Data encryption for stored healthcare data is essential, as storing PHI on portable devices without using data encryption carries a high risk that the data will be exposed. The devices are highly attractive to thieves in their own right, although the data they contain is much more valuable.
Healthcare data can be used to commit medical billing fraud and identity fraud, and to obtain prescriptions and medical services. Laptop computers and portable storage devices are also easy for thieves to steal and conceal, and while the devices cost a few hundred dollars to buy, the data they contain can be worth many millions of dollars to thieves.
If data encryption for stored healthcare data is not used, any theft of a device containing PHI is likely to be considered a HIPAA violation, and if data is exposed, a HIPAA fine for unencrypted data is sure to be issued by the Office for Civil Rights.
As many healthcare providers discover, it is much easier to justify not using data encryption for stored healthcare data before a security breach than it is to explain why it was not necessary after thieves have run off with a laptop containing hundreds of thousands of unencrypted patient health records.
Community Health Center is the latest organization to have potentially violated HIPAA regulations for failing to encrypt data. A former doctor is claiming to have been sent a hard drive containing 170,000 unencrypted patient records with his effects after his employment was terminated.
The former director of the facility has alleged that he highlighted a number of security vulnerabilities at the medical center, including a potential breach of credit card numbers, and lost his job as a result of mentioning these weaknesses to the management.
In March this year, thieves broke into Sutherland Healthcare and stole 8 computers containing the unencrypted data of over 342,000 patients, and last year Advocate Medical Group had the healthcare data of over 4 million patients exposed following the theft of four laptops containing unencrypted healthcare data.
To avoid a HIPAA penalty, desktop computers and portable devices must have multi-layered security systems to prevent unauthorized access, and if data encryption is not used, there must be some other method of rendering the data unusable if the device is stolen.
It is now highly probable that healthcare providers will be attacked at some point in time for the data they hold, and the loss or theft of a medical device is almost a certainty. It is therefore in the best interests of healthcare organizations to implement data encryption on all mobile devices to avoid a HIPAA penalty.
If data encryption for stored healthcare data is not employed, then when systems are compromised or portable devices are lost or stolen, the incident will be a breach of HIPAA regulations and is likely to see the Office for Civil Rights issue a fine for failing to implement the appropriate safeguards to protect healthcare data.