The ultimate breach insurance policy: encryption
March 26, 2015 in Medical Technology
You don’t have to work in technology to know that hackers are getting more sophisticated. It seems like a new breach is in the news every week. But those of us who are dedicated to protecting healthcare data also spend a lot of time on something that’s just as demanding: complying with statutory and regulatory requirements, which are becoming increasingly severe.
Nearly every state in the U.S. has passed data breach laws, including costly breach notification requirements. These laws require that organizations not only notify the patients whose information was compromised, but sometimes state enforcement and credit agencies. HIPAA has its own Breach Notification law and some state privacy laws cover data breaches as well. Though not a healthcare organization, Wyndham Hotels was sued by the Federal Trade Commission for losing credit card data — another example of the many institutions invested in regulating IT security.
The combined costs of just one breach are staggering. You’ve got the costs associated with issuing notifications, accelerated demand on customer service, credit monitoring, and any initiatives and incentives aimed at customer retention. Patients could flood the courts with class-action lawsuits, while your business partners might sue to recover their fines and other breach-related costs.
Your investors could even take similar action over their stock losses. As a matter of fact, the recent Connecticut Supreme Court’s decision in the Byrne case could well set a precedent for class-action lawsuits in cases where PHI is lost.
This doesn’t even include your internal investigative costs. And, of course, regulatory bodies could impose fines and penalties, including jail time. Since June 2013, the Office for Civil Rights (OCR) has levied fines exceeding $10 million over HIPAA violations. An attorney for the OCR has said they will be more aggressive in cracking down on compliance violations going forward.
The Benefits of Safe Harbor Status
Of course, you can avoid regulatory scrutiny and all associated costs if you don’t need to actually report a breach. Safe harbor clauses are designed to offer exactly that kind of relief — and that translates to using encryption.
If you’ll recall, previously we examined why encryption is considered the gold standard in protecting ePHI and looked at methods for encrypting data in transit and at rest. There’s no doubt that encryption is a fantastic security measure that can make stolen data almost impossible to decipher. It’s considered such a strong protection that it allows organizations to avoid characterizing a security incident as an actual data breach, as long as the lost data is encrypted and the encryption keys were not included in the loss. That second condition is the one that bites in practice: if the key sits next to the data it protects, losing one means losing both.
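The condition above, that the data is encrypted and the keys are not part of the loss, is easiest to see in code. The following is an added example written for this post, not code from the original article or from any vendor it mentions. It assumes a common "envelope encryption" layout: each record is encrypted under its own data-encryption key (DEK) with AES-GCM, the DEK is stored with the record but wrapped under a key-encryption key (KEK), and the KEK lives somewhere else (an HSM, a key-management service, a separate host). The sample patient record and all key values are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredRecord is everything that sits on disk or in the database for one
// patient record. Note what is NOT here: the KEK. If an attacker walks off
// with the whole table, this struct is all they get.
type StoredRecord struct {
	WrappedDEK []byte // per-record DEK, encrypted under the KEK (nonce prepended)
	Ciphertext []byte // PHI, encrypted under the DEK (nonce prepended)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce; the nonce is
// prepended so open can recover it.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; authentication failure (wrong key, tampering) is an error.
func open(key, data []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:aead.NonceSize()], data[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// EncryptRecord generates a fresh 256-bit DEK for this record, encrypts the
// PHI under it, and wraps the DEK under the KEK. Only the KEK must be kept
// apart from the stored data.
func EncryptRecord(kek, phi []byte) (StoredRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredRecord{}, err
	}
	ct, err := seal(dek, phi)
	if err != nil {
		return StoredRecord{}, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the DEK with the KEK, then decrypts the PHI.
func DecryptRecord(kek []byte, rec StoredRecord) ([]byte, error) {
	dek, err := open(kek, rec.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, rec.Ciphertext)
}

// RecoverableFromLoss models the safe-harbor question: given only what was
// lost (the record, plus whatever key material, if any, went with it), can
// the PHI be read? Returns true only if decryption succeeds.
func RecoverableFromLoss(rec StoredRecord, keyInLoss []byte) bool {
	_, err := DecryptRecord(keyInLoss, rec)
	return err == nil
}

func main() {
	kek := make([]byte, 32) // constructed KEK; in production this comes from a KMS/HSM
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	phi := []byte("MRN 000123; Dx: constructed sample record") // constructed sample PHI
	rec, err := EncryptRecord(kek, phi)
	if err != nil {
		panic(err)
	}
	fmt.Println("stolen record alone recoverable:", RecoverableFromLoss(rec, nil))
	fmt.Println("stolen record + KEK recoverable: ", RecoverableFromLoss(rec, kek))
}
```

Run it and the first line prints false, the second true: the same stolen blob is a non-event or a reportable breach depending purely on whether the KEK travelled with it. That is the property an auditor will ask you to demonstrate, and it is why a key stored in the same backup, the same database, or the same config file as the ciphertext does not earn safe harbor.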
OCR offers a safe harbor provision from the Breach Notification rule for encrypted data, as do 47 of the states with breach laws on the books. The exceptions are Indiana, Wyoming and Washington D.C., with South Dakota, Alabama and New Mexico the only states without such data breach laws.