Blog: Getting serious about locking up the data
Encryption is a standard security procedure for moving patient information over the Internet, but not so much for patient records just sitting there on a computer not going anywhere.
So one thing that jumps out in the CMS' new Stage 2 meaningful-use rule is the increased emphasis on encryption for so-called data at rest—that is, patient-identifiable records on servers, hard drives and portable devices.
Under Stage 1 rules, providers are required to perform a risk assessment, as they are already required to do under the security provisions of the Health Insurance Portability and Accountability Act.
Now under Stage 2, they must give serious consideration to encrypting that data (PDF, see pages 132-136).
Why the change in emphasis?
We know from the number of breach incidents reported to the Office for Civil Rights at HHS that what the industry has done so far is—how can I put this delicately?—simply spew patient data with little regard for the consequences. You think I'm being too harsh?
In March, an OCR official, Susan McAndrew, said that more than 50,000 breaches had been reported to her agency since late 2009, when healthcare organizations were first mandated by the American Recovery and Reinvestment Act to notify the feds of their breaches. The ARRA also required the OCR to create a Web page and post information online about the larger breaches, those affecting 500 or more individuals.
Its "wall of shame" now lists 489 of these major breaches. Add them up and that's more than 21 million patient records that have been exposed to who knows whom and gone to who knows where.
The new CMS rule calls out this abominable record.
"Recent HHS analysis of reported breaches indicates that almost 40% of large breaches involve lost or stolen devices," the rulemakers said. "Had these devices been encrypted, their data would have been secured. It is for these reasons that we specifically call out this element" of the HIPAA security rule as a meaningful-use measure.
HHS rulemakers were careful to point out they are not members of Congress, not wanting to risk another dust-up on Capitol Hill.
"We did not propose to change the HIPAA security rule requirements or require any more than is required under HIPAA," the rulemakers said. "We only emphasize the importance of an EP (eligible professional) or hospital including in its security-risk analysis an assessment of the reasonableness and appropriateness of encrypting electronic protected health information as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure."
This increased emphasis on encryption of data at rest is in keeping with an earlier recommendation of the federally chartered Health Information Technology Policy Committee.
It could influence a big change by the industry, and one for the better.
Follow Joseph Conn on Twitter: @MHJConn.