California AG: 'Still a long way to go' on healthcare encryption

Healthcare must do a better job of encrypting data, and not just on laptops and mobile devices, according to the annual California Data Breach Report from state Attorney General Kamala Harris.

In cyberattacks such as that against Anthem, once criminals breach the network, they find a treasure trove of unencrypted data.

The Anthem attack accounted for 10.4 million records of the 24 million records breached in the state during 2015, according to the report. Another attack on UCLA Health compromised 4.5 million records.

About 55 percent of compromised health records involved unencrypted data, as opposed to just 16 percent of breaches in other sectors, the report states. That's an improvement from 2014, when 70 percent of California healthcare breaches involved unencrypted data.

"The industry appears to be improving in its use of encryption to protect data on laptops and other portable devices, but there is still a long way to go in addressing this preventable type of breach," according to the report.

It recommends that healthcare organizations use multi-factor authentication for online consumer accounts and step up efforts to encrypt personal information on devices and computers.

In 2012, 68 percent of healthcare breaches were the result of stolen or lost equipment, compared with just 21 percent of breaches in other sectors, leading Harris to urge use of encryption on portable devices in previous reports. In 2015, lost or stolen equipment accounted for 39 percent of healthcare breaches and just 13 percent of breaches in other sectors.

California enacted a data breach notification law last October that set data encryption standards, as well as standards for defining personal information.

To learn more:
- here's the report