80 million? Is a breach of protected health information at Anthem for upward of 80 million individuals enough to push America’s healthcare industry and its regulators to get more serious about encryption?

It wasn't so long ago that the HIPAA privacy and security rules were updated, and yet today they are already wildly outdated. We need another rework and soon; the onslaught of organized and sophisticated hacking for profit by criminal enterprises compels it.

These hacks are not new, but the intensity and size of these breaches continue to grow. So far, the Department of Health and Human Services hasn’t made the jump to flat-out mandate encryption of PHI at rest whenever possible--even though it should have done this long ago. Now it really has no choice, but the question remains: Does the industry have the fortitude to enforce such a mandate?

Yes, encryption is expensive, and slows down computers and doctors will yell. And there are times when running the business means data remains in an unencrypted state. In a blog posted at Ars Technica, Steven Bellovin, professor of computer science at Columbia University, contends that the most sensitive databases are always in use so they are effectively decrypted. In these cases, access control must be far more robust than it was at Anthem.

But every type of business has a cost of business, and encryption where possible has to become one of the costs for healthcare. Many years ago, the government made a deal to license the use of SNOMED CT, enabling the industry to use the coding set for free. Not many healthcare organizations took advantage of the freebie, but maybe that is a model the government can use to make encryption more affordable and doable.

Government agencies that regulate other industries also must get far more aggressive on encryption. So many Americans have been affected by breaches in the financial and retail industries, and while those and other industries already have better security than healthcare, the risks faced by the public are still unacceptable.

In healthcare, a ton of work remains to secure PHI and on Feb. 5 it became clear that the industry and government must respond. To fail would imperil industry moves toward accountable care, population health management and value-based reimbursement, all of which require substantial use of PHI.

How do we engage patients and liberally use their PHI for data analysis and other functions if we can’t protect the data? HHS Secretary Sylvia Burwell may have thought there were higher priorities under health reform than encryption and there surely were. But not now.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access