Following the announcement of the Anthem security breach, data security is at the forefront of everybody's minds. Although Anthem was breached through poor access controls rather than a lack of encryption, the question has been raised of whether the federal Health Insurance Portability and Accountability Act (HIPAA) should make encryption mandatory.
HIPAA was enacted in 1996 and later coupled with the Health Information Technology for Economic and Clinical Health Act (HITECH), passed as part of the 2009 American Recovery and Reinvestment Act, to transform how health information is handled. HIPAA is designed to provide privacy standards that protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. HITECH was created in 2009 to stimulate adoption of electronic health records (EHR) and supporting technology in the United States. The two acts are distinct statutes, but they complement each other in protecting health information.
To effectively protect data, Personally Identifiable Information (PII) and Protected Health Information (PHI) should be stored so that the two can never be linked. One way to do this is to ensure the fields that could join the two sets of data are encrypted or tokenized, although neither HIPAA nor HITECH requires this.
HIPAA does, however, "strongly encourage" encryption: under the Security Rule it is an "addressable" specification, so a company that chooses not to implement it must document its reasons why and what it does instead, which is quite a vague requirement. Following the Anthem breach, federal officials plan to review whether HIPAA should require encryption.
Is Encryption the Answer?
Experts have previously stated that there is an over-emphasis on HIPAA compliance rather than on actual security. A company's own employees may expose it to security threats without meaning to. Encryption alone may not protect your data sufficiently if access controls are compromised, so there needs to be a balance between protecting data from outside attackers and maintaining proper internal security controls.
When applying encryption, it is vital to remove the link between PHI and PII. According to Gerry Grealish, Chief Marketing Officer at Perspecsys, this can be done by replacing around 20 fields with encrypted or tokenized values. This breaks the link between the two sets of data while leaving the core software unaffected, because the remaining fields are untouched.
One of the commonly voiced concerns is that the layer of encryption will affect the performance of the software. This is a legitimate concern, so to limit the impact it is recommended that you encrypt only the necessary fields. Encrypting every field has a significant effect on performance, and it also breaks searches and joins on fields the application needs in the clear.
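As an added illustration of the two paragraphs above (this is example code written for this post, not code from Anthem, Perspecsys or any HIPAA guidance), the Python below tokenizes only the fields that could join a PHI row to a PII row and leaves the clinical fields in the clear. The sample records, the field list in LINK_FIELDS and the TokenVault class are all constructed for the example. Tokens are derived with HMAC so that the same value always maps to the same token, which is what keeps the application's own equality lookups working; the reverse mapping lives only in the vault, which is the store that must sit under separate access control from the application database.

```python
"""Field-level tokenization of the identifiers that link PHI to PII (constructed example)."""
import hashlib
import hmac
import secrets

# Constructed sample data: two members' demographics (PII) and their clinical rows (PHI).
PII_RECORDS = [
    {"member_id": "M-1001", "name": "Jane Doe", "ssn": "123-45-6789", "dob": "1980-01-02", "zip": "90210"},
    {"member_id": "M-1002", "name": "John Roe", "ssn": "987-65-4321", "dob": "1975-07-19", "zip": "10001"},
]
PHI_RECORDS = [
    {"member_id": "M-1001", "ssn": "123-45-6789", "diagnosis": "E11.9", "visit_date": "2015-01-15"},
    {"member_id": "M-1001", "ssn": "123-45-6789", "diagnosis": "I10", "visit_date": "2015-02-03"},
    {"member_id": "M-1002", "ssn": "987-65-4321", "diagnosis": "J45.909", "visit_date": "2015-01-22"},
]

# Only these fields can join a PHI row to a PII row, so only these are replaced.
# Diagnosis and date fields stay in the clear: queries on them still work and
# only a handful of columns pay the tokenization cost.
LINK_FIELDS = ("member_id", "ssn")


class TokenVault:
    """Reversible tokenization (assumed design, not a specific vendor's product).

    Tokens are HMAC-SHA256 over (field, value) under a vault-held key, so equal
    values yield equal tokens. The token -> value map is kept only here.
    """

    def __init__(self, key):
        self._key = key
        self._reverse = {}

    def tokenize(self, field, value):
        mac = hmac.new(self._key, f"{field}\x00{value}".encode(), hashlib.sha256).hexdigest()
        token = "tok_" + mac[:24]
        self._reverse[token] = value
        return token

    def detokenize(self, token):
        return self._reverse[token]


def tokenize_record(record, vault):
    """Replace the linking fields of one record; leave every other field as-is."""
    return {k: vault.tokenize(k, v) if k in LINK_FIELDS else v for k, v in record.items()}


def detokenize_record(record, vault):
    return {k: vault.detokenize(v) if k in LINK_FIELDS else v for k, v in record.items()}


def linkable_rows(phi_rows, pii_rows):
    """Count PHI rows that share any (field, value) with a PII row.

    This is the join an attacker holding dumps of both stores, but no vault key, can do.
    """
    pii_values = {(k, v) for row in pii_rows for k, v in row.items()}
    return sum(1 for row in phi_rows if any((k, v) in pii_values for k, v in row.items()))


def demo():
    """Returns (linkable before, linkable after, visits grouped for first member, round-trip ok)."""
    vault = TokenVault(secrets.token_bytes(32))
    phi_store = [tokenize_record(r, vault) for r in PHI_RECORDS]

    before = linkable_rows(PHI_RECORDS, PII_RECORDS)   # every PHI row joins to a person
    after = linkable_rows(phi_store, PII_RECORDS)      # tokenized store shares no value with PII
    first_token = phi_store[0]["member_id"]
    grouped = sum(1 for r in phi_store if r["member_id"] == first_token)  # app joins still work
    restored = [detokenize_record(r, vault) for r in phi_store]
    return before, after, grouped, restored == PHI_RECORDS


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add: deterministic tokens over low-entropy fields such as SSNs are only as strong as the vault key, since anyone holding it can enumerate candidate values, so the key and the reverse map need tighter access control than the application itself; and, as the next paragraph notes, none of this helps against an attacker who logs in with valid employee credentials and reads the data through the application, which detokenizes it on their behalf.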
Unfortunately, in the case of Anthem, even if the data had been encrypted the attackers could still have accessed it, because they held five sets of employee credentials. Those credentials gave them access to information behind the firewall in the form the application presents it to an authenticated user, which is not encrypted. We have previously blogged on improving internal security controls for cloud technology.
Maintaining a balance between encryption and access control is what gives your business the highest level of security.