Why Isn't Encryption More Common?Attorney Contends Many Organizations Lack Risk Analysis
One important reason why encryption is not more broadly used in healthcare is that many organizations lack an updated risk assessment, says attorney Amy Leopard.
An updated risk assessment could identify the role encryption technology can play in improving security, she contends.
The HITECH Act's electronic health record incentive program could prove to be a powerful encryption catalyst, the regulatory compliance expert says. That's because those applying for incentive payments must conduct an updated risk assessment and take action to remediate any risks identified.
"Many organizations are going to find once they go through a risk analysis that encryption is a good security solution for them," Leopard says in an interview with HealthcareInfoSecurity's Howard Anderson (transcript below).
In the interview, Leopard also:
- Stresses that a key to winning the support of senior executives for widespread use of encryption is to portray the investment as critical to preventing breaches and avoiding reputational harm.
- Discusses the breach-prevention value of encrypting data on mobile devices as well as using secure e-mail and virtual private networks; and
- Describes how to work with business associates to make sure they're applying encryption to protect patient information.
- Leopard is a partner at Bradley Arant Boult Cummings. A former hospital executive, she advises clients on a variety of strategic issues. She has more than 25 years of healthcare experience, including serving as vice president at academic medical center and community hospital settings.
HOWARD ANDERSON: For starters, why don't you tell us a little bit about your firm and your role?
AMY LEOPARD: I'm at Bradley Arant Boult Cummings, a very large southeastern law firm with a D.C. office, and I'm a partner in the national office working significantly in the area of healthcare IT. Our firm has about 50 attorneys in the healthcare space and another 40 that do intellectual property. So we work a lot with healthcare providers on their technology solutions.
The Role of Encryption
ANDERSON: When should encryption be a standard for reasonable data management? What do you think?
LEOPARD: ... Our framework for this is to look at the HIPAA security rule. In 2003, when HHS came out with the security rule, they said back then that encryption was not mandatory. It wasn't a standard. What was a standard is that you had to look at your operations and determine whether or not encryption made sense. The analysis that the government gave us to look through and ... make a decision was a risk/benefit analysis where covered entities should be looking at costs and risks and the criticality of the data.
So in 2003, encryption was certainly much more expensive than it is today, and probably the risk was less because we didn't have so many different portable uses, which seem to be a high-risk area. Now, there's a lot more protected health information that's moving and being exchanged. The risks have gone up, and the [encryption] cost has gone down. ... In 2003, we had no consequence in terms of a duty to report to the government or a duty to report to the patient any breaches of PHI [protected health information] that was not secured. That's no longer true. Under the HITECH Act [breach notification rule] we've got a critical regulatory framework. We've got an industry where there's a lot more movement of data that's protected, or should be protected. ... In 2012, I think people are coming to a different conclusion than they may have come to in 2003.
Why Not Universal?
ANDERSON: In light of all that, with so many major health information breaches involving the loss or theft of unencrypted devices or media, what's the reason why the use of encryption isn't more universal yet?
LEOPARD: I think there are a couple of reasons for that. One is just ignorance. There are a number of entities still ... that just simply do not have the organizational expertise to understand IT issues, or are just not keeping up with the technology related to security. That's certainly the case in some really small healthcare provider organizations. But even within the larger organizations, there's some concern about how organizations are keeping up with all of the many IT projects that they have to manage right now. There are a lot of moving parts with the EHR [electronic health record] adoption, which is moving very rapidly. And so I think some organizations may be focusing on that and not so much on the technical infrastructure, and that could really be a detriment if they're moving forward on higher-risk type activities without looking at the underlying fundamentals.
Then of course ... sometimes they're just not current on their risk assessments, so they're not current on where in their organization encryption would be a good solution. They may have encryption, but they haven't rolled it out to all of the areas where the organization faces a risk that could be better managed.
Winning Executive Support
ANDERSON: What advice would you offer for ways to win the support of senior executives for a bigger investment in encryption to help prevent breaches? And how can organizations avoid overspending on encryption technology implementation?
LEOPARD: Senior executives are very busy people, and sometimes they do not have the bandwidth to go through the detailed technical analysis surrounding security risk assessment. So you've got to think about what are the risks they're concerned about. And a lot of the risks that the C-suite is concerned about are reputational-type risks. So I would say start with that. Start with, "Hey, this is something we need to be doing to stay off the front page of the newspaper. This is the kind of thing that can prevent critical reputational harm to the organization." Lead with that, and then follow with some of the other types of risks that the organization faces to help get that support.
As far as overspending, you've got to have a good process there to identify your needs and your priorities to look at what parts of the organization have the biggest risk and where should the priorities be placed. ... Often times that is going to require a look at how and where data is stored, particularly on devices ... Getting that assessment of what's happening within the organization will certainly help focus the spend. And then I think you have to establish solid IT contracting strategies, just like any other contract negotiation, to identify a suitable [encryption] vendor, make sure their key infrastructure is up to the NIST standards and the technology is consistent with the NIST standards. ...
Encrypting Mobile Devices
ANDERSON: What are your insights on under what circumstances mobile devices and media should be encrypted?
LEOPARD: Again, I think it goes back to your risk assessment. The organizations are required under the HIPAA security rule to conduct that risk assessment and, as part of that, address what security safeguards are reasonable. If there are areas that need urgent attention because of the risk - I think that's probably going to be any PHI that is stored ... on a mobile device - then encryption is going to be a very important thing to look at. ...
ANDERSON: What's your advice on when to apply encryption to data in motion rather than data in storage, such as by using secure e-mail or virtual private networks? Should that be part of the routine now?
LEOPARD: Well I think so, if you're looking at using e-mail to either communicate with patients or to communicate about patients to the extent that the users of the particular application are exchanging data about patients. ... You've got to look at how to apply encryption and whether secure e-mail or VPN is going to meet your need. But that's certainly going to be a high-priority area where they're subject to such a high degree of risk.
ANDERSON: As more organizations adopt electronic health records in hopes of receiving financial incentives under the HITECH Act, could that be another catalyst for encryption, do you think?
LEOPARD: I do, I do. I know that to be true. The big thing that has come about by the meaningful use approach is that they're beginning to certify the electronic health record technology and ensure that the basic framework is there for the technology to have encryption as a part of the overall system security and for particular applications. That's good from the vendor perspective. From the provider perspective, the meaningful use rule requires the healthcare provider to actually go through and document their risk assessment and update that and identify where they have gaps, how they're going to close those gaps and what are the assets that they're going to employ in order to manage security.
As I mentioned earlier, many organizations are going to find, once they go through an appropriate risk analysis, that encryption is a good tool, a good solution for them. And although HITECH is not requiring encryption for everything that you do to qualify for meaningful use, certainly it's ensuring that the functionality is there and that you're looking at that risk. So I think that as a natural consequence of looking at that risk that organizations will decide that encryption is going to be one of the important areas for the coming months and years.
ANDERSON: Finally, how should healthcare organizations work with their business associates to make sure they're appropriately applying encryption to help prevent breaches?
LEOPARD: There are a couple of things that healthcare organizations can do to work with their business associates. A lot of times it depends on the level of sophistication that the business associate brings to the table. Some business associates are very, very sophisticated in this space and actually have much more technology understanding than the healthcare organization. At the other end of the spectrum, you have business associates who don't even realize yet that they're regulated by HITECH and that they have breach notice obligations to their healthcare organization client in the event that they breach unsecured protected health information.
The first step is obviously to ensure that, with your business associates, you've identified who's ahead of the curve and who's behind the curve. And then ... look at how business associates are complying with their existing business associate agreements and how those agreements need to be updated for the breach notice obligations under HITECH. ... Ask them ... "What are your plans are today and in the coming months and years to keep up with this evolving standard under HITECH?" Constantly, as the bar gets raised, look and see where your vendor is going. ...