Information Managers

Preventing a Privacy Breach Is Less Expensive Than Managing A Privacy Breach!

Posted on March 4, 2019 by Jean Eaton in Blog

Do you have a privacy breach awareness program in place in your healthcare practice? Spotting a privacy breach is the first step to stopping a privacy breach. You Can Use This Privacy Breach Example to Review and Improve Your Practices.

In May 2018 an employee of the NWT was travelling on business in Ottawa.

The employee left the laptop in a locked vehicle. The laptop was stolen. The employee thought that the laptop had been encrypted; however, in the investigation it was determined that the laptop was not encrypted.

Loss of Control of Health Information

The employee had authorized access to the health information to perform statistical analysis for their job. The employee thought that the laptop was encrypted and that it had a secure password.

Later, when the theft was reported to the NWT Health Department and an internal investigation was conducted, it was determined that the laptop had not been encrypted.

There was a large amount of data on the laptop – an estimated 80% of the NWT's population might be affected by the breach.

Apparently, the laptop has not been recovered.

In 2018, the NWT Privacy Commissioner reported the investigation.

In February 2019, the investigation about the incident is still being reported in the media! The NWT Health Department has provided reams of information about the information that was included in the breach.

This breach was entirely preventable.

Keep this story in mind when you are trying to determine the return on investment to purchase a robust privacy and security management plan for your mobile devices and remote access to health information.

You can pay a little more now and ensure that your devices are securely encrypted with secure access and remote-wipe abilities and privacy awareness training . . . or you can pay over and over again for an investigation and bad publicity that never ends!

Privacy Breaches – What You Need to Know

  1. Preventing a privacy breach from common sources of risk is usually far more cost effective than managing the privacy breach investigation!
  2. Password protection of your laptop, smart phone, or USB device is NOT the same as encryption. Make sure that your mobile devices are encrypted. If you are not sure, find out from a reputable certified IT technician.

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton, Your Practical Privacy Coach


References and Resources

N.W.T. employee dug through planters, trash to find stolen laptop, weeks after privacy training. Priscilla Hwang · CBC News · Posted: Feb 26, 2019   https://www.cbc.ca/news/canada/north/stolen-laptop-nwt-security-details-ottawa-1.5024775 


Privacy Challenge #5 Secure Computer Backup

Posted on October 19, 2015 by Meghan Davenport in Archive

Secure Computer Backup

You know that Joni Mitchell song, Big Yellow Taxi? “Don't it always seem to go that you don't know what you've got til it's gone.”

This couldn't be more true than when your computer crashes. It's a terrible feeling when your software or hardware suddenly doesn't work, or you can't find an important file you know you had last month. This experience can be a speed bump on your busy day, or a nightmare that takes you days and weeks, and a lot of money, to recover.


Stolen Laptop Results in Privacy Breach

Posted on January 25, 2014 by Meghan Davenport in Blog

A laptop with the unencrypted personal health information of 620,000 Albertans was stolen in September of 2013.

The laptop, belonging to an information technology consultant for Medicentres, was stolen on September 26th, and contained the names, dates of birth, provincial health card numbers, billing codes and diagnostic codes of individuals seen at Medicentres between May 2, 2011 and September 10, 2013.

The process of notifying the public was delayed because Medicentres was trying to figure out how to best do it, chief medical officer Dr. Arif Bhimji said.

“…[T]his was the first time ever having to deal with this sort of situation and it took a lot longer than we would have liked it to take.”

Questions are now being asked as to why the consultant had access to so much information, and why the laptop's data was not encrypted.

Privacy Commissioner Jill Clayton is launching an investigation into the event, and the probe will also take a wider look at how privacy breaches are reported in Alberta.

For more information about this privacy breach, visit CBC.ca.

 

Are you concerned about what your organization would do in the event of a privacy breach? Would you know how to handle it? Visit our Training Calendar for more information about an upcoming webinar!


Where is Your Encryption Key?

Posted on December 4, 2013 by Jean Eaton in Blog

Good business practices include having regular backup of your key documents, bookkeeping, website, emails, and databases including your Electronic Medical Record (EMR). If your information is personal or sensitive – to you, your client, or your business – the backup should also be encrypted.

Your backup plan should include a backup of your information in a location separate from the source documents. In case of a catastrophic failure – including bad weather, fire, theft – you can access your key information assets quickly. You could manage the backup yourself or outsource it to a remote backup provider.

So here's the question – where is your encryption key? Your encrypted backup files need a ‘key’ or algorithm to decrypt the files so that you can read and access the information. Have you kept a copy of the encryption key in the same place as your source documents? Or have you kept the key in a separate location – away from the source documents and away from the backup files? Have you recorded in your disaster plan how to retrieve the key?

Carl Young of PlanetCom Inc, an IT solution company in Sherwood Park, AB, reports an increased number of ‘Cryptolocker’ attacks on small businesses, where businesses are being held to ransom to recover their own data. Hackers embed a virus into an email which is opened by the business. The virus encrypts all of the data on the computer network, locking out all authorized users until the hackers are paid to restore the data. The amount of ransom can vary, but is around 1 Bitcoin – which sounds cheap enough, but is actually equivalent to around $1100 USD on the open market.

How can you help yourself? First, make sure that you have regular full backups of your computer network. Routinely run a restoration of your backup so that you are sure that all the information that you need – both the source files and the software applications – is accessible. You can't restore the data unless you have your encryption key!

If your backup is on the same computer network that was hacked – or, perhaps, you back up to an external hard drive device that you keep plugged into the network – you will be locked out of both your source data and your backup.

Carl Young suggests taking these steps to prevent being a victim of ‘Cryptolocker’:

  1. Back up your data regularly
  2. Encrypt your backup (where needed) and keep your encryption key in a separate, secure location known to more than one key person in the business.
  3. Rotate your backup so that at least one full backup is kept remotely from the source data
  4. Be cybersmart – know how to detect email virus / phishing / scams and install good anti-virus software on your network and your mobile devices that connect to your network. See our blog post “What Not to Do – Keep Your Backup Device Plugged In” for more info.
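
The restore test and the separately stored key described above, written out as a shell script. This is an added example, not part of the original post or of PlanetCom's advice; it assumes a Linux host with tar, sha256sum and OpenSSL 1.1.1 or later, and every path in it is hypothetical.

```shell
#!/bin/sh
# Added example: encrypted backup plus a restore drill (not from the original post).
# Assumes Linux with tar, sha256sum and OpenSSL 1.1.1 or later.
# Directory and file names in the usage lines are hypothetical.

# make_backup SRC_DIR KEY_FILE OUT_FILE
# Writes OUT_FILE (AES-256 encrypted tar) and OUT_FILE.sha256 (source checksums).
make_backup() {
    src=$1; key=$2; out=$3
    (cd "$src" && find . -type f -exec sha256sum {} + | sort -k2) > "$out.sha256" || return 1
    tar -C "$src" -cf - . |
        openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$key" -out "$out"
}

# restore_drill BACKUP_FILE KEY_FILE
# Returns 0 only if the backup decrypts with this key, unpacks, and every
# restored file matches the checksum recorded at backup time.
# 2 = key not available, 3 = decryption failed, 4 = archive unreadable,
# 5 = restored files differ from the manifest.
restore_drill() {
    backup=$1; key=$2; status=0
    if [ ! -r "$key" ]; then
        echo "DRILL FAILED: no readable encryption key at $key" >&2
        return 2
    fi
    work=$(mktemp -d) || return 1
    mkdir "$work/data"
    if ! openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$key" \
            -in "$backup" -out "$work/restore.tar" 2>/dev/null; then
        echo "DRILL FAILED: cannot decrypt, wrong or damaged key" >&2; status=3
    elif ! tar -C "$work/data" -xf "$work/restore.tar" 2>/dev/null; then
        echo "DRILL FAILED: decrypted archive is unreadable" >&2; status=4
    elif ! (cd "$work/data" && sha256sum -c --quiet -) \
            < "$backup.sha256" >/dev/null 2>&1; then
        echo "DRILL FAILED: restored files do not match the manifest" >&2; status=5
    fi
    rm -rf "$work"
    return "$status"
}

# Usage (hypothetical paths; the key lives apart from both source and backup):
#   make_backup /srv/clinic /mnt/safe/backup.key /mnt/offsite/full.enc
#   restore_drill /mnt/offsite/full.enc /mnt/safe/backup.key
```

Running the drill on a schedule, from a machine that holds only the offsite copy and the separately stored key, shows whether the key can actually be retrieved before it is needed.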

What Not To Do – keep your backup device plugged in

Posted on January 25, 2013 by Jean Eaton in Blog

An Australian medical center is facing the possibility that its patients’ electronic medical records may be locked away forever after hackers broke into its computer system in December and encrypted the files. The hackers captured a medical centre's data and demanded A$4000 to decrypt the information.

While this incident is rare, it is a good lesson in taking control of your data. Ensure that it is secure. Ensure that your data is securely backed up and is segregated from your computer servers. You must be proactive and monitor your computer network. This may be an appropriate task to outsource to a reputable vendor. Are your plans comprehensive? Is it time for you to schedule your Privacy Practice Review?

See the Technology for Doctors Online story from January 17, 2013, for more information.


Copyright 2020 Information Managers Ltd.