Should HIPAA be Expanded to Improve Defenses Against Hackers?

The recent massive data breach at Anthem Inc. has brought the HIPAA Privacy and Security Rules under the spotlight, with many asking whether the legislation – in its current form – goes far enough to protect the privacy of patients and health plan members.

The Anthem breach could potentially have been avoided had the insurer used full data encryption along with the appropriate security controls to keep the security keys private. HIPAA Rules could certainly be tightened to improve data security, but that is no guarantee that healthcare organizations would comply promptly and implement those additional controls.

HIPAA does not currently require an organization to use data encryption, only that the issue be addressed. Encryption is therefore effectively voluntary, and according to a Forrester Research report released in September 2014, only 59% of healthcare organizations had implemented full-disk encryption or partial encryption of healthcare data.

Before covering the question of whether legislation needs to be tightened, here is a refresher of what legislation has been introduced to date and how the Act has changed to improve data security standards (a full history of the legislation can be found on our ‘HIPAA History’ page).

A Brief History of HIPAA Privacy and Security Measures

The Health Insurance Portability and Accountability Act was first introduced in 1996 and has since been adapted to keep pace with technology. It now requires covered entities to adopt a number of privacy and security measures to keep the data of their patients, plan members and employees protected and secure.

The Act has been instrumental in bringing about change in the healthcare industry and introducing minimum standards for data security. Over almost two decades the legislation has helped the healthcare industry bring its policies, practices and IT systems up to date. Compliant healthcare providers and insurers have now implemented a number of security controls – administrative, technical and physical – to safeguard ePHI and personal information and prevent unauthorized access to data.

Since HIPAA was first introduced it has been amended on a number of occasions. The Meaningful Use Program was introduced to encourage healthcare providers to switch from paper files to Electronic Health Records (EHRs), and the HITECH Act that followed addressed the issues of controlling access to electronic health records and making sure they were properly protected.

This led to the introduction of the HIPAA Privacy Rule and HIPAA Security Rule, which fine-tuned HITECH regulations and addressed a number of critical privacy and security issues. Further amendments were made with the introduction of the Omnibus Rule, while the Enforcement Rule ensured that the legislation could be policed effectively and penalties issued for non-compliance and preventable data breaches.

One of the main purposes of HIPAA legislation is to force the healthcare industry to adopt a number of safeguards and to ensure there is a minimum national security standard for healthcare data.

Enforcing HIPAA Legislation

The Act has been largely successful, but the healthcare industry has been slow to implement the changes that the Privacy, Security and Omnibus Rules demand. HIPAA legislation may set the standard, but unless the industry is monitored and the legislation properly policed, full adoption of the measures HIPAA requires will be slow.

The Department of Health and Human Services’ Office for Civil Rights has been policing HIPAA more rigorously in recent years and introduced a compliance audit program in late 2011. The pilot audit of 115 healthcare organizations revealed that numerous violations were being committed and that covered entities were significantly failing to implement the necessary controls. IT security was simply not a major concern for many healthcare providers.

The second round of audits has been delayed, and while the start date has not yet been announced they are expected to begin this year. A permanent audit program could well follow.

The OCR issued a number of heavy fines in 2013 and there were even more major settlements in 2014 with organizations that had committed serious HIPAA violations and caused large scale exposure of healthcare data.

Does HIPAA Go Far Enough?

Legislation updates are unlikely to bring about fast change in the healthcare industry, as data privacy and security rules introduced in 2000 and 2003 are still not universally followed. Instead of increased legislation, it is perhaps better to concentrate on enforcing the rules that have already been introduced.

The OCR has now implemented a new web portal to streamline the collection of documents by auditors, which should make the process more efficient and allow the OCR to conduct more audits in the future. Improved guidance on how to achieve compliance would also certainly be welcomed.

Making data encryption mandatory is one amendment that could have a major impact on data security and prevent many breaches, although it is not the only method that can provide the required protection, and encryption itself is not infallible.

Data Encryption is Not a Universal Solution

According to a statement released by Anthem, its spokeswoman, Kristin Binns, advised the Associated Press that “the hacker had a system administrator’s ID and password, which would have made encryption a moot point”.

Even if the data had been encrypted, the encryption key would have been accessible to the attacker and the protection rendered useless. The hacker was able to steal numerous login names and passwords and gain access to everything, which would have bypassed encryption had it been in place.

Questions are being asked about how an insurer of this scale – holding such a large volume of records – could have failed to use data encryption, although the real question is how the hacker was able to gain access to 80 million sensitive records so easily.

Simply encrypting data is not sufficient to prevent data breaches. Thieves may not be able to read encrypted data without the key, but if they are able to obtain that key, encryption offers no protection.

Multi-layered security is therefore required, and data encryption can be an important part of it, provided healthcare IT systems also have additional administrative and technical controls to protect data and the keys themselves.

Protection of Data Stored on Mobile Devices

It is not the threat from hackers that makes the case for mandatory encryption, but the volume of data breaches in recent years that could have been prevented had data encryption been used.

Data exposure from the loss or theft of mobile devices is something that can easily be prevented with data encryption, and given the number of devices lost or stolen over the past two years, a legislative update covering these devices is likely to substantially improve privacy protection.

That will be something for the Senate Health, Education, Labor and Pensions Committee to discuss, and it is a question likely to cause much debate over the coming weeks and months.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.