A great deal has already been said about the importance of encryption in safeguarding protected health information (PHI). Yet data breaches resulting from a lack of encryption continue to fill the ‘wall of shame’, the latest addition being a breach reported by Horizon Blue Cross Blue Shield. The incident involved the theft of two unencrypted laptop computers that were cable-locked to employee workstations at the insurer's headquarters. The breach is said to have potentially affected nearly 840,000 individuals.
The Department of Health and Human Services confirmed that this is the second largest health data breach reported so far in 2013. Notably, the three largest breach incidents of 2013 have all involved thefts of unencrypted computers, which makes clear that lack of encryption remains one of the top causes of data breaches.
A review led by forensic experts at Horizon Blue Cross Blue Shield confirmed that the stolen laptops may have contained files with varying levels of patient information, including names, addresses, identification numbers, dates of birth, some clinical information and, in some cases, social security numbers. However, it was not clear whether all of the information stored on these laptops is accessible. The company is notifying over 839,700 members about the breach, and those whose social security numbers may have been compromised will be offered free credit monitoring and identity theft protection for one year. The company is working with law enforcement to locate the stolen laptops and is also strengthening its encryption processes. Enhancing policies and procedures and educating staff about the security of member information are also among its immediate goals.
This incident is a clear warning that, irrespective of physical security measures, encrypting PHI stored on mobile and desktop computing devices is a crucial task. Physical safeguards matter too, but unless the data itself is encrypted, significant risks will always remain from insider threats and from others who have access to locked facilities.
According to Adam Greene, a privacy attorney, there is no substitute for encryption or for a data loss protection technology that keeps data centrally and ensures it does not end up on the end-user device. Moreover, entities that fail to encrypt PHI will find it hard to defend themselves during breach investigations and other regulatory actions. And with the cost of encryption falling significantly, the government now expects entities to employ this method to secure PHI. Physical safeguards alone will no longer suffice.
It should also not be forgotten that the penalty for non-compliance under the HIPAA Omnibus rule may go up to $1.5 million per violation. Entities are therefore better off paying for encryption and preventing a breach than being subject to such high penalties. Solutions like Aegify Security Posture Management or Aegify SecureGRC could prove extremely useful in preventing data breaches. They address the need for encryption while also providing comprehensive security for PHI, making them well suited for healthcare providers, their business associates and subcontractors to ensure PHI is safeguarded throughout its lifecycle.