Encryption grows as an important line of defense
As security risks multiply, making data unreadable is key to protecting patient information.
Ransomware. Malware. Phishing attacks. Medical device vulnerabilities. Hackers probing for network gaps.
These are among the consistent challenges for healthcare IT and security executives. With so many gambits to access systems, protecting data has become paramount. The use of data encryption software is a powerful weapon in that regard, but one that’s used on a fragmented basis.
Healthcare organizations have multiple information systems and not all of them are encrypted, so the organizations remain unprotected, says Will Long, chief information security officer at Children’s Health in the Dallas area with three hospitals and 35 sites of care. “A lost laptop not encrypted still is one of the biggest causes of a data breach.”
As providers face more security challenges, they’re taking a fresh look at encryption technology.
Encryption encodes data so only authorized personnel can access the data with a decryption key.
There are three primary ways encryption protects data, says Keith Fricke, principal consultant at twSecurity, a consulting firm. The first is data in motion, under which data is encrypted as it moves across a network from one system to another. Data at rest means a file is encrypted, or the disk storage on which data resides is encrypted. The third option is database encryption, which converts the plain-text data in a database into an unreadable form using a secret code.
Encryption can and should be widely deployed, experts say. For example, all USB thumb drives in an organization should be encrypted, Fricke advises. Healthcare organizations should make sure that encryption put on employee laptops is seamless, with the encryption tied to the user’s login on the laptop. If an employee logs in and tries to open a file, the encryption system should decrypt and show the file.
However, encryption is not a panacea for data protection—it won’t cure all of an organization’s security ills, notes Sean Murphy, vice president and chief information security officer at Premera Blue Cross. Still, it is a foundational protection strategy.
“Much like HIPAA is just the floor for a mature information protection strategy, encryption is a baseline standard for data at rest and in transit,” Murphy explains. “You really cannot make an operational or clinical argument against encryption of data with the sophistication of cypher technologies and computational power these days.”
The effectiveness of encryption is best viewed from a defense-in-depth approach, he continues. Encryption by itself makes it harder for an adversary to gain access, but that’s just a start. “You need robust identity and credential protection, and monitoring as well,” says Murphy. “Without these controls, encryption is ineffective, because a stolen credential could allow unauthorized access because the correct decryption keys are present.”
Murphy increasingly is focusing attention on encryption of text messages and SMS messaging from one phone to another phone. As patients and other customers are adopting or demanding more mobile apps for communication, Premera developers are providing tools to put information and care where members are. “That interaction may involve sharing protected health information so protection of the data in transit is required, as we do for traditional email communications.”
Finding a safe harbor
Large healthcare entities are more likely to use encryption because a big breach can be so difficult and expensive to resolve, and any breach can impact many patients, says Linn Freedman, chair of the data privacy and cybersecurity team at the Robinson & Cole law firm.
If an encrypted laptop, desktop computer or other device is stolen or lost, the organization does not need to notify patients or the HHS Office for Civil Rights, which regulates the breach notification rule, Freedman explains. It is as if the incident never happened. The same is true under most state laws, she adds, so larger organizations use encryption for risk reduction. That’s based on the premise that a hacker can’t decipher and use encrypted data.
But there is a caveat, Freedman notes. “Hackers still can use phishing emails, so unless the organization has every bit of data encrypted, hackers can get in through email.” Then, a hacker can not only get health information but finance and payroll data as well.
“Encryption is getting to the point where it is absolutely necessary, especially with mobile devices,” says Heather Roszkowski, network chief information security officer at University of Vermont Health Network. “To pick the right encryption, understand what you want the product to do, such as cover email, mobile devices or information systems. Talk to other organizations using the encryption being considered and ask how difficult it is to deploy and the level of user satisfaction. We also switch vendors as the network becomes more complex if we need to.”
Erik Decker, chief information security officer at the University of Chicago Medicine, works for a provider that has sophisticated individuals and resources to make the organization less susceptible to attackers. He worries about smaller shops that don’t have the resources to match the threat level.
That’s why Decker is leading a task group working with the Department of Health and Human Services to develop cybersecurity guidance, including proper use of encryption, for hospitals and practices of all sizes. But not everyone is getting the message.
Some small organizations believe they are too small to be attacked, Decker says. They don’t appreciate the potential impact if they are attacked and lack protection from encryption and other security tools.
“We’re trying to raise the level of awareness for small and medium practices and show them how an incident would relate to their own practices,” Decker explains.
That said, encryption is important but it’s not a silver bullet, he adds. “There are a lot of different types of encryption and some do nothing, so be careful about what you are buying.”
It is easy for a provider, insurer or vendor to become complacent because it is using encryption, and so fail to see big holes in its security posture.
For example, a hard drive at a hospital may be encrypted and the information it holds is protected. But if an employee’s computer does not have antivirus software, then when a Word or PDF file is opened, other files on the network can be infected.
“Once you boot up the operating system, malware is just another piece of software scrambling your files,” Long says.
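The boundary Murphy and Long describe, as an added example that is not from the article or from any product it mentions: a Go model of a laptop file under transparent encryption tied to the user's login. The names Vault, Enroll, Unlock, Lock and Read are hypothetical, and key derivation is simplified to salted SHA-256 (a real product would use a slow password KDF). While the session is unlocked, any code running as the user, including malware, reads plaintext; once locked, or on a lost powered-off laptop, only ciphertext remains.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Vault models a transparently encrypted laptop file: the ciphertext sits
// on disk; the key exists in memory only while the user's session is unlocked.
type Vault struct {
	salt, blob []byte // blob = 12-byte GCM nonce || ciphertext || GCM tag
	key        []byte // nil while locked
}

// deriveKey turns the login password into the file key. Salted SHA-256 is a
// stand-in here (assumption); a real product uses a slow KDF such as Argon2id.
func deriveKey(password string, salt []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return sum[:]
}

func gcm(key []byte) cipher.AEAD { // key is always 32 bytes, so no errors
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// Enroll encrypts the file under the key derived from the user's password.
func Enroll(password string, plaintext []byte) *Vault {
	salt, nonce := make([]byte, 16), make([]byte, 12)
	rand.Read(salt)
	rand.Read(nonce)
	g := gcm(deriveKey(password, salt))
	return &Vault{salt: salt, blob: g.Seal(nonce, nonce, plaintext, nil)}
}

// Unlock is login: whoever presents the password now holds the session key.
func (v *Vault) Unlock(password string) { v.key = deriveKey(password, v.salt) }

func (v *Vault) Lock() { v.key = nil } // logout or power-off: only ciphertext remains

// Read is what any process in the unlocked session, malware included, sees;
// a wrong password at Unlock surfaces here as a GCM authentication error.
func (v *Vault) Read() ([]byte, error) {
	if v.key == nil {
		return nil, errors.New("locked: only ciphertext is available")
	}
	return gcm(v.key).Open(nil, v.blob[:12], v.blob[12:], nil)
}
```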