Encryption Shortfalls Plague Healthcare Industry

Health Data Security: Tips And Tools

Healthcare providers should start paying more attention to encryption of personal health information (PHI), says a new report from the Health Information Management and Systems Society (HIMSS). This is not only because of the proliferation of smartphones and other mobile devices, but also because of a provision in the Meaningful Use Stage 2 rule that mentions encryption.

As in MU Stage 1, providers must conduct a security risk analysis. But now they must also "address" the encryption of data stored in their certified EHRs. That doesn't mean they have to encrypt the information on all end-user devices, but they must "implement security updates as necessary and correct identified security deficiencies," the Meaningful Use rule says. So if they don't use encryption, they must document their reasons and explain what alternative security methods they're using, according to the HIMSS paper.

Lisa Gallagher, senior director, privacy and security, for HIMSS, told InformationWeek Healthcare that the Meaningful Use Stage 2 rule's stance on this issue is similar to the requirement in the HIPAA Security Rule of 2003. "By and large, that [HIPAA] requirement has been ignored," she said, perhaps because some providers thought encryption was too difficult. But with the rise of mobile devices and the storage of PHI on many of these devices, she pointed out, it is no longer possible to ignore this regulation.

[ Practice management software keeps the medical office running smoothly. For a closer look at KLAS' top-ranked systems, see 10 Top Medical Practice Management Software Systems. ]

"HHS [the Department of Health and Human Services] noticed that 35%-40% of the breaches being reported were a direct result of a lost or stolen portable or mobile device," Gallagher noted. "In HHS' view, because the data is not encrypted, that's a breach. If the data had been encrypted, that would mean that it wasn't a breach. So the action of encrypting data on a portable or mobile device is a 'safe harbor' from having to report lost data on a device to HHS."

If that isn't enough to spur hospitals and physician practices into action, she added, they must also attest that they have done a security review and have addressed encryption if they want to show Meaningful Use to obtain EHR incentives. "So HHS is using a policy lever to increase the use of encryption."

The HIMSS report notes that the average cost of a lost or stolen record to a healthcare organization is over $200. "So for a breach of 200 records, the impact to the organization of a single lost or stolen laptop is likely to be over $40,000." And that doesn't include legal and regulatory impacts, including potential fines.

Given the severity of the consequences, why don't more healthcare organizations encrypt all their data? "Anecdotally, it's the cost of encryption technology and also a lack of ability to implement it," Gallagher explained. "Many smaller physician offices and community hospitals don't have anyone on staff who knows how to load the software and encrypt data on the network and on portable devices. And until recently, there was no push for it. It was easy to say, 'it's too expensive or too hard.'"

The encryption that comes with Microsoft Windows operating systems is inadequate, partly because smartphones have three different operating platforms, Gallagher pointed out. Moreover, she said, "Two of the three [mobile phone] design centers don't make it especially easy for you."

The best solution would be to avoid having any PHI on end-user devices, she said. But the technical fixes that have been tried so far are far from perfect; for example, many clinicians have problems with virtualized desktop applications that are not well adapted to mobile devices. But Gallagher expressed confidence that vendors will find better solutions if providers demand it.

Meanwhile, encryption is better than the alternatives that are listed in the HIMSS report, such as physical controls, administrative controls, having staff members sign legal agreements, or educating them on the need to protect PHI. But electronic records are not the only data that needs to be safeguarded. Today, copiers, printers, fax machines, digital cameras, and medical devices all store data, too, and represent opportunities for security breaches, the report observes.

Gallagher acknowledges that there's a growing awareness of these chinks in the security armor and attempts to address them, although she notes that "we don't see a whole lot of breaches there." Medical devices, which are increasingly interconnected with EHRs, are an especially complex area. One reason is that medical devices are regulated by the Food and Drug Administration (FDA), which is looking at the security issue from its own angle.

Clinical, patient engagement, and consumer apps promise to re-energize healthcare. Also in the new, all-digital Mobile Power issue of InformationWeek Healthcare: Comparative effectiveness research taps the IT toolbox to compare treatments to determine which ones are most effective. (Free registration required.)