TRICARE data breach shows (again) why encryption of removable media is essential

The Department of Defense’s TRICARE program disclosed last week that backup tapes containing medical records on nearly 5 million active-duty and retired military personnel and their dependents were stolen from the car of a contractor who was transporting the tapes. According to spokesmen for TRICARE and the contractor (SAIC) quoted in the media, only some of the personal information included on the tapes had been encrypted prior to backup, and that encryption apparently did not satisfy government standards for the strength of cryptographic modules. More surprising is a statement attributed to a TRICARE spokesman that the military healthcare provider does not have a policy on encryption of backup tapes. The TRICARE Management Authority (TMA) provides a link on its website to a June 2009 memo from DoD Senior Privacy Official Michael Rhodes that issues department-wide policies regarding “Safeguarding Against and Responding to the Breach of Personally Identifiable Information (PII).” This memo, among other provisions, refers to the DoD’s statutory obligations for protecting PII, specifically citing government-wide guidance from OMB in Memorandum M-07-16. This OMB memo, and M-06-16 that preceded it, require all federal agencies to encrypt agency data stored on portable devices, and to use encryption complying with the FIPS 140-2 standard. The language in M-06-16 is even more explicit, directing agencies transporting or storing PII offsite to use encryption both during transport and for storage at the remote site. The DoD also has policies in place requiring that all electronic records containing personally identifiable information be categorized at either the moderate or the high impact level, and mandating encryption at rest (including storage on removable media) for all data categorized as high impact.

Reports of this latest breach often note that the number of individuals potentially affected makes this the largest breach of protected health information since the federal health data breach notification and disclosure rules went into effect in September 2009. Those rules provide an exception for lost, stolen, or otherwise compromised health data that is encrypted, giving healthcare organizations a strong incentive to implement encryption even where it is not required (under the HIPAA Security Rule, encryption of electronic PHI in transit and at rest is “addressable” rather than required). For government entities, however, there seems little basis on which to argue that encryption is optional: even where PHI-specific policies allow for discretionary use of encryption as a security control, agency-level and federal policies on the protection of all personally identifiable information obligate agencies to use encryption for data while in transport.