- Electronic health data has been the cause of considerable discussion throughout the healthcare industry. As more health information is stored on electronic platforms, that information is increasingly exposed to the potential threat of a healthcare data breach.
Although there are several precautions healthcare organizations should be employing such as specified data sharing protocol, vigilant employees, and physical barriers between potential thieves and data, there is always more an organization can do to protect itself.
For example, several healthcare organizations are encrypting their electronic PHI (ePHI) to protect it from hackers or those who steal their laptops, tablets, or other devices.
But to what extent can encrypting data on these devices work? How effective can they truly be in preventing a healthcare data breach? Below are a few stories where proper encryption could have potentially saved healthcare organizations from mitigating a healthcare data breach.
What is data encryption?
First it is important to establish what data encryption is and the federally-mandated protocol behind the safeguard.
Generally speaking, data encryption utilizes an algorithm that will code the information. Only given the proper encryption key will someone be able to decode the information.
Encryption is a part of the HIPAA Privacy Rule’s guidelines for rendering information unreadable or unusable.
“Electronic PHI has been encrypted as specified in the HIPAA Security Rule by ‘the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key,’” the Department of Health and Human Services explains.
Although such efforts qualify as meeting HIPAA’s guidelines for rendering information unreadable, it is important to note that encryption is viewed as an “addressable” protocol rather than as a requirement.
This is because each organization has very different needs. In order to best concentrate efforts on the appropriate area, HIPAA allows organizations to choose how they implement data encryption.
Unencrypted data in motion
There are two kinds of data that are relevant to encrypting information. First is data in motion. This is data that is being sent from one individual or device to another, either by secure direct message or email.
When transferring information across either of those venues, it is important to use special data encryption methods. If an organization does not properly encrypt data in motion, the message may be intercepted in cyberspace and a thief may use the information stored in the message.
The North Carolina Department of Health and Human Services (DHHS) has been handling such incidents in recent months.
In August and September of this year, DHHS discovered that emails containing health information had been sent with improper encryption. Although during both incidents the agency had no reason to believe that the emails had been intercepted or any of the health information breached, these incidents still highlighted the critical need to properly encrypt data in motion.
Had the emails been intercepted, over 2 thousand patients’ health information may have been breached, leaving those patients vulnerable to identity thefts or other adverse situations.
Lost and stolen unencrypted devices
It is also important for organizations to encrypt data at rest, or data that is simply being stored on an electronic device and not being sent elsewhere. This prevents those who may steal electronic devices from being able to access the information stored on such devices.
Often, these kinds of devices contain massive amounts of health information. Physicians may store patient spreadsheets, medical files, or other information for all of their patients. Some of the stored information may even date back to many years ago. If devices that store such information are stolen, it is important that thieves are unable to access this overload of valuable patient information.
Akron Children’s Hospital had to learn the hard way the importance of encrypting data at rest. Earlier this year the hospital experienced a health data breach after it discovered that a device containing patient transport information from between September 2014 to June 2015 had been misplaced or stolen. This incident potentially affected over 7,000 children.
In the aftermath of the data breach, the hospital stated that it was going to implement new safeguards to ensure that health information stored on electronic devices is not accessible in the unfortunate event that an incident like this occur again. Going forward, the hospital will reportedly encrypt all of its electronic devices which store health information.
Data encryption and BYOD strategies
In light of bring your own device (BYOD) policies, it is becoming increasingly important for organizations to implement adequate data encryption efforts.
BYOD policies host both data in motion and data at rest. This is because providers are able to store some patient information on their personal devices which they use throughout the facility, and they are able to securely message one another using these devices.
Therefore, hospitals with BYOD policies should require proper encryption efforts for both data in motion and data at rest.
This is easier said than done. When working with hospital-owned mobile devices, providers must use data security software because the device is not their property. However, when allowed to use their own property, it is more difficult to regulate the security on the devices.
By creating a prescriptive BYOD policy guideline, however, providers will be given specific instructions on how to maintain security on their devices. Explaining the rationale behind such guidelines as well as potential consequences for not following the guidelines will reinforce the importance of adopting proper encryption measures.
Because the health IT industry is multifaceted, there is no one overarching resolution to data security issues. Data encryption is only one piece of the data security puzzle. However, by thoroughly employing data encryption, providers can add one additional layer of security that can potentially make a world of difference in the face of health data security threats.