Organizations Consider Expanded Use of Encryption
The recent hackings of health insurers Anthem and Premera Blue Cross exposed the sensitive data of tens of millions of people. These incidents exemplify just how insecure protected health information (PHI) is, even two decades after the implementation date of the HIPAA Security Rule, intended to protect sensitive patient information from exposure.
The hacks are more maddening because one of the best defenses against them is widely known-encryption. Both payers acknowledged that the data accessed wasn't protected by encryption.
Encryption is commonly used in healthcare, in some situations. For example, it is standard practice to encrypt PHI being transmitted between organizations or individuals. Encryption is also typically used to protect data on mobile media, such as USB drives, tablets and laptops.
But it's not common to encrypt data that's "at rest"-residing in electronic health records systems, insurance membership databases and a range of other information systems used almost constantly. That's because encryption slows processing systems-it takes time for encrypted data to be decrypted for a user, then re-encrypted when that user is done with it.
But with the advent of sophisticated hacks, such as those at Anthem and Premera, the tradeoff of data protection for processing speed is being called into question. At the same time, providers worry about the impact that much slower processing speeds will have on system usability.
How big an impact?
The extent to which encryption impedes data processing depends partly on the amount of data involved, says Jeremy Molnar, a vice president at CynergisTek, a health information technology security consultancy. That's because encryption works by coding a chunk of data at a time-so if the data can be easily broken down into fragments, the encryption process goes more quickly.
Providers have traditionally not encrypted data at rest in databases, believing the risk of exposure was higher for data being transmitted. Also, many organizations are financially strapped, and they've tried to limit data protection expenses, says Linn Freedman, a privacy and security attorney at Robinson & Cole, a law firm in Providence, R.I. "Now, with significant cyber incidents, the healthcare industry is looking at this in a whole new light," she adds. "The risk management analysis has changed."
Recent events have spurred clients' interest in encryption for data at rest, Freedman says, adding that some companies are moving toward a transitional phase of implementing the technology. Many clients now better understand the need to improve security and want to take action, and others now are more receptive to the idea. "From a risk management and privacy perspective, encryption is the way to go and is becoming a best practice."
Healthcare organizations have hesitated to invest in encryption technology primarily because the cost takes dollars away from patient care, Freedman notes. These types of security costs aren't offset by reimbursement from other organizations or insurers, and it represents a large investment for smaller provider facilities.
But the cost of leaving data at rest unencrypted is starting to mount. For example, Anthem is offering credit and identity theft protection services to about 78.8 million patients; Premera is offering those services to about 11 million, but the damage to consumers from the Premera breach could be worse because more sensitive information was compromised, Premera noted.
Encryption, while not used to protect all healthcare data, is in wide use in other industries. For example, the Payment Card Industry Security Standards Council, an organization that's developed data security standards that govern the storing and processing of debit, credit and other payment card information, requires encryption of Social Security numbers, except for the last four digits. Molnar of CynergisTek wonders why the healthcare industry won't do the same. "There is no reason technologywise that you can't do this. But companies take shortcuts and they end up getting bit."
What puzzles Molnar most is the belief among healthcare organizations that encryption causes performance issues. He believes this fear is overblown, because few stakeholders actually challenge the hypothesis by testing encryption. Concerns about severe performance issues stem from problems encountered with encryption a decade or two ago, when the technology was far less mature, he adds. Today, delays could range from microseconds to a minute or so, "but if you haven't tested, you don't have a rationale," he says.
Industry stakeholders understand their data is at risk, Molnar says, but many still don't realize that almost every organization's systems could be compromised, and they need to take more control over their systems to mitigate the damage. "You have to adjust priorities; hackers have all the time they need to get in, and we don't have all the money to stop them. Know that a breach is likely, and do what you can do to minimize it," he advises.
Houston Methodist, a six-hospital delivery system, encrypts its inpatient and ambulatory EHRs. The organization considers encryption of data at rest to be a necessary safeguard and a cost of doing business, says Nick Desai, DPM, the system's chief medical information officer.
Log-on times for clinicians at Houston Methodist depend on the amount of data being pulled. It ranges from five to 10 seconds at the low end to 10 to 15 seconds on average, which Desai describes as "a generally accepted lag time," to the occasional 30 to 60 seconds, which he notes "isn't optimal." Single-sign-on technology mitigates the delays, and homegrown software enables clinicians to pause a session and continue it in another room or on another floor without having to sign back in. Houston Methodist is transitioning to an electronic health record system from Epic Systems and is building a virtual private network to more quickly encrypt and decrypt data.
As providers and payers start to look at encryption in a new light, Richard Blech, CEO of encryption vendor Secure Channels, suggests they consider this: "The reality is that there may well be no perpetually sustainable way to prevent intrusions, yet there is a way to perpetually prevent PHI theft. Securing data with the highest levels of encryption possible will render stolen data completely useless to the thief.
With advanced and unhackable encryption, the hacker is left with a bunch of useless bits and bytes that can't be deciphered. The alternative is to continue to leave sensitive data readable and thus hackable, leaving organizations and their patients truly vulnerable."
HIPAA doesn't expressly require encryption of data at rest. Use of the technology is "addressable," meaning if an organization does not encrypt, it must justify use of alternative methods for protecting the data, such as secure servers and intrusion-prevention safeguards.
Attacks on the rise
But "secure" servers increasingly are under attack from the outside, because once a sophisticated hacker tricks an IT system user into providing valid credentials to access a server, the gates are open to the organization's data. With the Anthem hack, a systems administrator shared credentials that provided access to the organization's network. And credentials aren't even needed if vulnerable areas of a network are not patched and firewall rules are obsolete.
The hacked Anthem data was stored in a secure environment, but it wasn't encrypted, the payer acknowledged. In a blog posted on the Ars Technica website for IT professionals in February, as the Anthem breach became public knowledge, Steven Bellovin, professor of computer science at Columbia University, noted that the most sensitive databases are always in use, so the data remains unencrypted.
Many of today's electronic health records systems have built-in encryption to protect data at rest, but often that protection goes unused because of concerns that enabling it might hurt system performance, says Brian Evans, a senior managing consultant at IBM Security Services. So similar to the situation at Anthem, EHR systems are constantly in use and holding the most sensitive of personal information, but are effectively unencrypted nearly all the time.
Fewer excuses available
Encryption technology is better, more user-friendly and less expensive than it was five or 10 years ago, but it's still not perfect, says Doug Copley, IT executive and chief information security officer at eight-hospital Beaumont Health, based in Royal Oak, Mich. Encryption, he contends, is not always the best answer. "Implementing encryption adds complexity, which, in many cases, can slow access to information and cause clinicians a delay in patient care."
However, there is no excuse for not encrypting laptops and other removable devices, Copley says. "If you're not encrypting every laptop in your environment, I would consider that negligence. It's easy to do and just a cost of doing business."
Most organizations understand the value of encryption and many want to move to the technology, says Brad Rostolsky, a privacy and security attorney and partner at Reed Smith, a law firm in Philadelphia.
Many providers and insurers agree that encryption is the standard practice needed to ensure data security, and they are trying to move toward it, Rostolsky says. Some are starting by replacing unencrypted laptops coming out of service with encrypted ones. HIPAA requires healthcare covered entities to conduct regular comprehensive risk assessments; addressing vulnerabilities can be done over time, so projects remain economically feasible, he contends. But, he adds, the fear remains that if an organization encrypts its servers, usability will be hampered because the most important data is being accessed all the time. "With servers, there's a challenge to encrypting information that you need [for the system] to be usable."
A doable task
There are ways to speed access to the data, says Mark Hickman, COO at WinMagic, a vendor of full-disk encryption software. Having an encryption layer woven over an entire electronic file is what causes delays, he contends, but delays can be minimized with proper key management, which automatically unlocks files as authentication occurs. Single-sign-on technology also helps accelerate data access.
Hickman offers this illustration-think of key management as a key ring with keys that support role-based rules governing where a user can go and what the user can do in a network. Authentication is quicker when there are fewer user names and passwords to enter because you have keys that unlock the computer, hard drive and various files and folders.
The use of database encryption generally requires some modification of the database schema to accommodate the encrypted data format, says Evans of IBM. As a result, indexing and querying may be affected. But there are ways to ensure any performance hit is negligible, particularly for providers who have encryption embedded in their EHRs.
Providers rarely work closely with their EHR vendors to find the happy medium between performance and protection that makes encryption feasible, Evans says. Providers should fully engage their vendor to help with enabling built-in encryption functionality or evaluating and implementing additional software that can ensure encryption and decryption processes are transparent to users.
The reality, Evans says, is that opposition to encryption often is out of concern it will negatively impact performance. "It boils down to managerial fortitude to make it happen, and with the proper level of IT expertise," he contends.
Further, the cost of encryption isn't that prohibitive, says Hickman of WinMagic. A 10-physician practice can expect to pay $1,200 to $1,300 for an encryption solution; a 200-bed community hospital faces a first-year cost of about $20,000, and about $4,000 a year afterward for support or upgrades. "For that size of hospital, that's not a lot of money," he says.