Encrypting medical records is vital for patient security

Lax attention to information security makes healthcare firms easy targets


Health care is a massive market with annual expenditures that consume approximately 17.7 percent of U.S. gross domestic product.

The ecosystem that provides health care includes more than 900,000 physicians and 2.7 million registered nurses, and the information technology infrastructure to support them.

All this presents a major target for cyber attackers. Recent examples include the breach of Community Health Services. The attackers acquired the names, addresses, birth dates, phone numbers and Social Security numbers of 4.5 million patients. Other recent targets include Anthem and Premera.

Despite the increased attention from cyber criminals, most doctor's offices, clinics and hospitals have small information technology teams. Many health care companies don't staff a security operations center to combat cyber attacks. As a result, more data breaches and identity theft crimes are likely.

Carl Wright, TrapX Security executive vice president and general manager

The Department of Health and Human Services has stepped up to specify the necessary technology for the protection of patient data. HIPAA (Health Insurance Portability and Accountability Act) rules provide federal protection for individually identifiable health information held by covered entities and their business associates. The rules also define administrative, physical, and technical safeguards to assure such areas as the confidentiality of electronic health information.


Unfortunately, these safeguards are no longer enough. Health & Human Services must acknowledge that new technologies reduce the effectiveness of current cyber defenses.

Despite increasing attacks, encryption is still not mandatory under HIPAA. The Security Rule indicates that encryption, ultimately, is at the discretion of the entity, determined by its assessment of risk. This allows many to make well-intended, but faulty decisions that put confidential patient data at risk.

Further, medical devices often store unencrypted patient data and can be vulnerable to attackers. Any decision to allow unencrypted patient data to be stored in electronic systems seems shortsighted.

Medical devices are visible points of vulnerability in the health care sector and the hardest area to remediate even when attacker compromise is identified. Persistent cyber attacks threaten hospital operations and the security of patient data. The mandatory use of encryption is necessary to reduce risk and protect patient information.
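What "encrypted at rest" looks like for a single stored patient record, as an added example that is not part of the original article and not code from TrapX or any product it describes: the record is sealed with AES-256-GCM under a key that is held outside the data store, so a dump of a device's storage or a database table yields only ciphertext, and any modified, truncated, or swapped blob fails authentication instead of decrypting. The record contents, the record ID used as associated data, and the in-memory key handling are constructed assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newKey returns a fresh 256-bit AES key. In a deployment the key lives in a
// KMS or HSM, never beside the ciphertext; generating it in memory here is an
// assumption made only so the example runs stand-alone.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealRecord encrypts one patient record with AES-256-GCM.
// Output layout: nonce || ciphertext || tag. The record ID is bound as
// additional authenticated data, so a ciphertext copied from one record's
// row into another's row fails to decrypt.
func sealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, so the blob is self-describing.
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// openRecord reverses sealRecord. It returns an error, never partial plaintext,
// if the blob was truncated, modified, or stored under a different record ID.
func openRecord(key []byte, recordID string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	// Constructed, fictitious record; not real patient data.
	record := []byte(`{"name":"Jane Example","dob":"1970-01-01","ssn":"000-00-0000"}`)
	sealed, err := sealRecord(key, "patient-0001", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob is %d bytes of ciphertext, first bytes %x\n", len(sealed), sealed[:8])

	opened, err := openRecord(key, "patient-0001", sealed)
	fmt.Printf("correct key and ID: %q err=%v\n", opened, err)

	// Flip one byte of the stored blob: the authentication tag no longer matches.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = openRecord(key, "patient-0001", tampered)
	fmt.Println("tampered blob rejected:", err != nil)

	// Present the same blob under another record's ID: also rejected.
	_, err = openRecord(key, "patient-0002", sealed)
	fmt.Println("blob moved to another record rejected:", err != nil)
}
```

The design choice worth noting is the associated data: encrypting each field or row with the same key but no context lets an attacker with write access to the store shuffle valid ciphertexts between patients; binding the record identifier into the GCM tag makes that a detectable failure rather than a silent mix-up.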
