Wednesday, November 21, 2012

HIPAA and reverse incentives

Last week I visited ISA New England's November member meeting, and one of the talks was by Karen Borton about HIPAA. It was a really good walk-through of a complex subject.

Major HIPAA breaches (500+ affected individuals) are published by the NHS on their website. If you look at the list, you can see that most breaches are still of the "forgot laptop on the bus" kind. Is this because that is the most common attack vector, or just because that kind of incident is easy to discover?

Most companies that are covered entities do encrypt all laptops, so that a lost laptop does not result in a potential breach and a notification, but it is still quite uncommon for all PII and PHI to be encrypted at rest. In contrast, it is quite common for the same companies to encrypt credit card data, since PCI more or less requires encryption.

In one recent breach, the state of South Carolina's PII was stolen along with credit card data. The end result was that PII will now be encrypted within the organization.

Given the current state of regulation, perhaps it takes an attack on that specific organization to raise executive awareness enough to actually start moving on this issue? On the other hand, the laptop encryption issue clearly did get noticed and acted on throughout the industry, so perhaps there is still hope.

1 comment:

  1. Thanks for posting it. HIPAA, group family health insurance coverage typically may not charge similarly situated people different rates or contributions based on a wellness factor. Strategic Analysis