Encryption is an imperative security measure for all healthcare organizations; however, many have yet to adopt it because HIPAA doesn't enforce any sort of encryption standard for protected health information (PHI). Instead, the HIPAA Security Rule classifies data encryption as “addressable” rather than “required,” meaning each organization is left to decide whether implementation would be reasonable and appropriate. Leaving a critical security measure like this up to interpretation and discretion does not give patient privacy the priority it deserves. It leaves a dangerous opening for hackers, who can easily intercept personal data being sent to a facility or stored on unprotected servers and devices. Because PHI is frequently stored and transmitted in electronic format, the inherent security risks that come along with that must be addressed.
Kirk Nahra, an attorney that specializes in privacy and information security issues, recently weighed in on the debate for revising the HIPAA Security Rule. His stance is that changes are not needed because of the way it was written in the first place. He argues that because it’s very process-oriented, requiring organizations to conduct ongoing assessments to evaluate their level of risk and adjust accordingly, it allows them to constantly evolve along with changes in technology and the threat landscape. The problem is, that doesn’t seem to be happening – or, if it is, not at an adequate pace or scale. There are still many healthcare organizations that have avoided the implementation of encryption because it is time-consuming, complex, and expensive. For small practices, the cost alone is enough to put it off in the hopes that they won’t suffer a breach. And without real consequences, it stands to reason that organizations will continue to avoid the problem, and in doing so, put their patients at risk.
Other industry leaders take the opposite approach. “Any identifying information relevant to a patient…should be encrypted,” said David Kibbe, the CEO of a nonprofit focused on the secure electronic exchange of PHI. What he’s saying makes a lot of sense. The primary risks for patient data are loss and theft, and the consequences of both are much less severe when proper encryption is in use. With that in mind, healthcare organizations and CIOs alike should not delay their efforts to protect patient data by using encryption and ensuring that the level of encryption conforms to industry standards. This will not only safeguard their patients but also better protect their business. In fact, preparing for data breaches by implementing encryption can prevent costly and damaging lawsuits.
The number of lawsuits related to protected health information has grown significantly in recent years. This is likely the result of increasing security threats that health organizations face, as patient data has become so valuable. One might think this would compel these organizations to take the necessary, albeit cumbersome, steps to protect themselves and their patients, but instead, it appears that most are resigned to vulnerability.
A judge in the Massachusetts Superior Court recently ruled that a plaintiff had the right to sue a health system for a medical records breach. In essence, the outcome of the Walker et al. v. Boston Medical Center Corp. case means that when a medical institution exposes private data, even if that exposure doesn’t result in any actual harm to the patient(s), it should still be held accountable. Therefore, the mere potential for injury allows an individual to sue.
In another case, the UCLA Health System suffered a data breach in July 2015 and is now facing a class action lawsuit as a result of being hacked. Perhaps serious financial implications are needed to spur organizations into action.
Business associates cannot be left out of the equation either. A dental software vendor was fined $250,000 by the Federal Trade Commission due to false advertisements about the level of encryption they provided to their customers. The company used insufficient methods for protecting patient data, well below the recommended industry standard as set out by the National Institute of Standards and Technology, and made “deceptive claims” about the software’s capabilities. This should serve as a cautionary tale to healthcare organizations so that they don’t rely solely on a vendor to meet their security requirements.
The bottom line: healthcare organizations must implement a robust risk management strategy that focuses heavily on data security in order to protect their patients. A core tenet of risk management is limiting damages from events that are preventable. That’s not to say that all risks can be eliminated entirely, but there should always be a plan in place to minimize and respond to any cybersecurity failures. Security technology, including data encryption, is just one component of enterprise-level risk management, but an extremely important one.