Winning Support for Encryption
Consider Taking a 'Test Drive'
Despite the ever-growing list of healthcare information breaches involving the loss or theft of unencrypted devices and storage media, many organizations have yet to widely deploy encryption.
Our Healthcare Information Security Today survey shows that only 60 percent of organizations apply encryption to mobile devices, half encrypt backup tapes, and 45 percent encrypt portable storage media such as USB drives.
In one of our most popular stories in December, security expert Melodi Mosely Gates notes that a key reason why encryption isn't more widely used in healthcare is that some information technology specialists have outdated perceptions about the technology (see: Encryption: Overcoming Resistance).
"Ten years ago, encryption tools weren't very great," says Gates, an attorney at Patton Boggs LLP, Denver. Encryption technologies were expensive and dramatically slowed down the performance of other applications, she acknowledges. "But the tools have gotten much better," she stresses, and costs have substantially dropped.
Take a Test Drive
So Gates offers some practical advice on winning support for encryption: Launch small-scale pilots of encryption to demonstrate the technology is now practical and affordable.
While you're at it, be sure to educate encryption skeptics that under the HIPAA breach notification rule, breaches of data that have been properly encrypted do not need to be reported. And avoiding reporting just one major breach can save an organization thousands, if not millions, of dollars.
The cost of encryption can be kept under control, Gates says, if organizations prohibit data storage on many mobile devices, including laptops and smart phones. "It's a great alternative to encryption."
In the year ahead, as more organizations make strides in implementing electronic health records, they need to conduct updated risk assessments and mitigate all the risks identified. Surely encryption should be at the top of the risk-mitigation to-do list.