Encryption is widely described as one of the best tools for protecting your data against attack. For many companies that process credit card payments, encrypting data is required for compliance with standards such as PCI DSS and with individual state laws. If you are in the healthcare industry, it matters even more, precisely because HIPAA does not strictly require it: the Security Rule lists encryption as an "addressable" specification rather than a mandatory one, so organizations that are not forced to adopt it often skip it and carry the full risk themselves.
What is encryption? It transforms your data with a mathematical algorithm so that it is unreadable to anyone who does not hold the secret key needed to reverse the process. Many algorithms and key lengths are in use, but the one approved by the National Institute of Standards and Technology is the Advanced Encryption Standard (AES); with a 256-bit key, commonly written AES-256, it is the same standard the federal government uses to protect classified information.
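To make the idea concrete, here is an added example (not code from the original article) that encrypts a patient record with AES-256 in GCM mode using only Go's standard library. The record contents, the record identifier and the key are constructed for illustration. It shows the three properties a practitioner cares about: the right key recovers the data, a different key (what an attacker holding a stolen drive has) recovers nothing, and any alteration of the stored blob is detected rather than silently decrypted to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeySize is 32 bytes: AES with a 256-bit key, i.e. AES-256.
const KeySize = 32

// NewKey returns a fresh random 256-bit key. In production the key comes from a
// KMS or HSM and is stored separately from the data it protects, never on the
// same disk or laptop as the ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. recordID is bound as associated
// data so a ciphertext cannot be quietly swapped onto another patient's record.
// Output layout: nonce || ciphertext || 16-byte authentication tag.
func Seal(key, recordID, plaintext []byte) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 random bytes, unique per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext and tag to the nonce we pass as dst.
	return gcm.Seal(nonce, nonce, plaintext, recordID), nil
}

// Open reverses Seal. It returns an error if the key is wrong, the record ID
// does not match, or any byte of the blob was altered.
func Open(key, recordID, blob []byte) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, recordID)
}

func main() {
	// Constructed sample PHI record and identifier, not real patient data.
	record := []byte(`{"patient":"Jane Doe","dob":"1970-01-01","dx":"E11.9"}`)
	recordID := []byte("mrn-000123")

	key, _ := NewKey()
	blob, _ := Seal(key, recordID, record)
	fmt.Printf("stored on disk: %x... (%d bytes)\n", blob[:16], len(blob))

	pt, err := Open(key, recordID, blob)
	fmt.Println("correct key:", err == nil && string(pt) == string(record))

	otherKey, _ := NewKey()
	_, err = Open(otherKey, recordID, blob)
	fmt.Println("wrong key (stolen drive, no key):", err)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, recordID, tampered)
	fmt.Println("tampered ciphertext:", err)
}
```

GCM was chosen over a bare block mode because it authenticates as well as encrypts; a stolen or corrupted blob fails closed instead of decrypting to plausible-looking nonsense. The only thing that makes the stolen-hardware scenario safe is that the key lives somewhere else, which is why key management matters as much as the algorithm.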
While other industries were quick to adopt encryption, healthcare has lagged. Hospitals have repeatedly reported breaches of sensitive data after unencrypted files or devices were stolen.
What happens if you decide not to encrypt your data? You leave your business open to an enormous amount of risk. When something is optional, chances are you will not do it. But when it comes to sensitive information, failing to use every available protection invites others to take advantage of you. Not everything has to be encrypted, of course. The practical approach is to decide which specific records and systems hold data worth protecting, encrypt those, and plan your key management accordingly.
To get you started, here are four benefits of encrypting your data:
- If your hardware is stolen, encrypted data is not necessarily breached, provided the encryption keys were not stored on the same device and compromised along with it. That distinction can save you thousands or even millions in fines and fees from card brands or regulators if you must comply with HIPAA or PCI DSS.
- If you are in the healthcare industry, you can also save money when encrypted data is stolen but not compromised, because HHS treats properly encrypted PHI as "secured" and does not require breach notification for it. The notification rules for unsecured PHI are also lighter for small incidents: if fewer than 500 individuals are affected, the covered entity (such as a hospital or physician's office) may report to the Secretary of HHS annually, within 60 days after the end of the calendar year in which the breach was discovered, although the affected individuals themselves must still be notified without unreasonable delay and no later than 60 days after discovery.
- Medical identity theft is harder to detect than credit card fraud and more profitable. Thieves use stolen records to obtain prescription drugs fraudulently or to bill insurers (especially Medicare) for services never rendered, often producing millions of dollars in losses and long-running headaches for patients and providers alike. Encrypting protected health information (PHI) keeps would-be thieves from reading the data even when they manage to get hold of it.
- The HITECH Act does not literally mandate electronic health records, but its incentive payments and later penalties have pushed nearly every provider to adopt them, so there is a greater reason than ever to keep medical information as protected as possible. The law's standards agenda practically begs for encryption, calling for "security methods to ensure appropriate authorization and electronic authentication of health information and specifying technologies or methodologies for rendering health information unusable, unreadable or indecipherable." It also calls for technologies that "allow individually identifiable health information to be rendered unusable, unreadable or indecipherable to unauthorized individuals when such information is transmitted in the nationwide health information network or physically transported outside of the secured, physical perimeter of a health care provider, health plan, or health care clearinghouse." The law never names encryption outright, but it is the obvious way to meet that description.
An important caveat: it is not just encryption you should invest in, but strong encryption. When "encrypted" data is breached, the attackers usually did not break the cipher; they exploited weak or misused cryptography. In both the Ashley Madison and VTech breaches, for example, attackers recovered users' passwords because MD5-based hashing was in use where a slow, salted password hash such as bcrypt belonged. Strong encryption in practice means a current algorithm in an authenticated mode (AES-256-GCM, for instance), a unique nonce per message, and keys generated randomly and stored apart from the data. Once you have decided which data is worth protecting, make sure it is protected well.
Encryption is one layer of the defense in depth needed to mitigate the risk of unauthorized access, not a catch-all. Pair it with other proactive measures, such as web application firewalls and two-factor authentication, so that attackers are kept out in the first place and your sensitive data stays unreadable if it should still fall into the wrong hands.