- Despite its proposed importance to health data security, research shows that data encryption is not as widespread as one might hope.
In a white paper published by Sophos, researchers show that data encryption is not a widespread security tactic across several different industries. In fact, only 44 percent of respondents reported making “extensive use” of data encryption technologies, and only 43 percent report encrypting to some extent.
Of the data security professionals surveyed, those from the United States reported the most data encryption, with a 54 percent rate of data encryption.
Of those encrypting their data, 61 percent report their top reason for doing so was protecting important and sensitive company data. Other reported reasons are protecting personal employee information, legal requirements, general security policies, an awareness of increasing data security breaches, avoiding negative PR in the event of a security breach, and avoiding the costs of a security breach.
If those are the reasons why some companies do encrypt their data, what are the factors that keep others from doing the same?
The survey shows that there are three main barriers keeping companies from encrypting their data.
Thirty-seven percent of respondents state that lack of budget is a barrier, 31 percent have concerns that data encryption will hinder the performance of their devices and drives, and 28 percent have a lack of encryption knowledge.
Nearly one-fifth of respondents claim there is a lack of legal pressure to encrypt data, or that they don’t think encryption is an efficient way to protect sensitive data.
Those organizations that do not encrypt their data – and even some that do – are seeing some gaps in data protection. Nearly one-quarter of customer information and customer financial information falls through the encryption cracks, leaving it liable to a data breach.
This is especially alarming when put into the context of the healthcare industry. Because patients are the customers in the healthcare industry, it is important that all of their PHI be fully protected via encryption to keep that valuable information from falling into malicious hands.
Also concerning for the healthcare industry is the lack of data encryption for mobile devices. Although PCs and servers are typically encrypted, with 66 and 70 percent encryption rates for each respectively, mobile devices are not. According to Sophos, only 29 percent of tablets and smartphones are encrypted, and only 22 percent of wearable devices are encrypted.
Considering the recent surge in mobile device use, these numbers are alarming. In fact, this lack of device security is what is driving down the number of users who would participate in a BYOD program.
According to a Spok survey, 81 percent of healthcare professionals who do not have a BYOD program in place state that it is because of health data security concerns.
In general, this survey highlights a need for an industry movement toward health data encryption. Although HIPAA states that data encryption is an “addressable” concern rather than a requirement, it is clear that more healthcare organizations need to address encryption as a legitimate technical safeguard. A look at recent healthcare data breaches provides other evidence for the need for health data encryption.
In the middle of last year, the North Carolina Department of Health and Human Services (DHHS) experienced two healthcare data breaches as a result of unencrypted data in motion. Unencrypted data in motion is data that is in the process of being sent from one device to another without being encrypted.
In the case of DHHS, emails containing patient health information were sent without proper encryption. Although DHHS reported no reason to believe these emails were intercepted while in motion, this was cause for a healthcare data breach nonetheless. Had the emails been intercepted, over 2,000 patients’ information would have been breached, leaving those patients potentially liable to identity theft.
Additionally, health data encryption is important in protecting devices that may have been lost or stolen.
Throughout 2015, several unencrypted devices were lost or stolen. Akron Children’s Hospital, for example, learned the hard way about the importance of encrypting devices. After a device was reported missing or stolen, the hospital had to handle the potential healthcare data breach concerning the health information for nearly 7,000 children.
Image credit: Sophos