Will the healthcare industry finally move towards the use of encryption in hospitals and other healthcare facilities to protect vulnerable patient and hospital data? More and more preventable incidents keep occurring that put patient information at risk.
A 2015 data breach study estimated that breaches cost the healthcare industry about $5.6 billion annually. As healthcare moves toward more connected care, the amount of data exchanged between organizations will only grow. This is exacerbated by more consumers entering the market because of healthcare reform and the frequency with which patients need to exchange information among numerous providers. This area is a rich target for anyone intent on stealing protected health information (PHI) for financial gain. Data breaches are already happening. So what does this mean?
It means that in 2016, we’re going to see a huge movement towards encryption in hospitals and other healthcare facilities. According to a 2014 Healthcare Breach Report, 68 percent of all healthcare data breaches since 2010 are due to device theft or loss. The headlines make it appear that hackers are attacking databases, but the reality is most of the problems are from unstructured content inside documents. And those documents are not encrypted. Encrypting data is vital to protecting patient information. This is no longer an option, but a requirement.
A recent example of the problem occurred at Centene Corporation in St. Louis, MO. On January 25, 2016, Centene announced that it had lost or misplaced six hard drives with personal information of about 950,000 people. Information on the hard drives included names, addresses, dates of birth, Social Security numbers, member ID numbers and health information. The company did not specify whether the data on the hard drives was encrypted, but I assume it wasn’t, or this would not be considered a data breach event.
Another example was a missing storage device at Indiana University Health Arnett in late 2015. The device held PHI of about 30,000 people. This was the second data breach at IU Health Arnett in two years: the organization lost a laptop with patient data in 2013.
If hackers and other criminals have access to this information, it is easy for them to conduct phishing attacks that target patient accounts and to commit fraud. It also invites blackmail and access to bank accounts.
Both healthcare organizations said they are reviewing procedures, security and training to ensure these incidents don’t recur. It looks like it isn’t working. No matter how hard we try to educate people, things happen. We make mistakes and data breaches are the result.
The only way to stop this problem is to encrypt the sensitive data as it is created. This eliminates the human element. If the data had been encrypted in each of these cases, there would have been no data breach event. Under the HIPAA rules, if PHI is rendered unusable, unreadable, or indecipherable, a data breach notification is not required. According to the rules:
The guidance specifies encryption and destruction as the technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals.
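As an added illustration of what "encrypt the data as it is created" means in practice (example code written for this page, not code from the original post), the Go program below seals a constructed patient record with AES-256-GCM before it is stored, binding the record ID as associated data. The stored bytes expose none of the fields, and a wrong key, a wrong record ID or a single modified byte is rejected, which is what makes a lost drive holding such blobs unreadable. The field values, the "MBR-0001" record ID and the fixed demo key are constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// aeadFor builds an AES-256-GCM AEAD from a 32-byte key.
func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals a record at creation; the record ID is bound as AAD.
func EncryptRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte("phi:"+recordID)), nil // nonce || ct || tag
}

// DecryptRecord: a wrong key, wrong record ID or any modified byte fails the tag check.
func DecryptRecord(key []byte, recordID string, stored []byte) ([]byte, error) {
	gcm, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(stored) < n {
		return nil, errors.New("stored blob too short")
	}
	return gcm.Open(nil, stored[:n], stored[n:], []byte("phi:"+recordID))
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key; real keys live in a KMS/HSM, never on the same drive
	blob, _ := EncryptRecord(key, "MBR-0001", []byte("Jane Doe,1970-01-01,SSN 000-00-0000"))
	fmt.Printf("%d bytes stored; no field readable without the key: %x\n", len(blob), blob[:8])
}
```

The key must be kept apart from the storage it protects; a drive that carries both the blobs and the key is as exposed as an unencrypted one.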
Security breaches will occur, so it’s best to implement technology that protects you, your patients and employees. Strong encryption with dynamic security policies is the only way to prevent HIPAA violations.