A hospital’s primary goal is, of course, to improve clinical outcomes—to heal the sick and to cure what ails us. In the process of curing people, healthcare providers and physician practices are generating data at a record pace. All of this data needs to be stored—and it needs to be stored safely.
To complicate matters, IT departments must be cognizant of other influences. Not only must they protect patient data, but they must make certain it remains accessible to all stakeholders. The need to balance information security with information access is a long-standing healthcare conundrum that precludes utilizing certain complex storage architectures that might otherwise be effective.
Additionally, IT departments are expected to keep costs down, paying heed to budgetary restraints, like every other department. And then there is the elephant in the room—HIPAA.
HIPAA: The Law of the Land
HIPAA’s privacy and security regulations dictate that protected health information (PHI) be rendered “unusable, unreadable, or indecipherable to unauthorized individuals.” At this point in time, encryption is key to ensuring the safety of data that is being transmitted or stored. It is optimal, in our estimation, to seamlessly encrypt data, in storage and in motion, so that sensitive data is never compromised. While HIPAA guidelines were designed to protect patients’ privacy, it has also created a wonderful legal—and financial–impetus for healthcare organizations to protect private information. Failure to protect data, per HIPAA, can result in fines and huge remediation expenses. In other words, it pays to keep data safe and sound.
Shooting at a Moving Target
Let us first consider data “in motion.” That would include the mountain of email we send and receive daily, our Skype calls and instant messages, our public and private social media posts, file transfers to the cloud, and a plethora of other digital data exchanges. While transmitting data has become increasingly effortless, it has also made data more vulnerable to exposure to unauthorized parties.
Data at Rest
After our sensitive and (hopefully) private data is received, it will be opened, accessed, unencrypted, evaluated, shared and, ultimately, stored. These “resting places” include the hard drives on desktop computers; laptops and peripheral drives; backed-up copies on local networks or internally-managed archiving systems; and data we’ve whisked off to the cloud.
The fact is, sensitive data is everywhere, in motion and at rest. When data is encrypted, it is rendered unusable to unauthorized sources. When it is left unencrypted, all sorts of negative consequences can occur. So why don’t we always encrypt?
With frightening regularity, the news media publishes stories of data breaches. It seems no one is immune to hackers and data mishaps. Governments, major corporations, credit card companies, banks, celebrities, healthcare providers and even media outlets have been victimized. In many of these cases, the resultant damage could have been mitigated had the data simply been encrypted. What’s holding us back?
There is a perception that encryption is complicated, unwieldy and simply not worth the effort. Isn’t a data breach one of those things that happens to someone else? Likewise, as individuals, we prefer to react to things, rather than be proactive. That’s our nature. We’ll wait until the roof starts to leak before we’ll replace weathered shingles. We’ll react to the loss of a company-loaned laptop, rather than make sure, in advance, that the data stored on a laptop is secure. And, in some cases, our legacy encryption systems simply can’t protect the data we’re generating today.
Steps toward Security
- Help your corporate decision-makers understand the depth of the consequences of data breach. Not only can your organization be fined for the breach of PHI, but the public notice requirement now means your organization’s reputation is at stake. The expense of developing an encryption policy to protect your confidential data, in motion and at rest, is a marginal expense, by comparison.
- Develop an arsenal of policies for protecting data. At the top of this list should be an employee-targeted policy for encrypting data transmitted on any company-owned or personal device. Require that all confidential material be sent in a secure fashion when using email, file transfer, text message or social media post.
- Another policy should explain, in specific terms, how data should be encrypted when stored on file servers, ftp sites, databases, content management systems and other content-distributing networks.
- To add “teeth” to your encryption strategy, compose a guideline to address the consequences of a violation of your corporate encryption policies and the use of personal devices for transmitting sensitive data.
- Finally, there are myriad encryption solutions available. It is critical to select an appropriate solution that suits your specific needs. Develop an intimate understanding of your confidential data—who has it; where it’s located within your system; and the potential repercussions of a data breach. This will go a long way in helping you choose appropriate encryption software and data storage providers.
In the modern healthcare environment, sensitive and confidential data is ubiquitous. While encryption is the key to the safety and security of this data, it may be even more critical to develop encryption policies that are fully embraced by employees. There is no good reason for not encrypting confidential data. Your patients—and your organization—will benefit from it.