Is Encryption Affecting the Decision Making of Healthcare CIOs? …Should It Be?
“An obvious thing out there is security. Hackers, ransomware – and you want to be secure enough, but not so secure that you affect the business.”– VP of IT at NJ hospital system
Peak 10’s 2nd National IT Trends in Healthcare Study has shown that patient privacy and information security are a top priority for healthcare technology leaders. Healthcare executives are being cautious, and more security measures are being implemented. Most healthcare organizations surveyed graded their own security program a B- or worse, while many pointed out that ransomware is now a prominent risk concern. In the matter of security, healthcare organizations are undoubtedly trying to fight the challenge of being proactive versus reactive, while balancing actual needs against available resources.
“Cybersecurity risk is tremendous; we’re being targeted significantly. Ransomware hits even in the last week.” – CIO at NE hospital
Telemedicine and patient portals represent a great advancement in healthcare technology and patient care, but they create another challenge: more data and more endpoints equate to more vulnerabilities. The Peak 10 study confirmed that telemedicine has been adopted by nearly half of healthcare organizations, while another third are planning an implementation with the expectation of realizing improved patient satisfaction and increased competitive advantage. Both are valuable changes to make, but neither comes without risk.
Making patient information available to both doctors and patients around-the-clock is now the expectation, as is the need to make portals secure. Plus, patient data is 10X more valuable to hackers than financial information because it cannot be changed like a password or login info can and it can be used for insurance fraud (which is a multi-billion dollar industry). Such vulnerabilities put healthcare organizations at risk of having to pay fines to regulators and deal with potentially irreparable PR nightmares in an industry that is driven by patient satisfaction. Here’s where encryption comes into play.
Reassuringly, 57% of healthcare organizations are using encryption from a third party, but that leaves over 40% who either haven’t adopted encryption yet or are trying to tackle encryption themselves. Some healthcare IT departments have the resources to manage encryption, but many struggle to execute it effectively while keeping up with the other constant demands of technology.
In a later Peak 10 study focused solely on encryption, it was determined that over 75% of businesses overall are only encrypting roughly 17% of their data. This number covers organizations of all verticals, but it nonetheless raises the question: how much healthcare data is exposed in cyberspace, unprotected?
Fighting hackers and defending against those in the dark corners of the Internet is a ceaseless battle. However, particularly in the healthcare space, adopting encryption of protected health information (PHI) as a critical component of your security program is key to safeguarding patient information, staying in compliance and keeping up with risks.
There are quite a few benefits to implementing encryption, whether across all systems or solely for PHI. Encryption is a powerful defense against any kind of breach and helps relieve your organization of multiple challenges from both compliance and security perspectives. Plus, it’s simple, despite the misconception that implementing strong encryption is complex and expensive.
Encryption in the Real World: Dispelling Common Myths
There are a few prevalent misconceptions surrounding encryption that need to be debunked, particularly in the healthcare space (where the cost of increased vulnerabilities is far too great to risk).
MYTH #1: Encryption will cause performance issues.
False. Encryption actually causes little to no performance issues, as shown by a recent study carried out by Peak 10’s partner Vormetric, an industry leader in data security solutions spanning physical, virtual and cloud environments. Transparent file encryption technologies have less than a 2% impact on performance, which is marginal; they also apply policies automatically and work transparently, without changing the way users interact with the system. Encryption is a necessary security tool, and it won’t slow you down.
MYTH #2: We’ll lose control of our data if we don’t figure out a way to secure it in-house.
False. The reality is that when done correctly, encryption makes PHI secure, you’ll have transparency into the process, and full control over your valuable information. Not encrypting, on the other hand, is pretty much a surefire way to lose control of your data.
MYTH #3: Encryption will be complicated to implement and manage.
Also not true. The word “encryption” is deceptive; it implies a complex, cryptic procedure. The mathematics behind it is fairly complex, but the basis is simple. Identifying which data your organization needs to encrypt and carrying out a smooth implementation are not necessarily painful projects, especially when partnering with a reputable third party. Even if you’re confident you can handle encryption internally, it may be worth working with an Encryption as a Service provider regardless, if only to perform a needs assessment and plan go-forward steps.
Understand the facts of encryption. It has its benefits, and it won’t cause delays in a healthcare IT department. On the contrary, it will give your security team more time to focus on what is critical. Encryption is secure and transparent, and you keep full control. Don’t let the fear of performance issues or complexity stop you from protecting important information; in many cases, you can’t easily recover from the consequences.
The Powerless Hacker
The purpose of encryption is to render data unreadable. In all likelihood, hackers will get hold of your data, which can result in having to report a breach, paying fines and responding to potentially irreparable damage to trust and reputation.
Encryption takes the power away from the hacker. It doesn’t stop the hack from happening, but it removes the value of the information the hacker is looking for. A malicious actor can try to get into your network, but as long as the data in question is encrypted, large amounts of nonsensical information will give them no reason to continue the breach—unfortunately for your hacker, there’s no threat to your business, in this case.
Enabling Healthcare IT Leaders to Meet Compliance
So, if your healthcare organization’s PHI is encrypted, potential threats are lessened significantly. This is how encryption enables healthcare IT decision makers to meet compliance requirements. A component of HIPAA is being able to demonstrate that your business is maintaining a strong security program and implementing a satisfactory baseline for preventing successful breaches of unsecured PHI; encryption gives your security team more ammo to make that happen.
It is important to note that HIPAA compliance mandates stipulate securing data as a necessity, but do not necessarily outline a standard methodology for execution in detail. Practicing encryption will give your organization immunity from having to report breaches if PHI is stolen, but it doesn’t necessarily mean your security program is strong.
Take the time to understand exactly how the HIPAA Security Rule applies to your healthcare organization, and create a roadmap for going above and beyond the minimum requirements for compliance in order to stay secure and effectively prevent breaches.
A viable option for healthcare businesses is evaluating service providers who have verifiable compliance expertise and can work with you to achieve HIPAA compliance on an ongoing basis.
There’s More Than One Way to Encrypt—Choose What’s Right For You
There are different levels of encryption, and different ways to execute it. Ultimately, your IT team has to choose the right way for you.
- Full disk encryption (self-encrypting drive)—laptops, small computing devices.
- File-level encryption—devices that require data security while in operation and offline.
- Transparent data encryption—allows for policy-based encryption.
- Individual app encryption or tokenization—application usage.
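As an added illustration of the “individual app encryption” option above and of the “powerless hacker” idea from the previous section (this is example code written for this page, not Peak 10’s or Vormetric’s), the following Go program seals each field of a constructed PHI record with AES-256-GCM under a key that is assumed to live in a separate vault. Whoever copies the stored records without that key sees only random-looking hex, and a decryption attempt with any other key fails authentication rather than yielding garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Record is a PHI row as the application holds it (constructed sample shape).
type Record struct{ MRN, Notes string }

// Vault holds the AES-256 key. The key is assumed to be stored apart from the
// record database, so a copy of the records alone cannot be read (demo assumption).
type Vault struct{ key []byte }

func NewVault() *Vault {
	k := make([]byte, 32) // 256-bit key from the OS CSPRNG
	rand.Read(k)
	return &Vault{key: k}
}

// Encrypt seals a field with AES-256-GCM under a fresh random nonce and returns
// hex(nonce||ciphertext||tag), the only form that is written to the database.
func (v *Vault) Encrypt(plain string) string {
	block, _ := aes.NewCipher(v.key) // 32-byte key: NewCipher cannot fail
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return hex.EncodeToString(gcm.Seal(nonce, nonce, []byte(plain), nil))
}

// Decrypt reverses Encrypt; a wrong key or a tampered blob fails the GCM tag check.
func (v *Vault) Decrypt(stored string) (string, error) {
	raw, err := hex.DecodeString(stored)
	block, _ := aes.NewCipher(v.key)
	gcm, _ := cipher.NewGCM(block)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("malformed blob")
	}
	p, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	return string(p), err
}

// Protect returns the record as it is stored: every PHI field is ciphertext.
func (v *Vault) Protect(r Record) Record {
	return Record{MRN: v.Encrypt(r.MRN), Notes: v.Encrypt(r.Notes)}
}
```

Because each call draws a fresh nonce, two identical notes encrypt to different blobs, so an attacker cannot even tell which patients share a diagnosis from the stored data.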
Encryption also enables IT to outsource more easily to third-party providers and take advantage of the efficiencies that come with cloud computing. There are multiple business advantages that can be gained by encrypting besides solely securing data (although that’s the most important).
Protecting Healthcare Data, All in All
Here’s the point—healthcare and encryption go hand-in-hand. Hospitals are full of PHI, and HIPAA regulations aren’t going anywhere. This is what you really need to know:
- If your healthcare organization is not encrypting, it should be.
- Encryption will not cause performance issues, cause you to lose control of your data or turn into an infinite, difficult project.
- Encrypting PHI takes the power away from hackers, who will always be lurking around the virtual corner.
- HIPAA compliance gets a little easier when you encrypt.
Deeper Insight Into Healthcare IT
The Peak 10 2nd National IT Trends in Healthcare Study produced a lot of insight into the future of healthcare IT professionals, as well as the decisions they’re facing today.
Check out the Peak 10 Industry Spotlight: Healthcare IT website.