Will Lawmakers Now Enforce Encryption?


Following the Anthem data breach affecting 80 million patients, a US Senate committee says it will assess the healthcare security regulations presently in place. HIPAA encourages encryption, but it remains a voluntary measure. Is it time for a change in the legislation surrounding encryption in the healthcare industry?

Healthcare companies face substantial fines for the loss of unencrypted laptops and mobile devices. Companies that suffer cyber attacks land a spot on the federal government's "Hall of Shame", a database of companies that have compromised customer information and have been hit with fines sometimes exceeding $1 million. It is estimated that only 59% of healthcare firms currently use encryption to safeguard patient data. The remaining companies leave the door wide open to attacks, and such attacks have been all too common in recent months.

The benefits of encryption far outweigh its direct costs and the potential fines and penalties for lost or stolen data. According to some sources, it may cost as little as $150 to encrypt devices containing sensitive information. Encryption is simple to implement, and every type of device can be protected with it. Mobile devices, such as laptops and tablets, are particularly vulnerable. Encryption makes the data extremely difficult to access and dramatically lowers the risk of a breach. These devices are vulnerable at every stage of their life, including the often overlooked period between decommissioning or replacement for the end user and the moment your ITAD vendor collects them. Encryption gives you a more secure and less complex ITAD "end of life" process.

Anthem claimed that encryption would not have prevented their particular attack because the credentials of an authorized user were stolen. Although recent findings indicate that this may be the case, the incident still shines a light on the value of taking the extra step to encrypt.

Many IT security experts are confounded by the current lack of encryption practices in healthcare. There is a shared belief that, given current technology and threats, laptop hard drives should always be encrypted. Company reputation and customer confidence are protected when you protect your customers' data.

The HITECH Act, a 2009 federal law that initially guided the implementation of electronic medical records, requires healthcare firms to report data security breaches that affect 500 or more patients. The Act also provides exemptions for companies that do encrypt.

Lifespan encourages all our customers, and particularly those subject to HIPAA/HITECH compliance, to take the necessary measures to encrypt. This will reduce your risks and save you money and lost customers. Encryption protects data that remains on laptops and mobile devices while they are transported to the final disposition stage of asset retirement. It does not destroy the data: you still need to ensure proper data destruction when you finally dispose of the assets. Please see our Ten Myths About IT Asset Disposition and Data Erasure resource for more information.
