C. J. Kelly

A Day in the Life of an Information Security Officer

Employee fired for a data breach?

"Four lose jobs after data breach at Oregon health care facility -- Providence Home Services says it has new data integrity procedures in place." I don't get it. Someone was fired for doing his or her job? Taking backup tapes home has been a practice since the beginning of time for Systems Administrators. I've done it myself and here's why. Sending tapes offsite to a company like Iron Mountain is a great idea. Getting those tapes back can sometimes be time consuming. Taking tapes home means you can get your hands on the data in a very quick time frame and get an organization back online in short order. Yes, there are other things to consider, like having the right hardware at your disposal. I knew a guy who set up an entire working team in his basement with a server, a dozen computers, a switch, and a high speed Internet connection. The agility of this employee saved the company from certain downtime and unhappy customers. He kept the ball rolling because he had the data and the know-how.

I don't know the whole story here and it's not apparent from Providence Home Services' news releases what really happened. Sounds like someone got fired and three others quit, probably in protest and in support of the terminated employee. How did that solve the data security process problem?

From a security perspective, data should be encrypted with the strongest possible encryption while in transit, at rest, and in storage. Where the data "lives" should not be the biggest concern. What can be done with the data if stolen is the real issue.

What People Are Saying

I'm sorry, I have heard way

I'm sorry, I have heard way too many stories like this. I feel sorry for the guy who lost his job but....

Bottom line: HIPAA suggests that PHI data be protected. HIPAA is so vague in this requirement as to be useless. Section 1173(d)(1)(A), The Secretary shall adopt security standards that take into account technical issues, cost issues, training issues, audit, and let's throw in waivers for everybody who can’t afford HIPAA. That being said, Section 1173(d)(2)(B) states that we must protect against any reasonably anticipated threats or hazards to the security or integrity of the information. Um…. so … what are we to take from this? It is left to policy and standards adopted by the organization that may or may not adequately protect our PHI. There needs to be a set of minimum required standards for the industry.

And furthermore, I have a hard time believing that anybody has a car trunk or basement that provides appropriate physical security to adequately protect PHI data. Is it not reasonable to assume that in any urban environment that some time your car could be stolen or broken into? Your house be broken into? Isn't this why we lock them? This same kind of story has been circulated so many times you would think that storing tapes in your trunk or basement would be a well known security faux pas. Now that being said, Section 1173(d)(1)(A) calls out cost as a factor. If I can’t afford offsite storage… well I’ll save a few bucks and throw it in my trunk.

And please, the argument for rapid turn around is empty. If your data is so critical that you need a rapid turn around, invest in the capability to make that happen. If it is that critical, you surely can’t afford to lose it to a thug breaking into your car and stealing the tape. And further furthermore, the lack of encryption was only a small part of the failure. If I own your encrypted tape, there is a distinct possibility that I will own your data depending on what algorithms were used to encrypt. Physical possession is the key (pun intended). Encryption is one element in a sound plan to protect your critical data.

No, the failure is multi level and starts at the top. Money needs to be supplied to build useful policy and standards including a valid DRP, buy the components of a useful disaster recovery capability, and train the staff in acceptable security practices and in how to implement the DRP.

Whew…. That rant was much longer than intended.

I was one of the ones who

I was one of the ones who wrote, and got published, a letter in The Oregonian (the daily paper in Portland) concerning this. I also know someone who had personal medical data on those tapes and got letters from Providence. I also work as the chief technician for my employer and I have had my car broken into several times and company laptops stolen, and I live in Portland OR.

In my case I have always deliberately carried the crummiest laptops I could get, precisely because I only need to carry a laptop to jack into serial ports on equipment, and it is too easy to break them, especially when you're trying to do service in a cramped phone closet. So while my hardware was stolen no important data was lost, and I just ended up replacing the window myself, $20 from a wrecker, and buying another $5 laptop from FreeGeek. Big deal, that is life in the big city, folks. Get used to it. Thieves are all over the place; one of the times my car window was smashed in, it was in broad daylight in the middle of the day when I had walked 50 feet away from it into a customer building to simply drop an item off.

And if you think a data storage service is any better, think again. One time the mailman was purse-snatched 10 feet in front of our door, the thief got the entire mailbag full of mail for 10 or 20 businesses in the area. If they would do that, they would nail a backup tape courier just for the raw tape media.

I think it is important to establish that the failure here was the decision of the hospital to NOT use encryption on patient data. HIPAA regulations pretty much require this and have for some time, plenty of time before this data was stolen. The local paper also indicated that the employee had been told by his superiors that the patient data was encrypted, and he stated this on the police report. Providence has apparently done a lot of work to try to keep the names of the people out of the press - the local paper did print the tech's name at first, when it first happened, but has since not done so. So quite obviously, the high up muckety-mucks at Providence knew they screwed up and were caught trying to cover it up.

I really hope that the hospital CEO did the right thing and fired the CIO or whoever was responsible, rather than the underlings. I also think the people expressing outrage over the "backup practice" need to shut up. Remember, the employee was told the backup data was encrypted, and he did not have a decryption key for it. Sure, he probably lost a couple of $150 high capacity data tapes, but almost certainly he had to pay out of pocket for the smashed window on his car because he certainly had an insurance deductible. If the data had been encrypted then this would have been a complete non-issue.

If the employee followed

If the employee followed written policy, he should not have been fired. If the policy stated that you shouldn't leave the tapes and disks IN YOUR CAR OVERNIGHT, then they did the right thing. And I wouldn't be surprised if the others who resigned were somehow responsible for that ridiculous backup strategy. Maybe it works for a small business, but for a huge healthcare system? Get real.

With all the tapes that go

With all the tapes that go "Missing in Transit", this would be the safest backup strategy. (As long as your car doesn't get broken into)

Sounds to me like this is a

Sounds to me like this is a cover story for a corporation that does not encrypt their back-up tapes (isn't this what got BofA in trouble?) If the tapes were encrypted like they should have been, why is this even an issue?