Thursday, September 29, 2011

Hard Drive Theft Prompts Insurer to Spend $6M, Encrypt ‘Data at Rest’

Reprinted from REPORT ON PATIENT PRIVACY, the industry's #1 source of timely news and business strategies for safeguarding patient privacy and data security.
September 2011 Volume 11 Issue 9
After thieves stole 57 hard drives containing information on about 1 million of its members, Tennessee BlueCross BlueShield resolved that a similar incident — and subsequent cleanup — would never happen again. The insurer recently announced that it has spent about $6 million encrypting all of its data at rest.
While encryption is not required, the HITECH Act made it a safe harbor for covered entities (CEs) and business associates under the security breach notification provision. Privacy and security experts view this provision as an implicit mandate for encryption (RPP 5/10, p. 6).
HHS released guidance on April 17, 2009, on making patient data unusable, unreadable or indecipherable to unauthorized users and defined the states in which data can exist: in motion, at rest, in use and disposed. The guidance also gave CEs two choices for safeguarding it: encryption or destruction (RPP 7/09, p. 5).
The plan to encrypt its data in all of the states had become “more of a philosophy” at BlueCross BlueShield of Tennessee, says Michael Lawley, vice president of technology shared services. The insurer had planned to adopt encryption as the technologies became available. The company had already encrypted its laptops and mainframes. “Those techs were already robust and had been tested,” Lawley tells RPP.
After the theft occurred in October 2009, Lawley says the company kicked into high gear and not only reviewed all of its policies and procedures, but also began a meticulous inventory of all the places where data reside in the organization. They took a “maniacal approach” to the task because “we wanted to make sure that we didn’t go through this journey and then have to repeat it,” he says.
The insurer spent $6 million, 5,000 man-hours and just over a year to encrypt all of its data at rest, including 885 terabytes of mass data storage, 1,000 server hard drives, 6,000 desktop and laptop computers (including removable media ports), 25,000 phone call recordings and 136,000 volumes of backup tape.
Lawley notes that, while they were conducting the inventory, they didn’t come across anything he would call a “bad practice” being conducted by one or more employees. But, he says, they “discovered a few locations where data sat that we had not originally considered, which slightly increased the scale and scope of the project.” For example, the company has a machine for special printing projects that was not encrypted. Another area was multifunctional devices for printers. “The information doesn’t sit there for long, but it is data at rest,” he says.
The theft seems to have been a psychological blow to the company. “Our business is built primarily off of trust, so our very first reaction was concern that it would do damage to the trust relationship with our customers,” says Lawley.
While other CEs drag their feet when it comes to encryption and complain about the cost, Lawley says it was worth the investment to regain their members’ trust. He also points out that the breach and the resulting notification process cost the company about $10 million. So encryption is “insurance for an insurance company.”
Lawley says he reached out to multiple organizations in the information technology industry to try to find another CE he could talk to and find out how they had handled their encryption process. He says he never found anyone, but adds that they might just not have made the project public knowledge.
He says the Blues plan decided to be open about the project because “we want people to learn what we went through, to share our experience. We are being very transparent; we have rebuilt the trust.”
