Lack of encryption standards raises health data privacy questions

The office building of health insurer Anthem is seen in Los Angeles, California February 5, 2015. This week, a data breach at Anthem compromised the data of 80 million people, prompting calls for cybersecurity standards for health care companies. Photo by Gus Ruelas/Reuters

WASHINGTON: Insurers aren't required to encrypt consumers' data under a 1990s federal law that remains the foundation for health care privacy in the Internet age, an omission that seems striking in light of the major cyberattack against Anthem.

Encryption uses mathematical formulas to scramble data, converting sensitive details coveted by intruders into gibberish. Anthem, the second-largest U.S. health insurer, has said the data stolen from a company database that stored information on 80 million people was not encrypted.

The main federal health privacy law, the Health Insurance Portability and Accountability Act (HIPAA), encourages encryption but doesn't require it.

The lack of a clear encryption standard undermines public confidence, some experts say, even as the government plows ahead to spread the use of computerized medical records and promote electronic information sharing among hospitals, doctors and insurers.

"We need a whole new look at HIPAA," said David Kibbe, CEO of DirectTrust, a nonprofit working to create a national framework for secure electronic exchange of personal health information.

"Any identifying information relevant to a patient should be encrypted," said Kibbe. It should make no difference, he said, whether that information is being transmitted on the Internet or sitting in a company database, as was the case with Anthem.

Late Friday, the Senate Health, Education, Labor and Pensions Committee said it's planning to examine encryption requirements as part of a bipartisan review of health information security. "We will consider whether there are ways to strengthen current protections," said Jim Jeffries, spokesman for Chairman Lamar Alexander, R-Tenn.

The agency charged with enforcing the privacy rules is a small unit of the federal Health and Human Services Department, called the Office for Civil Rights.

The office said in a statement Friday that it has yet to receive formal notification of the hack from Anthem, but nonetheless is treating the case as a privacy law matter. Although Anthem alerted mainline law enforcement agencies, the law allows 60 days for notifying HHS.
