Healthcare and IT experts convened on Capitol Hill this week to warn Congress that as healthcare organizations are increasing the use of electronic medical records in light of federal mandates, they are not protecting these records within the database and elsewhere. Security professionals agree that in order for the public to trust these records, healthcare organizations need to start working on database security best practices -- the same first-order practices that any organization with minimal security should start with to shore up sensitive data stores.

"Simply stated, the effort to promote widespread adoption and use of health IT to improve individual and population health will fail if the public does not trust it," said Deven McGraw, director of the Health Privacy Project for the Center for Democracy, in testimony to the Senate Committee on the Judiciary Subcommittee on Privacy, Technology and the Law (PDF) this week.

According to McGraw, even with certain safe harbor incentives in place for organizations to be exempt from costly breach notifications if exposed data is encrypted, statistics show that healthcare organizations are still not encrypting their data.

"The new breach notification provisions of HITECH provide an incentive for health care providers to encrypt health information using standards approved by the National Institute of Standards and Technology (NIST)," he said. "But we know from the statistics on breaches that have occurred since the notification provisions went into effect in 2009 that the health care industry appears to be rarely encrypting data."

Todd Thiemann, senior director of product marketing at encryption vendor Vormetric, says his experiences corroborate what McGraw's seen.

"From what we've seen, you have a lot of data out there that government programs are tempting healthcare organizations to turn into electronic records from paper records, and a lot of institutions are still grappling with how to secure that stuff," he says. "The push for electronic medical records is this new wave crashing on the shore that they're dealing with."

As McGraw explained in his testimony, there has been no comprehensive study of why healthcare hasn't embraced encryption, but Thiemann has his hunches.

"There's some legacy perception that security measures like encryption might be performance-intensive on the technology side, but the reality has changed significantly over what the perception is in recent years," he say.

But according to Slavik Markovich, vice president and chief technology officer of database security for McAfee, the lack of encryption within the database and unstructured files isn't a perception problem about encryption per se -- but about security, in general.

"Security within healthcare lags a lot behind other industries," he says. "I'm not only talking about lack of encryption, but basically having no security tools whatsoever, not monitoring networks, not monitoring the databases, and so on. Plus many of their systems are very old and hard to change, and they're interconnected so everyone is afraid of touching them." In order to get over that hump, healthcare organizations need to start at the same place as any organization with little to no security: understanding where the sensitive data resides.

"Best practices start with understanding where that sensitive data is because it might not be that everything needs to be secured -- it might be that some subset of the data needs it," Thiemann says. "You need to know what needs security and who needs to use that data so you can put appropriate controls on that data, both securing it with encryption and monitoring who is accessing it so you have some control over what's going on."

Not only do you need to know where the data is, but you also need to know whether the databases storing it are configured properly, Markovich adds.

"What is your security posture? You have to know whether they're missing patches or configured correctly to prevent vulnerabilities from exposing data," he says.

While he agrees with Thiemann that both encryption and monitoring play an important role in establishing solid security within any database security program, he believes immature organizations, such as the healthcare organizations under scrutiny by policy makers at the moment, could do well to first start with monitoring and then think about encryption.

"Encryption is very important, but from my experience it is hard to do right. I would say that monitoring is easier to implement and may be where you should start," he says. Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.