November 9, 2009
HITECH Act: The Next Logical Step in Protecting PHI
By Luther Martin
The HITECH Act doesn’t require the encryption of protected health information (PHI), but it’s probably the next step in that direction.
The HITECH Act has provisions that encourage, but do not require, covered entities to encrypt PHI. The Interim Final Rule that implements part of the Act requires notification when an unauthorized use or disclosure of unencrypted PHI “poses a significant risk of financial, reputational, or other harm” to an individual. Note that “unencrypted” here is not left to the covered entity’s judgment: under the accompanying HHS guidance, PHI counts as secured only if it was encrypted with a process consistent with the relevant NIST standards and the decryption key itself was not compromised, so data encrypted under a key that was lost along with it still triggers notification.
Some conspiracy theorists seem to believe that this wording was included so that businesses could avoid the high cost of breach notifications by arguing that their own analysis showed the breach posed no significant risk of harm. A more reasonable explanation is that similar language dates back at least to the Privacy Act of 1974 and already appears in the existing state breach notification laws.
But if the breach notification requirements of the HITECH Act aren’t there to let businesses freely violate our privacy while giving us the illusion of it being protected, why are they there?
The Trend Toward Requiring Encryption
The breach notification requirements of the HITECH Act are best understood as part of a trend that is slowly but steadily raising the level of protection that sensitive data must have. The trend starts with laws and regulations that require organizations to protect sensitive information while leaving the exact means of protection largely up to them. It then moves to requiring notification of breaches of unencrypted sensitive information. At this stage encryption still isn’t required, but there is a strong incentive to use it in order to avoid expensive breach disclosures. The final step is to require organizations to encrypt sensitive information outright.
The HIPAA Privacy Rule was the first step in this process for PHI. It required healthcare organizations to protect PHI but allowed them to implement that protection in many ways. The HITECH Act is the next step, since it effectively requires notification of breaches of unencrypted PHI. In the future we will probably see a federal law that actually requires the encryption of PHI; some states have already taken this step.
In 2008, Nevada law began requiring the encryption of state residents’ sensitive information whenever it is transmitted outside a business’s secure network. The Massachusetts encryption law did the same for that state’s residents shortly afterward. Legislators in other states are now considering similar laws, and data encryption mandates will probably become widespread over the next several years. Because these laws apply to residents of the state rather than to businesses located there, it is already hard for a business with customers in many states to avoid them, and it will only get harder.
How to comply with these laws at a reasonable cost is still an unsolved problem. Legislators want businesses to protect sensitive information, but not at a price that is impractical for a business that must remain profitable to survive.
Encryption is notoriously hard and expensive to deploy, but a combination of newer technologies and motivated IT departments is producing solutions that are more practical than they were a few years ago. Identity-based encryption, for example, costs roughly a third as much to own and operate as the aging public key infrastructure technology that dates back to the dot-com boom, largely because it removes the need to issue, distribute and look up per-user certificates before anything can be encrypted. That difference is often enough to make encryption practical where it once wasn’t.
Once the states find out what works and what doesn’t, the federal government will likely raise the bar and require the encryption of all PHI, a move that will probably be based on exactly the lessons the states have learned. Let’s hope this happens soon.
There has been much media coverage of the recent data breaches that exposed millions of credit card numbers to hackers. But while it is relatively easy to cancel a compromised credit card and get a new one, there is no practical way to cancel a medical history and get a new one. Once it is compromised, it is compromised forever. For that reason PHI deserves strong protection, and encryption is the best tool for the job. The HITECH Act’s breach notification requirements only encourage encryption, but they are a good step toward ensuring that PHI gets the protection it deserves.
— Luther Martin is chief security architect at Palo Alto, Calif.-based Voltage Security, Inc.