Why Using Encryption is Not Optional for Healthcare Organizations

By Gene Fry, Compliance Officer and VP of Technology, Scrypt, Inc.
Twitter: @ScryptInc

For HIPAA covered entities and their business associates, keeping health data protected should be a top priority. Failing to do so can have disastrous consequences, not only through the civil and criminal penalties dealt out for breaching HIPAA’s rules, but also through the significant reputational damage that can occur as a result of a data breach; it is easier to replenish finances than it is to regain the trust of patients whose health information has been exposed.

While no organization is entirely immune from the threat of a data breach, there are a number of day-one security processes that should be implemented to reduce the risks. One of the most critical of these is encryption. Put simply, encryption is the process of converting readable information into indecipherable code, whether the data is in transit or in storage.

Yet many healthcare organizations appear to be falling short when it comes to encrypting confidential health information: a recent report suggests that more than 55 percent of compromised health records result from a failure to encrypt data, compared with just 16 percent of breaches in other sectors. It is these frailties, combined with the fact that medical information is worth 10 times more than a credit card number on the black market, that make the healthcare industry an increasingly attractive and lucrative target for cyber criminals.

Addressable, not optional
Considering the potentially severe consequences of a healthcare data breach, one would assume encryption is high on HIPAA’s list of ‘required’ security standards, but it isn’t.

There are three sets of safeguards under HIPAA: Physical, Administrative, and Technical. The latter group is broken down into six standards, and within these there are nine areas that organizations need to implement, each classified as either ‘required’ or ‘addressable’. HHS states, ‘The covered entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework.’

The fact that encryption falls into the ‘addressable’ category is why confusion often arises; to be clear, addressable does not mean optional. By disregarding encryption, organizations leave themselves in a vulnerable position and increase the likelihood of a data breach occurring.

The responsibility of safeguarding patient data is no longer optional for HIPAA covered entities and business associates. Healthcare leaders should place more focus on the threat of data breaches, protect sensitive data through encryption, and ensure staff are properly trained to follow a culture of security.