HHS Should Require the Encryption of Portable Devices to Curb Health Data Breaches
Written by Harley Geiger
Many companies use encryption on their portable devices, but the continuing parade of health data breaches demonstrates that too many organizations have yet to do the same. The U.S. Dept. of Health and Human Services (HHS) should consider revising the Security Rule to outright require encryption for portable devices containing the protected health information of 500 or more patients. Setting a floor of 500 patients dovetails with current breach notification reporting requirements and also avoids burdening physicians who want to access the health information of a small number of individuals on, for example, a smart phone. A regulatory requirement like this may have prevented the breach of health data on nearly six million individuals over the past year and a half.
Latest health data breach is severe
Earlier this week, Health Net – a large health insurer – announced a breach of sensitive information on nearly two million people. The breached information includes names, addresses, Social Security numbers, health and financial information. The information was held on hard drives that were likely discovered missing in early February. Not all the details are out yet, but the fact the notification was issued at all makes it unlikely that the drives were protected with encryption. This is a massive breach of information that is about as sensitive as it can get.
Particularly troublingly, this is Health Net’s second big data breach in two years. In 2009, Health Net lost the Social Security numbers and medical information of 1.5 million policyholders. In that case, the information was held on an unencrypted portable drive – contrary to Health Net’s internal policies – and Health Net waited six months before reporting the incident. The Connecticut Office of Attorney General, then led by (now Senator) Richard Blumenthal, sued Health Net on behalf of the nearly half million Connecticut enrollees affected by the breach. Blumenthal was the first to take advantage of a provision in the 2009 HITECH Act that empowered state AGs to enforce HIPAA. The Vermont AG’s Office sued Health Net soon after.
The AGs’ suit against Health Net sought, among other things, a court order that would require Health Net to encrypt any protected health information contained on a portable device. Under the Connecticut and Vermont settlements, Health Net promised to encrypt all hard drives on its laptop and desktop computers, as well as (under the Vermont settlement) all other external drives or devices. Health Net also promised to train its employees on encryption and the safe usage of portable devices. Health Net, in fact, agreed to a whole slew of privacy protection efforts under the settlement terms.
This begs the question – what will it take to get more health care companies to encrypt portable devices containing patient information? To encourage encryption, Health Net had internal policies, HIPAA regulations, at least two settlement agreements, and the sheer cost – financial and reputational – of a large data breach. Yet, two years later, Health Net experienced an even more severe breach. Presently, there is no explicit federal requirement that companies encrypt portable devices containing patient health data, yet unencrypted portable media are among the most common causes of data breaches.
Unencrypted portable devices are top cause of breach
Smart phones, thumb drives, laptops and other portable devices have become a mainstay of business equipment, but they carry unique risks, including for the security of health data. According to HHS, a top cause of breach of patients’ health data is the loss or theft of portable devices, such as laptops and external hard drives. A recent report – issued prior to the latest Health Net breach – from Redspin, an IT security audit company, crunched the numbers HHS provides on data breaches and came up with some interesting figures. The report examined 255 breaches that affected 500 or more individual patients since HHS issued its breach notification rule in August 2009. Over that period, the Redspin report found that the health records of more than six million people had been compromised. Forty-four percent of all incidents and 65% of all records breached – nearly 4 million records – involved a portable media device, such as a laptop. According to Redspin, twice as many individuals were affected by data breaches arising from portable devices than non-portable devices, such as desktop computers or network servers.
For most companies storing or using sensitive information, ensuring the security of portable devices is a high priority. Many health care organizations use encryption – long recommended as a crucial safeguard – to protect the data on their portable devices. Still, the breach notification data indicate that the security of portable devices remains a big vulnerability. Federal law includes some incentive for organizations to encrypt their data, but that incentive is limited.
Limited legal incentive to encrypt
The HIPAA Security Rule requires “covered entities” (such as hospitals or physician offices) or their business associates to use security measures that are “reasonable” and “appropriate” to protect health data, including encryption. However, covered entities can determine that encryption is not appropriate to protect health information in portable media, in which case they must document their decision and use an “appropriate” alternative protection to meet the Security Rule standards. So, while the Security Rule requirements of reasonable and appropriate safeguards are not optional, covered entities have some leeway with regard to the use of encryption on portable devices.
Similarly, HHS’ August 2009 breach notification rule offers an incentive – rather than an outright requirement – for covered entities to use encryption. The breach notification rule requires covered entities to notify patients and report to HHS when they experience a data breach affecting 500 patients or more. In some cases, the covered entity must also notify the media. This notification is not only expensive for covered entities, but the data breach also erodes patient trust in the covered entity. HHS’ rule allows covered entities to avoid breach notification requirements if, prior to the breach, the covered entity used encryption or another method to render the data unreadable to unauthorized parties. However, the rule does not require covered entities to notify patients or HHS of the data breach if they determine the breach does not carry a “significant risk of harm” to the patient. (See CDT’s blog post on the problematic “harm standard.”)
At least one state requires encryption for portable media. In 2009, Massachusetts issued rules requiring businesses to encrypt all portable devices and laptops that contain personal information about a Massachusetts resident. The personal information triggering the requirement is the resident’s name in combination with social security number, state-issued ID number (such as driver’s license), or financial account number (such as credit or debit card). This was likely standard practice for many businesses already – industry groups have had similar requirements for their members for years, such as the Payment Card Industry Data Security Standard. The deadline for complying with the Massachusetts law was March 1, 2010, so we are just over a year into its implementation. Evidently, there have been few enforcement actions taken to date, but in time we may get more insight into how effective this law is in preventing data breach.
Encryption a good start, but not enough on its own
Encryption is not, of course, a panacea for data security. Companies storing sensitive data must also control access to the data, train employees, conduct oversight into business associates and partners who might also handle the data, and effectively manage encryption keys. These additional protocols broke down in the case of TJX’s huge loss of customer records – which were encrypted. No protection is perfect and data breaches will inevitably continue to occur – perhaps at an increasing rate as the nation’s health care system transitions to electronic health records.
However, breaches can be mitigated. HHS has stated numerous times that preserving patient trust in the security of health data is of fundamental importance to a sound health care system, but breaches like that of Health Net undermine this trust. While it won’t prevent every breach or ensure compliance from every business, an explicit requirement to encrypt portable media containing large quantities of patient information could go a long way towards cutting down on a major vulnerability affecting millions of people.