In light of pervasive security threats, why not encrypt everything?
In healthcare, we all know what a breach is. Generally, it’s an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information.
We all know what protected health information is, or at least we should, by this late date. The requirement has been around since 2009: it is personal health information that is not rendered unusable, unreadable or indecipherable.
Further, information released to unauthorized persons may be rendered unusable, unreadable or indecipherable through the use of a technology or methodology specified by the Secretary in guidance, such as encryption for electronic PHI.
I was doing some research for a client recently, which is currently under an OCR investigation for a breach that occurred in 2013. I went to the HHS “Wall of Shame” in mid-March and discovered that there are currently 1,496 reported breaches of more than 500 records; the most recent of those was posted on March 10, 2016.
The sad part of this is that the vast majority of the early breaches came as a result of lost or stolen information, not as a result of hacking incidents, as may be popular suspicion. Admittedly, some of these breaches have involved lost or stolen paper records, but a majority of the incidents were a result of lost or stolen electronic data, contained on laptop computers, tablets, flash drives CD-ROMs, smartphones and the like.
So let’s focus on just the breaches of ePHI. Let’s just agree that at least 50 percent of both the incidents and affected persons were a result of electronic PHI and not lost or stolen paper. The client for which I was working got into hot water because of a stolen laptop that was not encrypted. It happened in 2013, was reported in 2013 and the investigation began in 2015.
So here is the basic question: Since encryption of electronic PHI is the only true safe harbor of protection offered to providers, why not encrypt everything, whether it’s portable or on the desktop? Today, encryption tools are embedded in current operating systems and come with almost every device purchased. Why not use it?
I would guess that if most of the names on the “Wall of Shame” could go back and do things differently, they would jump all over encryption. I know the client with whom I worked sure would.
Whatever the financial and human capital costs to encrypt all electronic devices (and it would not be that great these days), it pales in comparison to the costs of handling a breach, not to mention the imputed value of reputational damage.
As the stakes rise for keeping information secure, the industry needs to re-examine long-held practices—or the lack thereof—to protect patient information. Any cost that offers protection against the damage of a hacker’s cyber attack now appears to be a defensible cost.