Encryption is Important, but is it Essential?


The health care industry is currently concentrating on reducing the vulnerability of protected health information (PHI). HIPAA is being reviewed to consider requiring encryption of all PHI. As the rule stands now, encryption is an "addressable" safeguard: a covered entity must assess whether encryption is reasonable and appropriate in its environment, implement it if so, and otherwise document why not and put an equivalent alternative measure in place. According to a report by Forrester Research, 41% of healthcare providers do not encrypt their data.

Security experts are divided on the value of encryption. They do agree, however, that encryption alone is not enough: procedures governing how employees handle data, and controls on who may access the system in the first place, must be in place as well.

Some believe that encryption is essential and that HIPAA needs to be strengthened overall. Encryption is especially important for mobile devices such as laptops and smartphones, because they are easily lost or stolen; if the data stored on the device is encrypted, whoever ends up with the device gets nothing usable. According to a survey administered by the Ponemon Institute, 49% of security breaches are due to missing mobile devices.

On the other hand, some believe that encryption can be counterproductive, because encrypting all portable media causes problems for some users. Another objection is that internal monitoring tools that look for "anomalous activity" cannot inspect data they cannot read. This concern applies mainly to data encrypted in transit; encryption at rest does not stop the application that decrypts the data from logging who accessed what. There are also high costs associated with encryption, unless an organization is already using a certified EHR, which must be capable of encrypting PHI.

Currently, the best defense against hacking is preventing the impersonation of authorized users. Organizations can use "two-factor" authentication, which combines something the user knows (a password) with something the user has, such as a hardware or software token. Note that a security question is a second piece of knowledge, not a second kind of factor, so on its own it adds little; the token is what stops an attacker who has only stolen a password. Another suggestion is network segmentation, so that a compromise of one workstation or server does not expose everything on a "flat network."
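To make the two-factor point concrete, here is an added example (not code from the original article or from any vendor it mentions) of a login check that requires both a password and a time-based one-time code from a token, following the HOTP/TOTP algorithms of RFC 4226 and RFC 6238. The user record, salt and password are constructed for the example; the shared secret "12345678901234567890" is the RFC test secret, chosen so the codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct

# --- One-time code generation (RFC 4226 HOTP, RFC 6238 TOTP) ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from the current time step."""
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Accept the code for the current step and `window` steps either side
    (tolerates clock drift). Constant-time comparison avoids leaking how
    many leading digits matched."""
    counter = int(at_time // step)
    ok = False
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta, digits)
        ok |= hmac.compare_digest(expected, submitted)
    return ok


# --- Constructed user store (hypothetical; a real system uses a database) ---

PBKDF2_ROUNDS = 100_000
_SALT = b"constructed-salt-for-example"

USERS = {
    "dr.smith": {
        "salt": _SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple",
                                       _SALT, PBKDF2_ROUNDS),
        "totp_secret": b"12345678901234567890",  # RFC 4226/6238 test secret
    }
}


def authenticate(username: str, password: str, code: str, at_time: int) -> bool:
    """Two-factor login: both the password (something known) and the
    one-time code from the token (something possessed) must verify.
    Both checks always run so the response time does not reveal which
    factor failed."""
    user = USERS.get(username)
    if user is None:
        # Burn comparable work for unknown users to avoid a timing oracle.
        hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, PBKDF2_ROUNDS)
        return False
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS),
        user["pw_hash"],
    )
    code_ok = verify_totp(user["totp_secret"], code, at_time)
    return pw_ok and code_ok


if __name__ == "__main__":
    secret = USERS["dr.smith"]["totp_secret"]
    # At Unix time 59 the token shows the code for time step 1.
    print("token shows:", totp(secret, 59))
    print("password + stolen code from 2 steps later:",
          authenticate("dr.smith", "correct horse battery staple", hotp(secret, 3), 59))
    print("password + current token code:",
          authenticate("dr.smith", "correct horse battery staple", totp(secret, 59), 59))
```

The `window` parameter is the usual trade-off: a wider window tolerates more clock drift on the token but also accepts more stale codes, so a replayed code stays valid longer. A production deployment would additionally record the last step accepted for each user and refuse any code at or before it, and rate-limit attempts so the 6-digit space cannot be brute-forced.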

Summary by MedicalGroups.com

