Encryption: Overcoming ResistanceTest-Driving the Latest Technology Can Help Win Support
"Ten years ago, encryption tools weren't very great," says Gates, an attorney at Patton Boggs LLP, Denver. Encryption technologies were expensive and dramatically slowed down the performance of other applications, she acknowledges. "But the tools have gotten much better," she stresses, and costs have substantially dropped. "That's the message that's important to carry to your technical team."
As a result, Gates advises security specialists to launch small-scale pilots of encryption to demonstrate the technology is now practical and affordable. Gates, who formerly served as chief information security officer at Qwest Communications, made her comments at the American Conference Institute's Healthcare Information Privacy and Security Forum Dec. 6 in Philadelphia.
Gates also notes:
- A key component of encrypting "data at rest" on servers and elsewhere is to conduct a detailed inventory of all hardware where protected health information is stored. Data cannot be adequately protected, she notes, until an organization knows everywhere it resides.
- When encrypting "data in motion," organizations need to use virtual private networks for remote access to clinical information as well as secure e-mail for data transfer between individuals.
- Encryption of mobile devices is a time-consuming project, but it's necessary when data is stored on devices. As a result, Gates advises organizations to give careful consideration to prohibiting data storage on many mobile devices, including laptops and smart phones. "It's a great alternative to encryption," she says.
- Organizations should take advantage of data loss prevention software to help make sure sensitive patient information is encrypted before transmission. Gates also notes that organizations can use DLP to help enforce security policies and provide real-time user education. For example, DLP can send messages to users attempting to e-mail unencrypted sensitive information warning them that the action violates policy.
HealthcareInfoSecurity's new Healthcare Information Security Today survey shows that:
- Mobile device encryption and data loss prevention are among the top security technology investments that healthcare organizations plan for the coming year.
- Only 60 percent of organizations apply encryption to mobile devices.
- Improving mobile device security is one of the top information security priorities for the coming year.
HITECH Act's Impact
Another catalyst for growth in the use of encryption is the HITECH Act's electronic health record incentive program, which requires that participants use EHR software that includes encryption capability, notes Amy Leopard, partner at the law firm Walter & Haverfield LLP, Cleveland.
Leopard, another featured speaker at the conference, points out that as more organizations apply for incentives after adopting certified EHRs, more will encrypt clinical information. And that, she says, will be yet another key step toward making encryption a "standard for responsible data management" in healthcare.