BreachExchange mailing list archives

Why encryption is crucial to your organization


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 31 Jul 2014 18:50:32 -0600

http://www.healthcareitnews.com/blog/why-encryption-crucial-your-organization

Technology poses a constant dilemma.

On one hand, it makes our lives easier and, in many cases, more efficient.
However, it also leaves those who don’t understand or respect data security
vulnerable to thieves, and the healthcare industry is a place where this
reality rings especially true.

Believe it or not, healthcare data security laws have been on the books for
quite a while. But what’s a law without enforcement? As a consequence of
the Affordable Care Act, the government is now enforcing the data security
laws, and major fines are being levied against noncompliant organizations.

Take the Hospice of North Idaho, for example. When one of its laptops
carrying the health information of 441 patients was stolen, it cost the
organization upwards of $50,000 in Department of Health and Human Services
fines.

In terms of data breaches, this fine — which mirrored the size of the
breach itself — is relatively small, but with this ruling, the HHS was
sending a clear message: Whatever the size of the breach or company, it’s
no longer optional to encrypt your electronic patient data.

Advanced Technology Requires Advanced Safeguards

There’s no doubt that information technology advancements have been highly
beneficial to healthcare. Doctors are now able to send information to
colleagues and providers at a much faster rate than in the days of paper
charts, resulting in more efficient patient care. Indeed, smartphones and
tablets are improving nearly every aspect of the healthcare system.

However, this advancement also creates risk. For example, before electronic
health records, physical access was required to retrieve vital records.
Now, a hacker can potentially break into a system remotely and steal
patient information.

It’s an intimidating thought, and when you couple it with HIPAA/HITECH
fines that can reach well into the millions, it’s easy to miss the days of
paper records and locked file cabinets.

The Ease and Importance of Encryption

No organization is immune to the threat of security breaches, but
implementing data encryption is a major safeguard that will protect
confidential patient information and your organization’s reputation. Here
are two important reasons to encrypt your data:

- It’s easy. As more healthcare organizations take the necessary steps to
secure data, more security companies are stepping in to streamline the
process. Security is good business, which means people are competing to
provide the best, most convenient solutions.
- It’s cheaper. There’s one very important thing to remember about
companies that are fined under the HIPAA/HITECH regulations: If they had
encrypted their stolen data, they would have been protected from possible
fines. If your information is stolen but was properly encrypted, you can
escape these costly fines. However, even without government involvement,
failing to encrypt is an expensive prospect. It will not only damage your
reputation in the eyes of potential business partners and patients, but it
will also produce lawsuits as a result of stolen data, which can quickly
accrue expenses.

Equip Yourself

The good news is that security advancements are keeping pace with the
advancement of information technology, and implementing encryption for
patient data is no longer all that different from adding an extra lock to a
filing cabinet.

Here are three concrete steps you can take to secure your patient data:

1. Full Disk Encryption

This is the digital equivalent of putting a deadbolt on your records room.
It’s also what you need to receive safe harbor from HIPAA fines in the
event of a lost or stolen device containing sensitive data. It’s vital to
ensure your encryption has FIPS 140-2 validation because encryption
solutions without it aren’t covered under safe harbor.

2. File Encryption

If full disk encryption is the deadbolt, file encryption is the secret
code. This second line of defense will ensure that even if a hacker gains
access to sensitive information, it’s very unlikely he’ll be able to read
any of it.

It’s crucial that you have a system put in place to track where these files
go and who has access to them. Without a predetermined way to keep track of
them, digital copies can easily get lost in the system.

3. Mobile Security

Tablets and smartphones can make accessing and modifying patient
information incredibly easy, but when it comes to security, they’re highly
susceptible to hackers.

It’s crucial that there’s a central control of all medical mobile devices,
as well as a way to verify that encryption is enabled on all remote
technology. If a phone gets lost or stolen, you can verify that your data
is safe.

Safeguarding patient data is no longer optional. From government fines to
customer rapport, encryption can save you from a lot of financial and
branding pain. Luckily, encryption and data security are becoming easier
for IT professionals and end users alike to manage, and as more healthcare
organizations implement it, it will only improve. Take the easier path, and
start encrypting today.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
