Stolen TRICARE health records did not meet federal encryption standards

Computer tapes containing health care information on 4.9 million TRICARE beneficiaries stolen from the car of a Science Applications International Corp. employee in San Antonio, Texas, earlier this month were not encrypted in compliance with federal standards, SAIC said.

The Texas TRICARE data theft is the largest health data breach since February 2010, when the Health and Human Services Department began requiring health care organizations to post on a website breaches of health information affecting more than 500 people.

Vernon Guidry, an SAIC spokesman, said in a statement that "some personal information was encrypted prior to being backed up on the tapes." But, he added, "the operating system used by the government facility to perform the backup onto the tape was not capable of encrypting data in a manner that was compliant with the relevant federal standard."

That facility, which Guidry did not identify, "was seeking a compliant encryption solution that would work with the operating system when the backup tapes were taken."

The Health Information Technology for Economic and Clinical Health Act, part of the 2009 American Recovery and Reinvestment Act, requires health care organizations to ensure that patient information in health records is unusable, unreadable, or indecipherable to unauthorized individuals. In August 2009, HHS published an interim rule requiring either encryption or destruction to ensure the security of health records.

That rule cites guidelines developed by the National Institute of Standards and Technology that say federal agencies should encrypt data using the Advanced Encryption Standard, developed by NIST and adopted as a federal standard in 2002.

TRICARE did not respond to queries from Nextgov about the data theft. It is unclear what kind of encryption was used in San Antonio and why it did not adhere to federal standards.

HITECH also requires health care organizations to conduct risk assessments of the security of patient data, and Sean Glynn, marketing vice president for Credant Technologies, a data security firm in Addison, Texas, said such assessments should focus on physical as well as cybersecurity.

Referring to the San Antonio data theft, Glynn said he was surprised that a computer tape containing millions of health records was left in an SAIC employee's vehicle for an entire work day. Glynn said he would suggest using an armored car to transport such a large amount of sensitive data.

Credant provides technology to ensure that backups of health care information cannot be performed without automatic encryption, ensuring enforcement of encryption policies.

Roughly 60 percent of the data breaches posted on the HHS website since 2010 involve the theft or loss of laptops or magnetic media such as thumb drives. Glynn said this indicates that the security of health information is a human issue that requires training and strict enforcement of security policies.
