Meaningful Use impact on data encryption could be positive


I recently had a conversation with a computer security consultant who has worked in both banking and healthcare. He rated data security as very poor in most healthcare organizations, and said that banks do a far better job of protecting their sensitive information. What he said jibed with the long list of security breaches--major and minor--that have been reported over the past year.

One of the simplest methods to safeguard data is simply to encrypt all information stored on end-user devices. Not only does that make it harder for hackers to steal the data, but it also lessens the chance that the loss or theft of laptops and other mobile devices will compromise personal health information (PHI).

Of 385 security incidents involving 500 or more individuals since 2009, for example, 55 percent involved unencrypted devices or media, Redspin--which tracks security breaches--reported last month. In 2011, according to the firm, data breaches involving unencrypted devices quintupled.

The proposed Meaningful Use Stage 2 rules encourage--but do not require--encryption of PHI. One of the core requirements for both hospitals and eligible providers reads as follows:

"Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process."

As the Redspin post referenced above pointed out, this falls short of a mandate. But it does go a step beyond Stage 1, which only requires a security analysis. Moreover, the Redspin piece interpreted the Stage 2 provision to mean that organizations should consider encryption as part of their risk analysis and use alternative security methods where encryption would not be "reasonable and appropriate."

Farzad Mostashari, National Coordinator for Health IT, emphasized this point strongly in a press conference at last month's Healthcare Information and Management Systems Society's (HIMSS) annual conference in Las Vegas. Mostashari said that in Meaningful Use Stage 2, electronic health records would have to encrypt PHI "unless there is a good reason not to." Certified EHRs, he said, would have to be able to encrypt data by default on all devices where information is stored.

Encryption is only one part of protecting PHI, and there are many other sophisticated methods of ensuring data security. For example, many CIOs are looking at virtual desktop models to increase security and avoid having to store PHI on either PCs or mobile devices. But it appears that the combination of the Meaningful Use Stage 2 regs and the accompanying rules for EHR certification will make it increasingly difficult to avoid encrypting personal health information. - Ken