It is another typical day in the healthcare news market. A laptop that may have had patient information on it is stolen or lost from a healthcare organization. It is unclear exactly what information was on the laptop, but because no one knows what happened to the laptop and because it was not encrypted, a large data breach has just occurred. With the mobility of technology on the rise, healthcare is vulnerable and susceptible to large data breaches due to the lack of security in health information. Over 64% of data breaches affecting over 500 individuals are due to theft or loss of media. The question is how many of these data breaches could have been prevented by encryption.
Under the HIPAA Security Rule, protected health information (PHI) is considered unusable, unreadable, or indecipherable in two separate cases:
Electronic PHI has been encrypted, both for data at rest and data in motion.
Media on which PHI is stored has been destroyed by shredding and sanitized so that PHI cannot be reconstructed or retrieved.
In both of the cases above, the information becomes secure PHI. Under the Breach Notification Rule, its loss is not considered a data breach and a covered entity is not required to report it, unless the encryption key has also been disclosed.
What exactly is encryption? Encryption is an algorithmic process that transforms data from original text into encoded text. The process provides security around the PHI, keeping it free from interception or alteration whether the data is at rest or in motion. Ultimately, with the use of encryption, there is a low probability that anyone other than the receiving party who has the key to decrypt the data would be able to gain access to the information.
As media in healthcare continue to become smaller and more mobile, healthcare organizations need to evaluate the use of encryption as a tool to help reduce the number of data breaches that are occurring. With proper use of encryption, healthcare organizations can feel more confident about the process of securing patient information and protecting against potential data breaches.