The self-encrypting drive you may already own

http://www.zdnet.com/the-self-encrypting-drive-you-may-already-own-7000024797/

 

An of interest quote from that article:

Makes one suspect that HIPAA, and perhaps other regulation, is less strict than it should be. Spotted some questionable things at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html, but don't have the time to try to think things through.

 

I am not okay with this and would like to know what jurisdictions that "safe harbor" rule applies.

If my mind is working right this morning, that says if a notebook with patient data on it is stolen, they (those responsible for keeping the notebook and data secure) do not have to notify the patients if the drive was encrypted.

I don't like it for 3 main reasons. (1) This is all about saving the keeper of the notebook and patient data from embarrassment (and apparent scrutiny) for failing to do their job of protecting patient privacy. This article is all about hiding or covering up their screw-up, and nothing about keeping "us" and our data safe.

(2) It assumes the encryption cannot be broken.

(3) It "appears" to go on the honor system where the keeper can just claim the data was encrypted - they do not have to prove it.

 

Having several clients that are in doctors offices, pediatrician offices, hospitals, etc. HIPAA laws are strict, but audits are few and far between. There is a checklist they offer from the IT standpoint.

http://www.ihs.gov/hipaa/documents/ihs_hipaa_security_checklist.pdf