The massive hacks at Anthem and Community Health Systems should boost the use of data-encryption technology, but the high-tech tool may not keep sensitive information from the clutches of sophisticated hackers, experts say.
The cyberattacks, which officials say may have come from China, exposed personal information on tens of millions of individuals—more than the populations of California, Texas, Nevada and New York combined.
Hospitals and physician practices have been criticized for failing to mask their data. A Healthcare Information and Management Systems Society survey last year found about three-fourths of hospitals and half of physician practices used some form of encryption.
What's needed now is a level of data protection as sophisticated as the criminal and state-backed hackers haunting the networks where data flow. “There is no silver bullet,” said Ken Westin, senior security analyst with Tripwire, a Portland, Ore.-based data security firm. “One tool isn't going to cut it. There is a whole policy that needs to be implemented.”
President Barack Obama signed an executive order Friday calling for the creation of a national cybersecurity framework to reduce risks to “critical infrastructure” that includes systems and assets for “national public health or safety.”
In a security summit address before the signing, Obama said Internet technology that connects the nation “empowers us to do great good, can also undermine us to do great harm.”
In the wake of its breach of 4.5 million records, CHS said it would add encryption as well as audit and internal surveillance technologies to its defenses.
But Anthem spokeswoman Kristin Binns said encryption probably wouldn't have protected the company's 80 million stolen records because of the high level of administrative access obtained by the intruders.
Meanwhile, the federal government still isn't requiring the healthcare industry to use encryption, which electronically scrambles information and renders it unintelligible to any computer or reader without a decryption key.
Policymakers running the $28 billion electronic health-record incentive payment program require participating vendors to include data encryption technology in their software, but it can be turned off by providers without losing meaningful-use incentive payments.
“A very small business might approach what's the right security for it that's different than for a very large business,” said Lucia Savage, an official in the Office of the National Coordinator for Health Information Technology. The safe harbor is an incentive to encrypt, she said, but, “It's up to the businessperson to decide whether to take advantage of the incentive.”