Save $1,699,900 with Encryption
By Mike Semel
Blog: 4Medapproved.com/HITSecurity
Twitter: @SemelConsulting
A state health department lost an unencrypted hard drive and paid a $1.7 million penalty. The health department would have saved $1,699,900 if it had spent $100 to encrypt the drive. A doctor lost an unencrypted laptop while traveling, resulting in a $1.5 million penalty. $100 could have prevented the breach and the fine.
In July a health care provider lost four unencrypted desktop computers in a burglary and breached four million patient records, including Social Security numbers. They had to notify their patients; are paying for credit monitoring; are being investigated by state and federal authorities, and are facing a class-action lawsuit. The theft would not have been a reportable breach if the computers had been encrypted.
The Meaningful Use Stage 2 certification criteria for Electronic Health Record (EHR) systems require the encryption of EHR data stored on local devices. Under Stage 2, practices and hospitals in the Meaningful Use program will need a risk analysis that specifically addresses the encryption of data.
Encryption is more than protecting data with a password. A password alone is a gate the application checks; the data behind it is still written to disk in readable form, and whoever holds the disk can read it without ever seeing the login screen. Encryption alters the data itself into an unreadable format that can only be opened with an encryption key. It is easy to deploy and, on current hardware, has negligible performance impact. The HIPAA data breach rule makes encryption a “Get-Out-of-Jail-Free” card because a lost encrypted device is not a reportable breach, meaning there are no notification costs or penalties. The exemption applies only if the encryption is consistent with the HHS guidance (NIST-approved methods) and the key was not lost along with the device, so a laptop that was powered on and logged in, or a passphrase taped to the case, does not qualify. This can save you millions of dollars. California has a similar exemption for encrypted data. Encryption is not expensive and is included on smartphones and many business-class laptops. Too bad people aren’t taking advantage of it.
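The difference between a password gate and real encryption is easiest to see on the bytes themselves. The following Go program is an added example, not code from the original article, that writes a constructed (fake) patient record two ways: first as a "password-protected" file whose password check lives in the application while the record sits on disk in the clear, then sealed with AES-256-GCM under a random key. The sample record, the `PasswordGateWrite`/`Encrypt`/`Decrypt`/`Exposed` names and the "search the disk for the SSN" test are all assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed sample record for the example; not real patient data.
var sampleRecord = []byte("MRN 000123; Jane Doe; SSN 123-45-6789; Dx: hypertension")

// PasswordGateWrite models "protecting data with a password": the application
// stores a hash of the password and checks it before displaying the record,
// but the bytes it writes to disk are the plaintext itself. Anyone who pulls
// the drive out of a lost laptop never has to pass the check.
func PasswordGateWrite(record []byte, password string) []byte {
	sum := sha256.Sum256([]byte(password))
	var buf bytes.Buffer
	buf.WriteString("pwhash=" + hex.EncodeToString(sum[:]) + "\n")
	buf.Write(record)
	return buf.Bytes()
}

// NewKey returns a random 256-bit AES key. On a real device this is the secret
// that a TPM, Secure Enclave or password-derived key wraps; it must live
// somewhere other than beside the ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals record under key with AES-256-GCM (authenticated encryption).
// Output layout: nonce || ciphertext || tag.
func Encrypt(key, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, nil), nil
}

// Decrypt reverses Encrypt. A wrong key or any modified byte fails the
// authentication tag and returns an error instead of garbage plaintext.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Exposed is the "lost drive" test: can a sensitive field such as an SSN be
// read straight out of the bytes on disk, no password or key required?
func Exposed(onDisk, secret []byte) bool {
	return bytes.Contains(onDisk, secret)
}

func main() {
	ssn := []byte("123-45-6789")

	gated := PasswordGateWrite(sampleRecord, "correct horse battery staple")
	fmt.Println("password-gated file exposes SSN:", Exposed(gated, ssn))

	key, _ := NewKey()
	sealed, _ := Encrypt(key, sampleRecord)
	fmt.Println("encrypted file exposes SSN:", Exposed(sealed, ssn))

	wrongKey, _ := NewKey()
	_, err := Decrypt(wrongKey, sealed)
	fmt.Println("decrypt with wrong key:", err)

	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the tag
	_, err = Decrypt(key, sealed)
	fmt.Println("decrypt tampered blob:", err)
}
```

The password-gated file fails the lost-drive test while the sealed one passes it, which is the whole basis of the breach-rule exemption. Note that the key is the thing that must stay off the lost device: full-disk encryption products get this right by keeping the key wrapped by a TPM or a user passphrase, which is why a laptop lost while powered on and unlocked is a different story.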
The exemptions alone are not working, judging by the number of patient records breached every year. The California Attorney General’s 2012 Data Breach Report says that the exemption for encrypted devices is not preventing enough data breaches and should be replaced with legislation requiring that all data protected by the state (not just healthcare information) be encrypted.
After the recent NSA surveillance disclosures both Google and Yahoo! announced that they will be encrypting data traffic between their data centers. This is a strong message to healthcare providers, payers, and business associates to take a hard look at encrypting all devices that store patient data.
With states, Meaningful Use, and large corporations embracing encryption to protect data, and the costs of encryption coming down, it will be a lot harder for a medical practice or business associate to justify the loss of unencrypted patient data.
The best ways to protect your practice are to identify the location of all patient data, remove it from as many devices as possible, and have an IT professional encrypt every device that must still store it, keeping the recovery keys somewhere they cannot be lost or stolen along with the device. Encryption costs a lot less than a data breach.