Dive Brief:
- Anthem's statement that the data accessed in last week's historic hack was not encrypted has sparked debate over the fact that federal law dating from the 1990s, which some say is dangerously out of date, does not require insurers to encrypt consumers' data. Although HIPAA encourages encryption, it does not require it.
- This gap in security leaves consumers vulnerable, and lacking confidence, at the same time that other government policy is promoting electronic medical records and information sharing among healthcare organizations.
- The Senate Health, Education, Labor and Pensions committee said on Friday that it will consider an encryption standard as part of a bipartisan review on healthcare data security. "We will consider whether there are ways to strengthen current protections," Jim Jeffries, spokesman for chairman Lamar Alexander, R-Tenn., told the AP.
Dive Insight:
Encryption has been considered controversial in the healthcare industry, given the added costs and effort involved in running daily operations on encrypted data. Some argue that encryption is easily defeated anyway, and that it isn't worth the hassle for data that is simply being stored, as in Anthem's case, as opposed to data being transmitted. However, 80 million Anthem customers would likely disagree.
The government has already tried the voluntary route with the 2009 HITECH Act, which required public disclosure of any healthcare data breach affecting 500 or more people and created an exemption from that requirement for companies using encryption. If encryption is to become an industry standard, however, it appears it will have to be made mandatory first.