Senate to review HIPAA security of medical records in light of Anthem breach
Policy makers are investigating whether federal privacy and security laws should require encryption of patient records
A monumental data breach at one of the nation’s largest insurance providers has spurred a bipartisan effort to reexamine the Health Insurance Portability and Accountability Act (HIPAA), possibly adding a costly and cumbersome requirement to encrypt health records (EHRs).
The Senate Health, Education, Labor and Pensions committee announced February 6 that it is planning a new bipartisan initiative to examine the security of all health information technology and the healthcare industry’s preparedness against cyber attacks.
“Patients, hospitals, insurers—all Americans who value the safety and privacy of their sensitive personal information—have a right to be alarmed by reports that their electronic records might be vulnerable to a cyber attack,” says committee chairman Lamar Alexander (R-Tenn.).
The committee will examine EHRs, hospital records, network-connected medical devices and more in regard to the security of their health information technology.
The initiative comes in the wake of a security breach at Anthem—the nation’s second-largest insurer—that affects up to 80 million people. The breach is the largest HIPAA violation in history and involved the alleged theft of security credentials from a system administrator to access Anthem’s client database. While the company encrypts data it exports, the data was stolen at the company level and was unencrypted. But even if it had been encrypted, the systems administrator credentials that were stolen could have been used to access encrypted client data.
Data stolen during the break include names, dates of birth, member ID/Social Security numbers, addresses, phone numbers, email addresses and employment information. Anthem says no diagnosis, treatment, or financial data was accessed during the breach.
Encryption isn’t currently required under HIPAA, nor under the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, although HITECH does offer incentives for encryption. Encrypting data is costly and does not guarantee that records cannot be penetrated by cyber attacks. Regardless, some industry watchdogs and health IT experts are calling on healthcare systems to take a more serious look at encryption as a preemptive measure against future cyber attacks.
The Office of Civil Rights (OCR) under the U.S. Department of Health and Human Services—which is investigating the Anthem breach—reports that roughly 60% of healthcare data breaches since 2009 could have been prevented through encryption. And a 2014 report by Forrester Research estimates that only 59% of healthcare organizations have implemented any type of data encryption.