Encryption Shortfalls Plague Healthcare Industry

Published: 22/11/2024   Category: security


A Healthcare Information and Management Systems Society report focuses on securing personal patient data, which providers must address under Meaningful Use Stage 2.



Image: Health Data Security: Tips And Tools
Healthcare providers should start paying more attention to encryption of personal health information (PHI), says a new report from the Healthcare Information and Management Systems Society (HIMSS). This is not only because of the proliferation of smartphones and other mobile devices, but also because of a provision in the Meaningful Use Stage 2 rule that mentions encryption.
As in MU Stage 1, providers must conduct a security risk analysis. But now they must also address the encryption of data stored in their certified EHRs. That doesn't mean they have to encrypt the information on all end-user devices, but they must "implement security updates as necessary and correct identified security deficiencies," the Meaningful Use rule says. So if they don't use encryption, they must document their reasons and explain what alternative security methods they're using, according to the HIMSS paper.
Lisa Gallagher, senior director, privacy and security, for HIMSS, told InformationWeek Healthcare that the Meaningful Use Stage 2 rule's stance on this issue is similar to the requirement in the HIPAA Security Rule of 2003. "By and large, that [HIPAA] requirement has been ignored," she said, perhaps because some providers thought encryption was too difficult. But with the rise of mobile devices and the storage of PHI on many of these devices, she pointed out, it is no longer possible to ignore this regulation.
"HHS [the Department of Health and Human Services] noticed that 35%-40% of the breaches being reported were a direct result of a lost or stolen portable or mobile device," Gallagher noted. "In HHS' view, because the data is not encrypted, that's a breach. If the data had been encrypted, that would mean that it wasn't a breach. So the action of encrypting data on a portable or mobile device is a safe harbor from having to report lost data on a device to HHS."
If that isn't enough to spur hospitals and physician practices into action, she added, they must also attest that they have done a security review and have addressed encryption if they want to show Meaningful Use to obtain EHR incentives. "So HHS is using a policy lever to increase the use of encryption."
The HIMSS report notes that the average cost of a lost or stolen record to a healthcare organization is over $200. So for a single lost or stolen laptop holding 200 records, the impact to the organization is likely to be over $40,000. And that doesn't include legal and regulatory impacts, including potential fines.
Given the severity of the consequences, why don't more healthcare organizations encrypt all their data? "Anecdotally, it's the cost of encryption technology and also a lack of ability to implement it," Gallagher explained. Many smaller physician offices and community hospitals don't have anyone on staff who knows how to load the software and encrypt data on the network and on portable devices. "And until recently, there was no push for it. It was easy to say, 'It's too expensive or too hard.'"
The encryption that comes with Microsoft Windows operating systems is inadequate on its own, partly because smartphones run on three different operating platforms of their own, Gallagher pointed out. Moreover, she said, "Two of the three [mobile phone] design centers don't make it especially easy for you."
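The rule discussed above requires providers to document the encryption state of the devices that hold PHI (or their reasons for not encrypting), and the safe harbor Gallagher describes only applies when a lost device actually was encrypted. The script below is an added example, not code from the HIMSS report or the article, showing one way to collect that evidence on a Windows endpoint using the built-in BitLocker PowerShell module (Windows 8/Server 2012 or later, run from an elevated prompt). The function name and the CSV file name are this example's own choices; the decision to flag a TPM-only operating-system volume as a weaker configuration is an assumed site policy, not something the report specifies.

```powershell
# Added example (not from the HIMSS report or the article): inventory BitLocker
# state on a Windows endpoint so the result can be recorded in the security
# risk analysis. Assumes Windows 8/Server 2012 or later with the BitLocker
# module available, run from an elevated prompt.
#Requires -RunAsAdministrator
Import-Module BitLocker

function Get-PhiEncryptionFindings {
    # Returns one object per volume with a Compliant verdict and the reasons
    # it failed, if any. Function name is this example's own.
    $findings = @()
    foreach ($vol in Get-BitLockerVolume) {
        $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $reasons = @()

        # A volume still encrypting, or never encrypted, is not covered.
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $reasons += "volume status is $($vol.VolumeStatus)"
        }
        # Encrypted but with protectors suspended: the key is stored in the
        # clear and the data is effectively unencrypted.
        if ($vol.ProtectionStatus -ne 'On') {
            $reasons += "protection is $($vol.ProtectionStatus)"
        }
        # Assumed site policy: a TPM-only OS volume unlocks at boot with no
        # user secret, so a stolen laptop relies on the Windows logon alone.
        if ($vol.VolumeType -eq 'OperatingSystem' -and
            ($protectorTypes -contains 'Tpm') -and
            -not (($protectorTypes -contains 'TpmPin') -or ($protectorTypes -contains 'TpmPinStartupKey'))) {
            $reasons += 'OS volume unlocks with TPM only, no PIN'
        }
        # Without an escrowed recovery password a lockout means lost PHI.
        if (-not ($protectorTypes -contains 'RecoveryPassword')) {
            $reasons += 'no recovery password protector'
        }

        $findings += [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Volume     = $vol.MountPoint
            Type       = $vol.VolumeType
            Method     = $vol.EncryptionMethod
            Protectors = ($protectorTypes -join ',')
            Compliant  = ($reasons.Count -eq 0)
            Reason     = ($reasons -join '; ')
            Checked    = (Get-Date).ToString('s')
        }
    }
    return $findings
}

$report = Get-PhiEncryptionFindings
$report | Format-Table -AutoSize

# Keep the per-device evidence with the risk analysis; the file name is
# this example's choice.
$report | Export-Csv -Path "$env:COMPUTERNAME-bitlocker-audit.csv" -NoTypeInformation

# Non-zero exit lets a management tool treat any non-compliant volume as a
# finding to be corrected or documented.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it on each Windows laptop or workstation that stores PHI and keep the CSV with the risk analysis. It covers only Windows volumes; as Gallagher notes, smartphones run on other platforms and need their own checks (for example through the mobile device management tool in use), and a device that reports "FullyDecrypted" or "protection Off" at the time it was lost would not qualify for the safe harbor regardless of what the policy says.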
The best solution would be to avoid having any PHI on end-user devices, she said. But the technical fixes that have been tried so far are far from perfect; for example, many clinicians have problems with virtualized desktop applications that are not well adapted to mobile devices. Still, Gallagher expressed confidence that vendors will find better solutions if providers demand it.
Meanwhile, encryption is better than the alternatives that are listed in the HIMSS report, such as physical controls, administrative controls, having staff members sign legal agreements, or educating them on the need to protect PHI. But electronic records are not the only data that needs to be safeguarded. Today, copiers, printers, fax machines, digital cameras, and medical devices all store data, too, and represent opportunities for security breaches, the report observes.
Gallagher acknowledges that there's a growing awareness of these chinks in the security armor and attempts to address them, although she notes that "we don't see a whole lot of breaches there." Medical devices, which are increasingly interconnected with EHRs, are an especially complex area. One reason is that medical devices are regulated by the Food and Drug Administration (FDA), which is looking at the security issue from its own angle.