Encrypting medical records is vital for patient security

Lax attention to information security makes healthcare firms easy targets


Health care is a massive market with annual expenditures that consume approximately 17.7 percent of U.S. gross domestic product.

The ecosystem that provides health care includes more than 900,000 physicians and 2.7 million registered nurses, and the information technology infrastructure to support them.

All this presents a major target for cyber attackers. Recent examples include the breach of Community Health Services. The attackers acquired the names, addresses, birth dates, phone numbers and Social Security numbers of 4.5 million patients. Other recent targets include Anthem and Premera.

Despite the increased attention from cyber criminals, most doctors' offices, clinics and hospitals have small information technology teams. Many health care companies don't staff a security operations center to combat cyber attacks. As a result, more data breaches and identity theft crimes are likely.

Carl Wright, TrapX Security executive vice president and general manager

The Department of Health and Human Services has stepped up to specify the necessary technology for the protection of patient data. HIPAA (Health Insurance Portability and Accountability Act) rules provide federal protection for individually identifiable health information held by covered entities and their business associates. The rules also define administrative, physical, and technical safeguards to assure such areas as the confidentiality of electronic health information.


Unfortunately, these safeguards are no longer enough. Health & Human Services must acknowledge that new technologies reduce the effectiveness of current cyber defenses.

Despite increasing attacks, encryption is still not mandatory under HIPAA. The Security Rule indicates that encryption, ultimately, is at the discretion of the entity, determined by its assessment of risk. This allows many to make well-intended, but faulty decisions that put confidential patient data at risk.

Further, medical devices often store unencrypted patient data and can be vulnerable to attackers. Any decision to allow unencrypted patient data to be stored in electronic systems seems shortsighted.

Medical devices are visible points of vulnerability in the health care sector and the hardest area to remediate even when attacker compromise is identified. Persistent cyber attacks threaten hospital operations and the security of patient data. The mandatory use of encryption is necessary to reduce risk and protect patient information.
