Earlier this summer, the Health Information and Management Systems Society (HIMSS) issued its 2016 Cybersecurity Study, which reported the results of an ongoing research program designed to survey the experience of U.S. health care organizations with respect to cybersecurity.
HIMSS received responses from 150 hospitals and non-acute provider sites between February 15 and May 15, 2016, with respect to the security technologies that those organizations had purchased and implemented, the level of business priority the organization places on cybersecurity, the source of motivation driving their security technology efforts and the barriers to increasing their cybersecurity risk mitigation efforts.
HIMSS reported that most of the providers surveyed (85.3%) indicated that information security increased as a business priority over the past year, and it appears that a significant factor in this increase was the proliferation of phishing attacks and of viruses, malware and other forms of malicious software. As a result, a significant percentage of the providers indicated that they had purchased and implemented antivirus and anti-malware software (86.0%) and firewall technology (80.7%).
What About Encryption?
However, the percentage of providers that reported using encryption was substantially lower: only 64% used encryption for data in transit and 58.7% encrypted data at rest.
This result with respect to encryption is surprising, given the onerous reporting obligations under the Health Information Privacy and Portability Act (HIPAA) for covered entities that experience breaches of protected health information (PHI).
As noted in the HIMSS report, the lack of encryption “leaves the door wide open to potential tampering and corruption of data, in addition to a large potential for a breach,” particularly in connection with lost or stolen mobile devices. The HIPAA Security Rule designates the use of encryption by a covered entity to safeguard PHI as an “addressable” standard (i.e., the covered entity is not required to use encryption if it reasonably determines that its level of security risk does not warrant it).
Nonetheless, encryption is useful for covered entities in the case of a breach of PHI, as encryption provides a safe harbor under the HIPAA Breach Notification Rule. If the covered entity can show that the impermissibly acquired, accessed, used or disclosed PHI was encrypted in accordance with guidance issued by the U.S. Department of Health and Human Services (DHHS), the Breach Notification Rule is not triggered and the covered entity is not required to notify patients, DHHS or the media as would be required for breaches of “unsecure PHI” (i.e., unencrypted PHI).
In addition, it is becoming increasingly difficult to argue that health care entities are not at risk in light of the increase of breaches involving hacking and cyber attacks targeting health care networks and e-mail systems in 2016. A reportable breach opens a covered entity’s HIPAA privacy and security policies and procedures to DHHS scrutiny, and it is possible that DHHS could determine that a covered entity’s choice to not use encryption technology is unreasonable. This could expose the covered entity to substantial fines under HIPAA. For this reason, it is important for HIPAA covered entities to engage in thorough and routine risk assessments to determine what security measures are appropriate for their organizations.