For the highly regulated healthcare industry, encryption of protected data and hardware is at once a cornerstone of its compliance obligations and a measure that many individual providers have, unbelievably, not taken yet. A recent string of data breaches, topped off by the record-setting theft of records from Illinois-based provider Advocate Medical Group, has demonstrated the relative ease with which criminals can make off with sensitive patient information. Oftentimes, they do not even have to execute an advanced cyberattack. Since providers are sometimes less diligent than they should be when handling storage media, something as simple as a stolen hard drive can result in attackers gaining access to scores of unencrypted records.
Although its efficacy has come under scrutiny in light of recent code-breaking initiatives from the National Security Agency, encryption remains a mathematically sound and technically robust way for the healthcare industry to protect its assets from malicious actors. The stakes could not be higher. Unlike organizations at which financial loss is the primary risk of a breach, medical organizations are also legally bound by the Health Information Portability and Accountability Act, which mandates safe handling of patient information and proper maintenance of electronic health records. HIPAA violations undermine the healthcare industry’s promises of privacy and result in costly settlements.
More importantly, however, any loss of protected health information raises the prospect of medical identity theft. By stealing a patient’s identity, a criminal can unjustly obtain insurance to pay for treatment. Accordingly, the cybersecurity community’s obligation with respect to healthcare security is a great one. That is, it must ensure that tools like encryption empower providers in their quest to protect patient records and provide appropriate care.
One of the largest HIPAA incidents ever
In July 2013, thieves broke into the Illinois offices of Advocate Medical Group and took four unencrypted laptops. According to Modern Healthcare writer Joseph Conn, the pilfered computers contained a total of 4 million patient records, making it one of the two largest breaches recorded by the U.S. Office of Civil Rights. Since 2009, that office, part of the Department of Health and Human Services, has been required under the American Recovery and Reinvestment Act to publicly post all breaches of HIPAA.
Why were the computers left unencrypted? Advocate began an encryption initiative as far back as November 2009, in response to a similar theft that resulted in the loss of 812 patients’ records. However, despite already being cited for the breach by HHS, Advocate moved so slowly that even three and a half years later, it had not encrypted every computer at the Park Ridge, Ill. office that became the site of the second incident.
According to SmartDataCollective’s Thu Pham, the stolen hard drives included clinical data like diagnoses, registrations, appointment times, and insurance information. Some files may also have contained personally identifiable items like Social Security numbers, names and addresses, which can facilitate medical identity theft.
“You can imagine the extent of the forensic analysis to uncover what was on those hard drives,” said Advocate senior vice president and chief marketing officer Kelly Jo Golson. “To the best of our knowledge, this data goes back to the early 1990s.”
What may be holding encryption back
HIPAA does not explicitly require that medical records be encrypted, instead labeling encryption as merely an “addressable standard,” according to HealthITSecurity. While IT departments may hold encryption in high regard and strive to implement it on all devices, the sobering reality is that healthcare institutions often have highly fragmented endpoint fleets, which, combined with poorly monitored networks, make it difficult to know where to begin applying encryption.
“Typical shops have myriad devices being used, not just PCs and laptops but Macs, iPads, Windows-based tablets and external hard drives and thumb drives,” stated Nova Southeastern University CISO John Christy, according to HealthITSecurity. “Tack onto that tracking down where data moves, such as FTP servers transferring data in and out of an organization, email, interfaces with other programs and the cloud. And there’s also the transfer of data to other external business partners as part of interfacing healthcare information exchanges.”
Implementation, rather than technological shortcoming, is the primary obstacle to encrypting healthcare records and devices. Fortunately, there is a sensible path forward, starting (perhaps counterintuitively) with virtualized and cloud-based solutions.
Pham explained that after identifying privileged records, providers can set up disk encryption on a storage area network, ensuring that data is encrypted as soon as it is written to storage. However, they must procure a private enterprise cloud that pairs scalability with security. Having dedicated resources for archiving and computing means that healthcare organizations will have fewer issues with outages or cloud security lapses that could land them in hot water with patients and HHS auditors.
At a lower level, even small providers can adequately protect records with inexpensive encryption tools, provided that they have nuanced knowledge of their networks and operations. Learning more about how users behave on networks, as well as when and where threats are emerging, remains an area for improvement for all IT departments. According to a study cited by Dark Reading’s Ericka Chickowski, more than half of enterprise IT managers struggle with detecting zero-day threats, while 13 percent admitted that they did not even know if they had suffered a data breach over the past year.
Preventing medical identity theft: Another impetus for universal encryption
Encrypting data at rest and in transit is an effective way for healthcare providers to ensure compliance with HIPAA. But the stakes may be even greater for patients, who may become victims of identity theft following a breach of unencrypted records.
A recent Ponemon Institute survey found that medical identity theft affected nearly 2 million individuals in the U.S. alone in 2013, up 20 percent year-over-year.
“Medical identity theft is tainting the healthcare ecosystem, much like poisoning the town’s water supply. Everyone will be affected,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “[C]onsumers are completely unaware of the seriousness and dangers of medical identity theft.”
Ultimately, encryption should be not merely encouraged, but required for the healthcare sector. While its prevalence will ensure that fewer organizations run afoul of HIPAA, more importantly it will improve patient safety and foster better trust between patients and care providers.