HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Data Breach Report Demonstrates Why Healthcare Data Encryption is Essential

The California State Attorney General has released a damning report on the state of data security in the healthcare industry, and in doing so has highlighted an essential need for the healthcare industry to encrypt patient data on all mobile devices, such as laptops and smartphones.
70% of the data breaches that affected the healthcare industry in California involved the loss or theft of portable hardware on which protected health information was stored. In other industries, breaches of this nature accounted for only 19% of reported breaches.
The healthcare industry is particularly vulnerable due to the nature of the data stored and its value to thieves. The wide range of portable devices used in the healthcare industry also makes it an easy target for cybercriminals.
According to the report, between 2012 and 2013 there were 25 data breaches affecting the healthcare industry which accounted for 15% of the total number of data breaches reported for the year and involved 1.5 million potentially compromised records. The retail industry was hit particularly hard with 43 breaches which accounted for 84% of the total data breaches and involved 15.4 million records.
The data breaches affecting the retail industry were mostly caused by malware, which accounted for 88% of the total number of incidents during this period. In contrast to all other industries, malware is not a major issue for the healthcare sector and accounted for only 9% of data breaches.
With loss and theft of devices at the top of the list of causes, it is clear that robust data encryption is essential in order to protect confidential health information. It may not be possible to prevent the theft or misplacing of mobile devices; however, encryption makes it possible to stop the data on them from being accessed by unauthorized individuals. Data encryption should similarly be used to transmit data securely.
Organizations are required to submit notices of data breaches to advise consumers of any data which has potentially been viewed by unauthorized third parties. Since the office of the Attorney General must also receive copies of these communications, it is in the unique position of being able to monitor the quality of data breach communications which are being sent.
The report references these communications and questions the use of college-level language to explain data breaches to Americans, who on average have an eighth-grade reading level. When data breaches occur, notifications should communicate the issue in language the average American will be able to fully understand.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.