Skip to main content
Subscribe
  • Sign Up Free
  • Login
  • Subscribe
  • News
    • Current News
    • Providers
    • Insurance
    • Government
    • Finance
    • Technology
    • Safety & Quality
    • Digital Health
    • Transformation
    • ESG
    • People
    • Regional News
    • Digital Edition (Web Version)
    • Patients
    • Operations
    • Care Delivery
    • Payment
    • Midwest
    • Northeast
    • South
    • West
  • Opinion
    • Bold Moves
    • Breaking Bias
    • Commentaries
    • Letters
    • Vital Signs Blog
    • From the Editor
  • Events & Awards
    • Awards
    • Conferences
    • Galas
    • Virtual Briefings
    • Webinars
    • Nominate/Eligibility
    • 100 Most Influential People
    • 50 Most Influential Clinical Executives
    • Best Places to Work in Healthcare
    • Excellence in Governance
    • Health Care Hall of Fame
    • Healthcare Marketing Impact Awards
    • Top 25 Emerging Leaders
    • Top Innovators
    • Diversity in Healthcare
      • - Luminaries
      • - Top 25 Diversity Leaders
      • - Leaders to Watch
    • Women in Healthcare
      • - Luminaries
      • - Top 25 Women Leaders
      • - Women to Watch
    • Digital Health Transformation Summit
    • ESG: The Implementation Imperative Summit
    • Leadership Symposium
    • Social Determinants of Health Symposium
    • Women Leaders in Healthcare Conference
    • Best Places to Work Awards Gala
    • Health Care Hall of Fame Gala
    • Top 25 Diversity Leaders Gala
    • Top 25 Women Leaders Gala
    • - Hospital of the Future
    • - Value Based Care
    • - Hospital at Home
    • - Workplace of the Future
    • - Digital Health
    • - Future of Staffing
    • - Hospital of the Future (Fall)
  • Multimedia
    • Podcast - Beyond the Byline
    • Sponsored Podcast - Healthcare Insider
    • Video Series - The Check Up
    • Sponsored Video Series - One on One
  • Data Center
    • Data Center Home
    • Hospital Financials
    • Staffing & Compensation
    • Quality & Safety
    • Mergers & Acquisitions
    • Data Archive
    • Resource Guide: By the Numbers
    • Surveys
    • Data Points
  • Newsletters
  • MORE+
    • Contact Us
    • Advertise
    • Media Kit
    • Jobs
    • People on the Move
    • Reprints & Licensing
MENU
Breadcrumb
  1. Home
  2. Insurance
February 07, 2015 12:00 AM

No encryption standard raises healthcare privacy questions

Associated Press
  • Tweet
  • Share
  • Share
  • Email
  • More
    Reprints Print

    Insurers aren't required to encrypt consumers' data under a 1990s federal law that remains the foundation for healthcare privacy in the Internet age — an omission that seems striking in light of the major cyberattack against Anthem.

    Encryption uses mathematical formulas to scramble data, converting sensitive details coveted by intruders into gibberish. Anthem, the second-largest U.S. health insurer, has said the data stolen from a company database that stored information on 80 million people was not encrypted.

    The main federal health privacy law—the Health Insurance Portability and Accountability Act—encourages encryption, but doesn't require it.

    The lack of a clear encryption standard undermines public confidence, some experts say, even as the government plows ahead to spread the use of computerized medical records and promote electronic information sharing among hospitals, doctors and insurers.

    "We need a whole new look at HIPAA," said David Kibbe, CEO of DirectTrust, a nonprofit working to create a national framework for secure electronic exchange of personal health information.

    "Any identifying information relevant to a patient ... should be encrypted," said Kibbe. It should make no difference, he says, whether that information is being transmitted on the Internet or sitting in a company database, as was the case with Anthem.

    Late Friday, the Senate Health, Education, Labor and Pensions committee said it's planning to examine encryption requirements as part of a bipartisan review of health information security. "We will consider whether there are ways to strengthen current protections," said Jim Jeffries, spokesman for chairman Lamar Alexander, R-Tenn.

    The agency charged with enforcing the privacy rules is a small unit of the federal Health and Human Services Department, called the Office for Civil Rights.

    The office said in a statement Friday that it has yet to receive formal notification of the hack from Anthem, but nonetheless is treating the case as a privacy law matter. Although Anthem alerted mainline law enforcement agencies, the law allows 60 days for notifying HHS.

    The statement from the privacy office said the kind of personal data stolen by the Anthem hackers is covered by HIPAA, even if it does not include medical information.

    "The personally identifiable information health plans maintain on enrollees and members — including names and Social Security numbers — is protected under HIPAA, even if no specific diagnostic or treatment information is disclosed," the statement said.

    A 2009 federal law promoting computerized medical records sought to nudge the health care industry toward encryption. Known as the HITECH Act, it required public disclosure of any health data breach affecting 500 or more people. It also created an exemption for companies that encrypt their data.

    Encryption has been seen as a controversial issue in the industry, particularly with data that's only being stored and not transmitted. Encryption adds costs and can make day-to-day operations more cumbersome. It can also be defeated if someone manages to decipher the code or steals the key to it.

    In fact, Anthem spokeswoman Kristin Binns said encryption would not have thwarted the latest attack because the hacker also had a system administrator's ID and password. She said the company normally encrypts data that it exports.

    But some security experts said a stolen credential by itself shouldn't be an all-access pass to encrypted data.

    Martin Walter, senior director at RedSeal Networks, a Silicon Valley cybersecurity firm, said encryption can be tuned to limit the data that even authorized users can view at one time. That makes it harder for an outsider to copy a whole stockpile of records.

    Under the HITECH law, the government set up a public database listing major breaches, known informally as the "hall of shame." Breaches on that list affected more than 40 million people over a decade, meaning that the Anthem case could be twice as damaging as all previous reported incidents combined.

    Indiana University law professor Nicolas Terry said it seemed at the time of the 2009 law that the government had struck a reasonable balance, creating incentives for encryption while stopping short of imposing a one-size-fits-all solution. Now he's concerned that the compromise has been overtaken by events.

    "In today's environment, we should expect all healthcare providers to encrypt their data from end to end," said Terry, who specializes in health information technology.

    If the voluntary approach isn't working, "HHS should amend the security rule to make encryption mandatory," he said.

    Letter
    to the
    Editor

    Send us a letter

    Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.

    Recommended for You
    surprise-billing_0.png
    SCAN, CareOregon help erase $110M in medical debt
    diversity2_i.png
    How Connecticut's Broker Academy targets health disparities
    Most Popular
    1
    More healthcare organizations at risk of credit default, Moody's says
    2
    Centene fills out senior executive team with new president, COO
    3
    SCAN, CareOregon plan to merge into the HealthRight Group
    4
    Blue Cross Blue Shield of Michigan unveils big push that lets physicians take on risk, reap rewards
    5
    Bright Health weighs reverse stock split as delisting looms
    Sponsored Content
    Daily Finance Newsletter: Sign up to receive daily news and data that has a direct impact on the business and financing of healthcare.
    Get Newsletters

    Sign up for enewsletters and alerts to receive breaking news and in-depth coverage of healthcare events and trends, as they happen, right to your inbox.

    Subscribe Today
    MH Magazine Cover

    MH magazine offers content that sheds light on healthcare leaders’ complex choices and touch points—from strategy, governance, leadership development and finance to operations, clinical care, and marketing.

    Subscribe
    Connect with Us
    • LinkedIn
    • Twitter
    • Facebook
    • RSS

    Our Mission

    Modern Healthcare empowers industry leaders to succeed by providing unbiased reporting of the news, insights, analysis and data.

    Contact Us

    (877) 812-1581

    Email us

     

    Resources
    • Contact Us
    • Advertise with Us
    • Ad Choices Ad Choices
    • Sitemap
    Editorial Dept
    • Submission Guidelines
    • Code of Ethics
    • Awards
    • About Us
    Legal
    • Terms and Conditions
    • Privacy Policy
    • Privacy Request
    Modern Healthcare
    Copyright © 1996-2023. Crain Communications, Inc. All Rights Reserved.
    • News
      • Current News
      • Providers
      • Insurance
      • Government
      • Finance
      • Technology
      • Safety & Quality
      • Digital Health
      • Transformation
        • Patients
        • Operations
        • Care Delivery
        • Payment
      • ESG
      • People
      • Regional News
        • Midwest
        • Northeast
        • South
        • West
      • Digital Edition (Web Version)
    • Opinion
      • Bold Moves
      • Breaking Bias
      • Commentaries
      • Letters
      • Vital Signs Blog
      • From the Editor
    • Events & Awards
      • Awards
        • Nominate/Eligibility
        • 100 Most Influential People
        • 50 Most Influential Clinical Executives
        • Best Places to Work in Healthcare
        • Excellence in Governance
        • Health Care Hall of Fame
        • Healthcare Marketing Impact Awards
        • Top 25 Emerging Leaders
        • Top Innovators
        • Diversity in Healthcare
          • - Luminaries
          • - Top 25 Diversity Leaders
          • - Leaders to Watch
        • Women in Healthcare
          • - Luminaries
          • - Top 25 Women Leaders
          • - Women to Watch
      • Conferences
        • Digital Health Transformation Summit
        • ESG: The Implementation Imperative Summit
        • Leadership Symposium
        • Social Determinants of Health Symposium
        • Women Leaders in Healthcare Conference
      • Galas
        • Best Places to Work Awards Gala
        • Health Care Hall of Fame Gala
        • Top 25 Diversity Leaders Gala
        • Top 25 Women Leaders Gala
      • Virtual Briefings
        • - Hospital of the Future
        • - Value Based Care
        • - Hospital at Home
        • - Workplace of the Future
        • - Digital Health
        • - Future of Staffing
        • - Hospital of the Future (Fall)
      • Webinars
    • Multimedia
      • Podcast - Beyond the Byline
      • Sponsored Podcast - Healthcare Insider
      • Video Series - The Check Up
      • Sponsored Video Series - One on One
    • Data Center
      • Data Center Home
      • Hospital Financials
      • Staffing & Compensation
      • Quality & Safety
      • Mergers & Acquisitions
      • Data Archive
      • Resource Guide: By the Numbers
      • Surveys
      • Data Points
    • Newsletters
    • MORE+
      • Contact Us
      • Advertise
      • Media Kit
      • Jobs
      • People on the Move
      • Reprints & Licensing