The healthcare industry has been bombarded with calls to protect patient health information by encrypting it. Speaker after speaker at last week's eighth annual conference on safeguarding health information, co-sponsored by the National Institute of Standards and Technology and the Health and Human Services Department's Office for Civil Rights, brought this point home.
For instance, Deven McGraw, the new deputy director of OCR's health information privacy division, pointed out that encryption, while not required under HIPAA, is still a "best practice" and isn't optional--it still needs to be addressed.
Jocelyn Samuels, head of OCR, reminded attendees that encrypted data that is lost or stolen falls within a "safe harbor" and doesn't need to be reported to HHS. That's helpful, since OCR investigates every data breach of 500 or more individuals, which is common when an EHR is compromised. She went on to say, in announcing the latest resolution agreement settling allegations of HIPAA violations with a medical group that had an unencrypted laptop stolen, that encrypting data "reduces the likelihood of a breach of protected health information."
Encryption has been held out to be the paradigm.
So what are we to do when it's revealed that encryption doesn't protect patient data on EHRs?
A new study from Microsoft has found that encrypted EHR data can be surprisingly vulnerable to compromise. The researchers attacked real encrypted patient EHR data from 200 large and 200 small hospitals in four different ways and found "alarming" gaps. In some instances, the researchers could recover 100 percent of the data. And the numbers are likely higher than the study indicates, since the researchers only used what the stored encrypted database itself leaks and did not exploit the additional leakage from the queries run against it. The study also didn't target the weakest encryption schemes in the system.
What's worse is that the researchers offer no recommendations for stopping such leakage or for what entities can do to reduce the risks, as such studies often do. Instead, they conclude that this kind of encryption has "serious limitations" and warn that the systems they studied (CryptDB and Cipherbase), both of which encrypt columns in a way that still lets the database match and sort the ciphertexts so it can answer queries, should not be used "in the context of EMRs."
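The article does not spell out how encrypted records can leak, so the following is an added illustration, not code from the study or from CryptDB or Cipherbase. It models two classic inference attacks against the encryption those systems use to keep data queryable: frequency analysis against a deterministically encrypted column (where equal plaintexts encrypt to equal ciphertexts so equality queries still work), and a sorting attack against an order-preserving column (where ciphertexts sort like plaintexts so range queries still work). The key, the hospital patient counts, the "public" auxiliary distribution and the toy order-preserving encoding are all constructed for the example; no real patient statistics are used.

```python
import hashlib
import hmac
import random
from collections import Counter

# Everything below is constructed for illustration (key, counts, distributions).
SAMPLE_KEY = b"constructed-column-key"

# Auxiliary distribution an attacker might take from a public dataset
# (constructed numbers, not real statistics).
AUX_RACE = {"White": 0.62, "Black": 0.18, "Hispanic": 0.12,
            "Asian": 0.05, "Native": 0.02, "Other": 0.01}

MORTALITY_LEVELS = [1, 2, 3, 4]  # a small ordered domain, e.g. a risk score


def det_encrypt(key, value):
    """Deterministic encryption: equal plaintexts give equal ciphertexts, so the
    database can still run equality queries. Modeled here with a keyed PRF."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def make_ope(domain, seed):
    """Toy order-preserving encoding (constructed, not a real OPE scheme):
    strictly increasing random codes, so ciphertexts sort like plaintexts."""
    rng = random.Random(seed)
    codes, last = {}, 0
    for v in sorted(domain):
        last += rng.randint(1, 1000)
        codes[v] = last
    return codes


def expand(counts):
    """Materialize a column from {value: number_of_records}."""
    return [v for v, n in counts.items() for _ in range(n)]


def frequency_attack(ciphertexts, aux):
    """Rank ciphertexts by how often they occur, rank auxiliary plaintexts by
    expected frequency, and pair them rank for rank."""
    ct_ranked = [c for c, _ in Counter(ciphertexts).most_common()]
    pt_ranked = sorted(aux, key=lambda p: -aux[p])
    return dict(zip(ct_ranked, pt_ranked))


def sorting_attack(ciphertexts, domain):
    """If every domain value appears in the column (it is "dense"), the sorted
    distinct ciphertexts line up 1:1 with the sorted domain. Otherwise the
    plain sorting attack cannot tell which values are missing and gives up."""
    distinct = sorted(set(ciphertexts))
    if len(distinct) != len(domain):
        return None
    return dict(zip(distinct, sorted(domain)))


def recovery_rate(guess, ciphertexts, plaintexts):
    """Fraction of records whose plaintext the attacker guessed correctly."""
    hits = sum(1 for c, p in zip(ciphertexts, plaintexts) if guess.get(c) == p)
    return hits / len(plaintexts)


def run_frequency_attack(hospital_counts):
    plaintexts = expand(hospital_counts)
    ciphertexts = [det_encrypt(SAMPLE_KEY, p) for p in plaintexts]
    return recovery_rate(frequency_attack(ciphertexts, AUX_RACE),
                         ciphertexts, plaintexts)


def run_sorting_attack(hospital_counts):
    ope = make_ope(MORTALITY_LEVELS, seed=7)
    plaintexts = expand(hospital_counts)
    ciphertexts = [ope[p] for p in plaintexts]
    guess = sorting_attack(ciphertexts, MORTALITY_LEVELS)
    return 0.0 if guess is None else recovery_rate(guess, ciphertexts, plaintexts)


if __name__ == "__main__":
    # Hospital whose patient mix ranks the same way as the auxiliary data.
    typical = {"White": 600, "Black": 200, "Hispanic": 120,
               "Asian": 50, "Native": 20, "Other": 10}
    # Hospital whose ranking differs: frequency analysis mislabels the top groups.
    atypical = {"White": 300, "Hispanic": 400, "Black": 150,
                "Asian": 100, "Native": 30, "Other": 20}
    print("frequency attack, typical hospital :", run_frequency_attack(typical))
    print("frequency attack, atypical hospital:", run_frequency_attack(atypical))
    print("sorting attack, dense column       :",
          run_sorting_attack({1: 500, 2: 300, 3: 150, 4: 50}))
    print("sorting attack, sparse column      :",
          run_sorting_attack({1: 700, 3: 300}))
```

Two things worth noticing. The attacker never touches the key: a column that is encrypted so the database can still compare or order values leaks exactly the statistics the attacker needs, and the ciphertext of a low-cardinality field such as sex, race or a risk score is recovered for every record once the attacker knows what the distribution usually looks like. The failure modes are also instructive: the second hospital shows that frequency analysis degrades when the attacker's auxiliary data ranks the values differently from the target, and the sparse column shows that the plain sorting attack needs every domain value to be present. Neither limit helps a hospital much, since better auxiliary data and observed queries shrink both gaps, which is the point the study makes about its own results being conservative.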
This is troubling news, indeed.
I presume that others will conduct independent testing to corroborate or refute the findings. If they turn out to be accurate, then I hope that EHR and encryption developers will scurry to address these vulnerabilities.
But in the meantime, I hope organizations don't use this study as an excuse to dismiss the practice, throw up their hands and say "fuhgeddaboudit" when it comes to encryption.
For one, encryption may not be as foolproof as we had been led to believe, but it's still better protection than not encrypting data at all. At least when the data is encrypted, a hacker has to work harder to put the pieces together. Think of a burglar: like a burglar, a hacker is more likely to give up on a home with locked windows and an alarm system and move on to the next home that's less secure.
In addition, the law still says data encrypted pursuant to NIST specifications enjoys that do-not-report safe harbor should it be compromised. And the loss of encrypted EHR data is more defensible from a liability standpoint.
We know all too well that EHRs are vulnerable to cyberattack, user error and insider threats that compromise sensitive patient health information.