Lawmakers to rethink requiring encryption in HIPAA


In light of the cyberattack against Anthem, federal officials plan to review whether HIPAA should require encryption, according to the Associated Press.

The Senate Health, Education, Labor and Pensions committee on Friday said it will take up the matter as part of a bipartisan review of health information security.

"We need a whole new look at HIPAA," David Kibbe, CEO of DirectTrust, a nonprofit working to create a national framework for secure electronic exchange of personal health information, told the AP.

Information on up to 80 million consumers--including names, birth dates, addresses, email addresses, employment information and Social Security/member identification numbers--were compromised in the attack on Anthem. That information reportedly was not encrypted.

However, Anthem spokeswoman Kristin Binns told the AP that the hacker also had a system administrator's ID and password, which would have made encryption a moot point. Binns said the company normally encrypts data that it exports.

Some security experts, however, say a stolen credential by itself shouldn't be a key to the whole data kingdom, and that information should be encrypted wherever it resides, whether in transit; sitting in a database, as Anthem's was; or on a mobile device.

When the HITECH Act promoting computerized medical records was passed in 2009, it seemed to be a reasonable balance, creating incentives for encryption without imposing a one-size-fits-all solution, Indiana University law professor Nicolas Terry told the AP. Now he's concerned that events may have shown the compromise is unworkable.

Only slightly more than half of healthcare employees (59 percent) use full-disk encryption or file-level encryption on computing devices at work, a Forrester research report published last September found.

There have been various calls to review HIPAA based on the security and privacy risks for consumers posed by the Internet of Things and for research, among other reasons.

Mac McMillan, current chair of the HIMSS Privacy and Security Policy Task Force, however, has said he doesn't see much happening before the next presidential election.

To learn more:
- read the AP article

Related Articles:
Anthem hack compromises info for 80 million customers
Details emerge in Anthem hack
CHIME chairman calls for mixed approach to security
CIO Chuck Podesta: 'No excuse for not encrypting' data
FTC report on IoT calls for update to HIPAA standards
Feds to clarify HIPAA for mobile health developers
Doug Fridsma: Why amending HIPAA makes sense for research