You don’t have to work in technology to know that hackers are getting more sophisticated. It seems like a new breach is in the news every week. But those of us who are dedicated to protecting healthcare data also spend a lot of time on something that’s just as demanding: complying with statutory and regulatory requirements, which are becoming increasingly severe.
Nearly every state in the U.S. has passed data breach laws, including costly breach notification requirements. These laws require that organizations not only notify the patients whose information was compromised, but sometimes state enforcement and credit agencies. HIPAA has its own Breach Notification law and some state privacy laws cover data breaches as well. Though not a healthcare organization, Wyndham Hotels was sued by the Federal Trade Commission for losing credit card data — another example of the many institutions invested in regulating IT security.
The combined costs of just one breach are staggering. You’ve got the costs associated with issuing notifications, accelerated demand on customer service, credit monitoring, and any initiatives and incentives aimed at customer retention. Patients could flood the courts with class-action lawsuits, while your business partners might sue to recover their fines and other breach-related costs.
Your investors could even take similar action over their stock losses. As a matter of fact, the recent Connecticut Supreme Court’s decision in the Byrne case could well set a precedent for class-action lawsuits in cases where PHI is lost.
This doesn’t even include your internal investigative costs. And, of course, regulatory bodies could impose fines and penalties, including jail time. Since June 2013, the Office for Civil Rights (OCR) has levied fines exceeding $10 million over HIPAA violations. An attorney for the OCR has said they will be more aggressive in cracking down on compliance violations going forward.
The Benefits of Safe Harbor Status
Of course, you can avoid regulatory scrutiny and all associated costs if you don’t need to actually report a breach. Safe harbor clauses are designed to offer exactly that kind of relief — and that translates to using encryption.
If you’ll recall, we previously examined why encryption is considered the gold standard for protecting ePHI and looked at methods for encrypting data in transit and at rest. There’s no doubt that encryption is a fantastic security measure that can make stolen data practically impossible to decipher. It’s considered such a strong protection that it allows organizations to avoid characterizing a security incident as an actual data breach, as long as the lost data was encrypted and the encryption keys were not included in the loss.
OCR offers a safe harbor provision from the Breach Notification rule for encrypted data, as do 47 of the states with breach laws on the books. The exceptions are Indiana, Wyoming and Washington D.C., with South Dakota, Alabama and New Mexico the only states without such data breach laws.
For instance, consider the Community Health Service breach in August. While no clinical data was lost, personal data — such as social security numbers, names, addresses and phone numbers — was lost for 4.5 million patients. The final cost of the breach is expected to land between $75 million and $150 million. Yet CHS could have avoided all of that by simply encrypting its data.
Does Your Encryption Qualify?
When it comes to avoiding notification, you must evaluate several criteria in the event of a breach. You must:
· Identify the data affected in the breach
· Decide if that data falls under the breach law
· Note whether the affected data was encrypted
· Research if that encryption meets the safe harbor clause definition; if it does, then notification is not required
Notice that final criterion. Not all encryption will get you off the hook from notification. To truly protect your ePHI and qualify for safe harbor status, you must employ strong, role-based encryption and excellent key management techniques. Remember, any compromise of an encryption key renders the encryption useless. It’s smart to review how your keys are generated, distributed and stored, with careful practices for rotating and replacing them.
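The two conditions above, that the keys are not lost alongside the data and that key generation, storage and rotation are handled deliberately, are exactly what envelope encryption is built to deliver. The Go program below is an added example, not code from this article or from any product it mentions. Each record is encrypted under its own data-encryption key (DEK) with AES-256-GCM; the DEK is wrapped under a key-encryption key (KEK) that is assumed to live outside the data store (an HSM or key-management service); and only the wrapped DEK is stored with the record. The record, the key identifiers and the KEKs are constructed values. Rotating the KEK re-wraps the DEK without touching the record ciphertext, and an envelope recovered without the KEK cannot be opened.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is the stored form of a record: the ciphertext plus its own data key,
// wrapped under a key-encryption key (KEK) that is kept somewhere else entirely.
type Envelope struct {
	KEKID      string // which KEK wrapped the DEK (lets rotation find the right one)
	WrappedDEK []byte // data-encryption key, encrypted under the KEK
	Ciphertext []byte // the record, encrypted under the DEK
}

// randBytes reads n bytes from the OS CSPRNG; a failure there is not recoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// NewKey returns a fresh random 256-bit key.
func NewKey() []byte { return randBytes(32) }

// newGCM builds an AES-256-GCM AEAD; a wrong key length is a programming error.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts and authenticates plaintext (and aad) under key, prepending a fresh nonce.
func seal(key, plaintext, aad []byte) []byte {
	gcm := newGCM(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; GCM rejects any change to the nonce, ciphertext or aad.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm := newGCM(key)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Encrypt gives the record a one-time DEK and wraps that DEK under the KEK.
func Encrypt(kek []byte, kekID string, plaintext []byte) Envelope {
	dek := NewKey()
	return Envelope{
		KEKID:      kekID,
		WrappedDEK: seal(kek, dek, []byte(kekID)), // kekID is authenticated too
		Ciphertext: seal(dek, plaintext, nil),
	}
}

// Decrypt needs the KEK named in the envelope; an envelope recovered without it is opaque.
func Decrypt(kek []byte, env Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, []byte(env.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK under %s: %w", env.KEKID, err)
	}
	return open(dek, env.Ciphertext, nil)
}

// RotateKEK re-wraps the DEK under a new KEK. The record ciphertext is untouched,
// so rotating even a large store is cheap and the old KEK can then be retired.
func RotateKEK(env Envelope, oldKEK, newKEK []byte, newID string) (Envelope, error) {
	dek, err := open(oldKEK, env.WrappedDEK, []byte(env.KEKID))
	if err != nil {
		return Envelope{}, fmt.Errorf("unwrap DEK under %s: %w", env.KEKID, err)
	}
	return Envelope{KEKID: newID, WrappedDEK: seal(newKEK, dek, []byte(newID)), Ciphertext: env.Ciphertext}, nil
}

func main() {
	kek := NewKey() // in practice fetched from an HSM/KMS, never read from the data store
	record := []byte(`{"mrn":"000-0000","name":"J. Doe","dob":"1970-01-01"}`) // constructed sample
	env := Encrypt(kek, "kek-2014-v1", record)
	fmt.Printf("stored: %s, %d-byte wrapped DEK, %d-byte ciphertext, no KEK\n", env.KEKID, len(env.WrappedDEK), len(env.Ciphertext))
	pt, err := Decrypt(kek, env)
	fmt.Printf("with KEK: %s %v\n", pt, err)
	_, err = Decrypt(NewKey(), env) // whoever holds only the envelope gets this
	fmt.Println("without KEK:", err)
}
```

The point for a safe harbor review is the shape of the stored envelope: it carries a key identifier and a wrapped key, but nothing that opens the record on its own. Keeping the KEK in a separate system with its own access controls and audit trail is what lets you show, after a lost disk or database dump, that the keys were not part of the loss; the `RotateKEK` path is what makes retiring a suspect KEK practical without re-encrypting every record.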
Even with strong encryption in place, remember that you’ll still need other security controls. Preventing a breach is always preferable to suffering an incident, even one that does not trigger notification. Your organization must still conduct a risk assessment and develop a solid security plan specifically designed to prevent data breaches. It should also be paired with a strong incident response plan.
Consider again the example of CHS: it relied on open-source or free security systems before its breach, and it will now almost certainly spend millions to upgrade to more sophisticated systems. This is just one example of why it’s smart to invest in advanced security before an incident occurs.
Ultimately, the cost of recovering from a breach will always be far higher than any expense incurred in safeguarding data with the right expertise and technology. Encryption helps protect your data (helping you meet HIPAA requirements) while acting as an insurance policy in the event of an attack. In this era of frequent breaches and costly notification laws, it’s quite simply one of the easiest and smartest security solutions for any healthcare organization.