Franken Ponders Encryption Mandate
Accretive Breach Puts Spotlight on Prevention
Yet another high-profile breach involving a stolen unencrypted laptop is prompting Sen. Al Franken, D-Minn., to consider whether the nation needs an encryption mandate for healthcare information.
The HIPAA Security Rule stops short of explicitly mandating encryption. As I've said before, the time has come for some sort of mandate, given that more than half of the major breaches reported to federal authorities have involved lost or stolen unencrypted devices or media.
At a May 30 Senate hearing, Franken and others grilled executives from Accretive Health about the company's debt collection practices as well as its recent breach incident, both of which are under scrutiny as a result of the Minnesota attorney general's investigation and lawsuit. In the breach, an unencrypted laptop was stolen from the car of an Accretive employee. The device contained information on more than 20,000 patients.
At the hearing, Franken said he would investigate whether a new law, or a change in regulations, is needed to force healthcare organizations to encrypt laptops that store protected health information, according to media reports. A release from his office said he will review the testimony from the hearing "to determine if legislation is needed to ensure that our laws adequately protect the health privacy and quality of care of patients."
A spokesman for the senator told me Franken "is still in the very early stages of looking into potential legislation, so we don't want to get into any specifics."
Under the HIPAA Security Rule, encryption is "addressable," which means it must be implemented if doing so is reasonable and appropriate - which stops short of an outright mandate.
Two rules for Stage 2 of the HITECH Act electronic health record incentive program put the spotlight on encryption, but also stop short of a mandate. The proposed meaningful use rule for Stage 2 would require participants to conduct a security risk analysis that includes "addressing the encryption/security of data at rest." The proposed software certification rule for Stage 2 includes a provision that the software must be able to encrypt data on mobile devices in circumstances where the EHR technology manages the data flow on the mobile device. That means, for example, that if an EHR system manages data that's stored on a laptop, that data must be encrypted automatically, and the encryption function must be set up so that the average user cannot turn it off.
These two proposed provisions are both good steps. But the time has come for a true encryption mandate, at least for data on mobile devices, that applies to everyone - not just those participating in the EHR incentive program. So I'm hopeful that Sen. Franken and other members of Congress will move forward with legislation on this subject. And the best way to tackle the issue is to spell out a mandate by revising the HIPAA Security Rule.