Encryption: Overcoming Resistance

Test-Driving the Latest Technology Can Help Win Support
Encryption: Overcoming Resistance
One key reason why encryption isn't more widely used in healthcare is that some information technology specialists have outdated perceptions about the technology, contends security expert Melodi Mosely Gates.

"Ten years ago, encryption tools weren't very great," says Gates, an attorney at Patton Boggs LLP, Denver. Encryption technologies were expensive and dramatically slowed down the performance of other applications, she acknowledges. "But the tools have gotten much better," she stresses, and costs have substantially dropped. "That's the message that's important to carry to your technical team."

As a result, Gates advises security specialists to launch small-scale pilots of encryption to demonstrate the technology is now practical and affordable. Gates, who formerly served as chief information security officer at Qwest Communications, made her comments at the American Conference Institute's Healthcare Information Privacy and Security Forum Dec. 6 in Philadelphia.

Encryption Tips

Gates also notes:

See Also: Cyber Insurance Assessment Readiness Checklist

  • A key component of encrypting "data at rest" on servers and elsewhere is to conduct a detailed inventory of all hardware where protected health information is stored. Data cannot be adequately protected, she notes, until an organization knows everywhere it resides.
  • When encrypting "data in motion," organizations need to use virtual private networks for remote access to clinical information as well as secure e-mail for data transfer between individuals.
  • Encryption of mobile devices is a time-consuming project, but it's necessary when data is stored on devices. As a result, Gates advises organizations to give careful consideration to prohibiting data storage on many mobile devices, including laptops and smart phones. "It's a great alternative to encryption," she says.
  • Organizations should take advantage of data loss prevention software to help make sure sensitive patient information is encrypted before transmission. Gates also notes that organizations can use DLP to help enforce security policies and provide real-time user education. For example, DLP can send messages to users attempting to e-mail unencrypted sensitive information warning them that the action violates policy.

Security Priorities

HealthcareInfoSecurity's new Healthcare Information Security Today survey shows that:

  • Mobile device encryption and data loss prevention are among the top security technology investments that healthcare organizations plan for the coming year.
  • Only 60 percent of organizations apply encryption to mobile devices.
  • Improving mobile device security is one of the top information security priorities for the coming year.

HITECH Act's Impact

Another catalyst for growth in the use of encryption is the HITECH Act's electronic health record incentive program, which requires that participants use EHR software that includes encryption capability, notes Amy Leopard, partner at the law firm Walter & Haverfield LLP, Cleveland.

Leopard, another featured speaker at the conference, points out that as more organizations apply for incentives after adopting certified EHRs, more will encrypt clinical information. And that, she says, will be yet another key step toward making encryption a "standard for responsible data management" in healthcare.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.