On Thu, Nov 13, 2014 at 01:56:04PM PST, Bill Bogstad spake thusly:
> I'm not so sure. If the data was encrypted in place (never left his
> systems) then it was never disclosed to inappropriate parties and my
> reading of that link is that this would not be considered a breach.
> Not that this would make me happy as a patient...
There are several issues here:

1. They likely have no assurance (in the form of some sort of network monitoring, bandwidth graph, netflow/sflow, IDS, DLP, or whatever) that the data never left his systems other than "that's how cryptolocker usually works". Whether the bad guys accessed your data in place (and clearly they did access it because they encrypted it) or whether they copied it out en masse is a significant technical difference, but a breach nonetheless. Section 13402 of the HITECH Act (a sort of amendment to the HIPAA rules established years ago) requires a Covered Entity (CE, such as a dentist) to provide notification to affected individuals and to the Secretary of HHS following a discovery of a breach of unsecured Protected Health Information.

2. Not only is data compromise/exfiltration a HIPAA-significant event, but data loss/unavailability is too. It does not necessarily trigger the breach notification rule, but it certainly can trigger HIPAA enforcement action if DHHS becomes aware.

3. The lack of backups is a serious issue regardless of this event. I know they said the backups were encrypted too, but nobody is going to consider those backups if they were online and accessible to the intruders. All CEs must securely back up "retrievable exact copies of electronic protected health information" (45 CFR §164.308(7)(ii)(A)), which they have not done. With regard to the issue of backups alone, they are at the very least likely also in violation of:

   45 CFR §164.308(7)(ii)(B)
   45 CFR §164.308(a)(1)
   45 CFR §164.312(b)(1)
   45 CFR §164.312(b)(2)(i)

   The actual text of these laws can be read here:
   http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf

4. The Security Rule of HIPAA requires organizations to "implement policies and procedures to prevent, detect, contain, and correct security violations," which is spelled out in 45 CFR §164.308(a)(1). This is a broad catch-all which can be used to nail anyone who has a security incident affecting HIPAA-regulated data.

Pardon me for shilling, as I have never mentioned it before in years on this list, but it seems apropos at this point to say that Copilotco publishes a whitepaper on HIPAA compliance which explains HIPAA requirements in a server environment (Linux focused but broadly applicable). Email me if you want a copy.

-- 
Tracy Reed, RHCE
Digital signature attached for your safety.
Copilotco PCI/HIPAA/SOX Compliant Secure Hosting
866-MY-COPILOT x101
http://copilotco.com
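Point 1 above turns on evidence: without flow records or similar telemetry, a CE cannot show that encrypted-in-place data never left the network. The following is an added illustration, not code from the list post or from Copilotco, of the kind of check a defender would run over exported flow records to answer that question after the fact. The CSV layout, the RFC 1918 internal ranges, the per-host baselines and the flow lines themselves are all constructed assumptions for the example; a real investigation would feed in the site's own NetFlow/sFlow export and its own observed baselines.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space (RFC 1918); adjust to the site's real ranges.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed sample flow export (hypothetical traffic, not real data).
# Columns mimic a simplified nfdump-style CSV: timestamp, src, dst, dst port, bytes.
SAMPLE_FLOWS = """ts,src,dst,dport,bytes
2014-11-10T02:01:00,10.0.0.15,198.51.100.7,443,25000000
2014-11-10T02:04:00,10.0.0.15,198.51.100.7,443,30000000
2014-11-10T02:05:00,10.0.0.15,10.0.0.22,445,8000000
2014-11-10T09:15:00,10.0.0.22,203.0.113.9,443,120000
2014-11-10T09:16:00,10.0.0.22,203.0.113.9,443,80000
2014-11-10T09:20:00,203.0.113.9,10.0.0.22,443,500000
"""

# Constructed per-host daily outbound baselines in bytes (what "normal" looked like
# before the incident); a real baseline comes from historical flow data.
BASELINE_OUTBOUND_BYTES = {"10.0.0.15": 1_500_000, "10.0.0.22": 400_000}
DEFAULT_BASELINE_BYTES = 1_000_000  # used for hosts with no recorded baseline


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def outbound_bytes_per_host(flow_csv: str) -> dict:
    """Sum bytes sent by each internal host to external destinations.

    Internal-to-internal flows (e.g. SMB between workstations) and inbound
    flows are ignored: only internal -> external traffic can carry data out.
    """
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv.strip())):
        src, dst = row["src"], row["dst"]
        if is_internal(src) and not is_internal(dst):
            totals[src] += int(row["bytes"])
    return dict(totals)


def flag_exfil_candidates(totals: dict, baselines: dict,
                          factor: int = 10) -> list:
    """Return (host, bytes) pairs whose outbound volume exceeds factor x baseline.

    A large excess over the host's own baseline is the kind of evidence that
    distinguishes "encrypted in place" from "copied out en masse"; the absence
    of any flow data at all is what leaves a CE unable to make that argument.
    """
    flagged = []
    for host, sent in totals.items():
        limit = factor * baselines.get(host, DEFAULT_BASELINE_BYTES)
        if sent > limit:
            flagged.append((host, sent))
    return sorted(flagged, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    totals = outbound_bytes_per_host(SAMPLE_FLOWS)
    for host, sent in flag_exfil_candidates(totals, BASELINE_OUTBOUND_BYTES):
        print(f"{host}: {sent} bytes outbound exceeds 10x baseline")
```

Run against the constructed sample, the file server 10.0.0.15 is flagged (55 MB out to one external host in the early morning, against a 1.5 MB baseline) while the workstation 10.0.0.22 is not. The point is not the threshold but that the check can only be performed if flow records were being kept before the incident; retention of that telemetry is what makes the "never left his systems" claim defensible.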
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/