Medical and healthcare companies possess a dangerous amount of data on their customers, from social security numbers to entire medical histories. While laws have been put in place to ensure that consumer data is protected, recent data breaches at Anthem and Community Health Systems demonstrate that the laws have weaknesses. Specifically, experts have noted that the law that protects consumer health data does not mandate encryption on systems with health data.
HIPAA and Encryption
Recognizing the vast amount of sensitive information collected and stored by healthcare providers, the federal government created the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Under HIPAA, personal health information on consumers is protected under law. Organizations that collect health data on consumers must meet regulatory requirements in keeping that data secure at all times.
However, as recent data breaches have shown, encryption is not part of that requirement. While encrypting data is an effective way to keep it secure, the Security Rule states that if an organization documents that encryption isn’t reasonable and appropriate, that organization can choose not to use it. In other words, with the right justification, encryption can be avoided.
In the wake of the Anthem data breach, the company came under fire for not having its patient data encrypted. However, as many experts have pointed out, encryption would have been worthless if the breach happened through accessing user account information. With a user name and password, an intruder can simply log in to a system just as its employees would.
This highlights the fatal flaw of encryption, which has become the centerpiece of many businesses’ security plans. Encryption protects data that is stolen directly from the server or intercepted in transit, but when attackers gain access through legitimate user credentials or keylogger malware, the technology falls short: an authenticated session decrypts the data for them.
Should businesses encrypt their systems? Certainly. But encryption is no replacement for sound password policies and protections against credential compromise. It’s important that businesses take a well-rounded look at the risks they face and address all of them, rather than focusing on a single protection method.