IU experts: Encryption crucial step in protecting patient records

  • March 16, 2016

Editor's note: This story from The Bloomington Herald-Times is being published here as a courtesy for readers of IU in the News.

By Lauren Slavin

With no evidence to suggest that stolen Premier Healthcare patient data was accessed by hackers, should more than 200,000 patients worry that their medical records, and in some cases financial information, are still vulnerable?

Indiana University cybersecurity experts said that the patient information stored on Premier’s computers should have been encrypted — a step beyond password protection. But more likely than not, those individuals who received letters stating that their demographic, medical and financial information were part of a potential data breach don’t have much to fear.

“If you’ve got personal data on a machine, you should have it encrypted, especially if you have patient records on the machine,” said Fred Cate, senior fellow at Indiana University’s Center for Applied Cybersecurity Research and one of the thousands of Premier patients who recently received a letter from the physician group about the data breach. “It looks like that lesson has been powerfully learned without there being harm to the individuals involved. This could have been much, much worse.”

Premier Healthcare found on Jan. 4 that a laptop from its billing office on South Liberty Drive had been stolen from the locked and alarm-outfitted building, according to a March 3 news release. Premier staff determined that the laptop had been taken on Dec. 31, and filed a police report with the Monroe County Sheriff’s Office at 4:20 p.m. on Jan. 6, Sheriff Brad Swain said.

Between Jan. 6 and the laptop’s return to Premier, no additional police action was taken, Swain said.

The laptop was password protected, according to Premier, but not encrypted. When a computer is password protected, a password needs to be entered before a user can access any of the information or data stored on the computer.

“What that password doesn’t protect you against is if someone were to open that computer up and physically take the hard drive out,” said Von Welch, director of IU’s Center for Applied Cybersecurity Research and a Premier patient who received a letter about the data breach.

Encrypted computers go one step further. If an encrypted computer is stolen, even a hacker who can unlock the machine’s password still won’t be able to see the encrypted data, which is coded into gibberish. An additional, often very long, password must be entered to decrypt the text into a readable format, Cate said.

Encrypted computers are considered safe enough that if a machine with encrypted data is stolen, it is not considered a data breach that needs to be reported to the federal government, according to the U.S. Department of Health and Human Services.

Emails stored on the Premier laptop contained screenshots, spreadsheets and documents including names, addresses, dates of birth, medical record numbers, insurance information and clinical information for 205,748 individuals, according to a Premier news release. Of those individuals, 1,769 patients’ Social Security numbers and financial information potentially could have been accessed on the laptop.

After a data breach that affects more than 500 people, businesses covered by the Health Insurance Portability and Accountability Act are required to notify the secretary of the U.S. Department of Health and Human Services, affected individuals and the media no later than 60 days following the breach.

Premier Healthcare submitted the data breach information to HHS on March 4, according to the information on the breach portal for the U.S. Department of Health and Human Services’ Office for Civil Rights.

On or about March 7, the laptop was returned to Premier’s billing office by U.S. mail. Indianapolis-based security consulting firm Pondurance analyzed the laptop and determined that the machine had not been used since it was taken from the office on Dec. 31.

While “it is still possible somebody could have opened the machine up, taken the hard drive out and imaged the hard drive,” Welch said, both IU cybersecurity experts are skeptical that is what actually happened.

“It’s an odd thing for someone to have stolen it and sent it back,” Welch said. “Their motivations, to be quite honest, are a mystery to me.”

Cate compared the situation to a data breach in 2006 that affected millions of veterans. Computer equipment stolen from the Department of Veterans Affairs containing 26.5 million veterans’ names, birth dates and Social Security numbers was found wiped of any data and information.

The people who stole the equipment wanted the computer, not the data inside, Cate said. He believes the Premier situation was the same.

“This would all suggest the scenario really was the computer was taken and never exploited before it was gotten back,” Cate said.

Premier said in a news release that the physician group now is working to encrypt all of its computers. Welch recommends that individuals who were notified that their medical or financial information was at risk should check their billing information for irregularities.

“People should keep an eye out for bills showing up with medical services they didn’t receive or strange diagnoses appearing on their record,” he said. “It’s always a good idea to do credit monitoring, or even to do a credit freeze.”