If So, Take Some Encryption and Call the Doctor in the Morning
Earlier this year, a business acquaintance received a data breach notification letter from Anthem, an insurer in the healthcare industry. The letter begins with the standard assurances that Anthem “works hard to protect your personal information.” But the mood quickly changes in the next sentence as Anthem advised: “Unfortunately, we were the victim of a cyber attack and your personal information may have been accessed.”
The same person had the misfortune of thereafter receiving a similar type of letter from another company in the healthcare industry, UCLA Health. The letter from UCLA Health conveyed the same type of canned message: assurances about “working hard” to protect personal information; followed by a claim of being a “victim” of hackers; and then the “unfortunate” result that personal information may have been compromised.
This person was concerned, and she asked me a lot of questions. How could so many healthcare companies become “victims” of hackers? Don’t these “victim” companies have data security protections in place to prevent this sort of thing? Have they ever heard of encryption? She asked me for answers, so I did some research into the state of data security in the healthcare field, and I want to share some of it with readers of bTrade’s MFT Nation.
Health Insurers Aren’t Required to Encrypt Data???
One of the first items I came across is this article from Wall Street Journal online entitled “Health Insurer Anthem Didn’t Encrypt Data in Theft.” The article discusses data breaches involving Anthem and another health insurer, Humana, and suggests that the hackers were successful because the companies weren’t encrypting data. According to the authors, health insurers aren’t required by law to encrypt data:
Health insurers don’t always encrypt members’ data, and aren’t required by the federal Health Insurance Portability and Accountability Act to encrypt data.
Under HIPAA, doctors, hospitals, health plans and others must “address” encryption in their operations, but don’t have to scramble data if they determine doing so would impose an unreasonable burden, the likelihood of disclosure is low and they have implemented alternative security measures.
The authors are technically correct, but in practice, health insurers should consider encryption to be a required part of their data security practices.
The Healthcare Industry is Subject to Strict Data Security Laws
If you want to know the data security standards for the healthcare industry, you need to understand the Health Insurance Portability and Accountability Act, or “HIPAA” for short. HIPAA is a comprehensive federal law, and when I say “comprehensive,” I mean it’s got a lot of data security standards that, if followed, will help protect the confidentiality of personal information when it is stored, maintained or transmitted by healthcare entities such as Anthem and UCLA Health.
As the authors of the WSJ article stated, HIPAA does not explicitly require encryption. In fact, it doesn’t explicitly require the implementation any specific security technology. However, this doesn’t mean what people sometimes think it means, and this misunderstanding can cause healthcare folks some real heartburn.
Encryption is Reasonable and Appropriate, Right?
In a section of HIPAA captioned “Technical Safeguards,” there is an “Implementation Specification” dealing with encryption. But the Implementation Specification for encryption is categorized as “addressable” rather than “required.” Why are some things “addressable” rather than required? Because there is not always a “one-size-fits-all” solution for data security issues. For example, a healthcare entity with only a local network and no electronic connectivity to any person or entity outside of the organization may not need to encrypt. Also, encryption is just one method of rendering electronic data unreadable to unauthorized persons.
It should be noted, though, that “addressable” does not mean “optional.” A healthcare entity must still determine whether an addressable Implementation Specification is a “reasonable and appropriate” data security measure to apply within its particular environment. The key phrase here is “reasonable and appropriate.” In other words, encryption is required if it’s reasonable and appropriate to do so.
Whether a particular security measure is “reasonable and appropriate” depends on a balancing of factors such as an entity’s size, complexity, capabilities, infrastructure, hardware and software, as well as the costs of the security measures and probability and criticalness of potential risks. Basically, a company doesn’t “have to” encrypt, but if it chooses not to, it better be prepared to demonstrate clearly in the event of an audit by HHS’s Office for Civil Rights that its analysis is accurate.
In summary, health insurers are required to encrypt personal information whenever it is “reasonable and appropriate” to do so. In what situations would it be considered reasonable and appropriate to not use encryption? Except for the local network example mentioned above, I can conceive of very few, if any. Even if you think that such a situation exists in your organization, you better be prepared to convince HHS’s Office of Civil Rights that you are right, and remember that this office generally considers encryption to be both necessary and appropriate. For these reasons, I believe that encryption is required by most, if not all health insurers.
Let us know us know whether you agree or disagree by posting a comment below, or by sending a confidential email to firstname.lastname@example.org.