Wednesday, November 9, 2011

Encryption and Electronic Health Records

Your Health and Your Privacy: Protecting Health Information in a Digital World

The Subcommittee on Privacy, Technology and the Law of the Senate Committee on the Judiciary held a hearing entitled “Your Health and Your Privacy: Protecting Health Information in a Digital World” on Wednesday, November 9, 2011. Deven McGraw, Director of the Health Privacy Project at the Center for Democracy and Technology, presented testimony (video below). "We know from the statistics on breaches that have occurred since the notification provisions went into effect in 2009 that the healthcare industry appears to be rarely encrypting data," she said. "The wild, wild west for data is not an environment of trust," she added.

Senator Tom Coburn, R-Okla., the subcommittee's ranking member, who is also a physician, questioned whether switching to electronic records was worth the risks. He raised concerns about hackers finding a way to take sensitive records. "They gotta get into my office to get it when it's on a piece of paper," said Senator Coburn. "Maybe we ought to rethink some of what we're doing," he said.

Senator Franken, D-Minn., chairperson of the subcommittee, asked Leon Rodriguez, director of the Office for Civil Rights at HHS, when the enforcement rules would be finalized. She could not give a timetable, so Senator Franken told her "OK, well hurry up." After the hearing, Senator Franken said, "The bottom line is that people have a right to privacy and to know that their data is safe and secure, and right now that right is not a reality."

These concerns were also discussed in the PCAST Report. "A well-designed combination of encryption, authentication [and] authorization…can yield a health IT infrastructure that is secure and where all principals are auditable," the report stated. Earlier this year, a survey of more than 500 auditors by the Ponemon Institute, "What auditors think of crypto technologies," found encryption to be the top choice over data tokenization or other cryptographic techniques. There is little doubt that encryption is a piece of the security puzzle; however, it is not the total answer.