Evaluate Your Risk
During 2008 and 2009, there were numerous and widespread data breaches of patients' protected health information (PHI), with the largest security breaches resulting from both internal and external attacks on database and file servers. This means that companies need to ensure that their encryption strategy protects information at rest both in the data center and in distributed environments.
Prior to the HITECH Act, only California and Arkansas included patient health data in their data breach notification requirements, but the results of their laws demand attention. For example, California reported 800 PHI breaches in the first five months after the requirement took effect. This is a strong indicator of the heavy risk to patient data, and of the high probability that organizations that do not encrypt will experience a breach and have to notify.
The cost of data breach disclosure extends beyond notification to include lost customers, class action lawsuits and brand damage. Companies need to consider these costs combined with the risk when determining the investment that should be placed in encryption.
Re-evaluate your stance on encryption
When HIPAA was enacted in 2003 after years of debate, data encryption was an "addressable" requirement. Addressable HIPAA requirements gave companies leeway to decide whether to meet the requirement: make a determination, document that determination, and implement the decision. Most organizations chose not to encrypt, since HIPAA was not heavily enforced and encryption seemed unmanageable in 2003.
But today, organizations should immediately implement projects to revisit encryption because of the technical advancements, the demonstrated risk of public data breaches, and the impending HITECH Act compliance requirements.
Gretchen Hellman is Vice President of Security Solutions at Vormetric. Gretchen has broad experience in helping companies of all industries meet their security management and regulatory compliance objectives. After gaining direct experience as a consultant specializing in security management and regulatory compliance, Gretchen worked with technology vendors and their customers to deliver practical solutions for the complex security and compliance problems facing the enterprise. She can be reached at firstname.lastname@example.org.