needs to know which/what are the top areas and why/how much they are paying out or expecting income from. [I work for a healthplan. You will not believe how much data analysis takes place... mainly for 1 reason, reduce costs/improve bottom line.]

First kill the weak (1)

hyades1 (1149581) | about 2 years ago | (#42514485)

This is just a case of following the good old, tried and true tax department/RIAA solution. You go after the small, weak, vulnerable targets. The big ones are likely to defend themselves with armies of lawyers and keep your sorry ass in court for the next hundred years.

Basically, it's much easier and safer to kick a dog with no teeth.

This is why Chromebooks are #1 on Amazon (1)

fsterman (519061) | about 2 years ago | (#42514511)

If there is a definition of cloud computing, it's the abstraction of administration. Managers at a hospice in Idaho are not qualified to make IT decisions about encryption. Even Microsoft's cloud is more secure than what they can put together : ) Combine bio-authentication with a website white list and you eliminate all passive/opportunistic attacks.

cloud computing needs a good data plan and coverag (1)

Joe_Dragon (2206452) | about 2 years ago | (#42515267)

Cloud computing needs a good data plan and coverage. Based on needs and how the cloud is set up (something on live like) it will need a lot more than a 5GB cap, and say $10 a gig after 5GB can add up very fast.

Portablity? (1)

elkto (558121) | about 2 years ago | (#42514573)

Part of HIPAA was to address information portability. While it may be better, patient information portability is painfully lacking. When will this be addressed with the same gusto as the privacy portion?

So they already failed an audit and ignored that (1)

gelfling (6534) | about 2 years ago | (#42514741)

Any HIPAA audit would have found just that deficiency.

It's who you know... (0)

Anonymous Coward | about 2 years ago | (#42515843)

That's why the big boys can just bribe the investigator to shove it under the table....

Yeah... you... Humana, Arcadian, Kaiser.... I know of instances where each of you got away with it..

Shit software (5, Interesting)

Jarno Hams (1362467) | about 2 years ago | (#42516027)

I am going to assume the hospice is in a similar boat to us... and I will explain how it's not as simple as the wand wavers above try to make it sound. I'm essentially the brat mentioned above. Small practice with about 7 providers and about 50 machines... Probably 50/50 desktops and laptops. We use a shitbox EHR that was shoved down our throats because our old vendor sold the code to the highest bidder to acquire clients. Me and 3,000 other clients are stuck with a "new" shit product, $100,000 in debt and India to call for "support". We don't have $22k for one line of SQL code. The EHR requires local users to be admins. Mind blowing. A GPO restriction against data on the local machine renders the box useless. No matter how many learning moments, hand slaps and write-ups you have, users will never understand the difference between My Documents and the shared network drive where stuff is supposed to go. Ironically, doctors are the worst. I wrote hundreds of pages of HIPAA policy and then tried to figure out how to encrypt and secure 50 XP machines running on aging Dell 2350s/3000s and D510s. The state HIPAA auditor says we need essentially another $100,000 worth of new stuff and encryption. There is zero IT budget. I just yanked all the drives and am PXE booting Thinstation to a terminal session. In the follow-up, the auditor agreed it satisfies the encryption issue 100%, and she had never heard of that or seen it done but applauded me. There are thousands of offices just like me who have no budget and are already drowning in debt from the non-free software rapists. The number one argument you will get from the business owners is no budget. Dwindling reimbursements coupled with exponentially expensive responsibilities like this article make for a rough combo. I feel bad for the chaps in bumblefuck, Idaho. They are probably barely scraping by, then this...
I'd pitch the same solution I used that passed the HIPAA audit to any of these other offices out there you might find who need help but can't afford anything else. Pass it on. /$.02