6 Reasons Organizations Fail to Encrypt ePHI
The drumbeat of HIPAA breaches in the media is incessant, and the refrain is the same: yet another PC containing electronic protected health information is stolen, so the organization is compelled to notify patients, Health and Human Services, and the media. The Office of Civil Rights swoops in, levies a 7 figure fine, and posts the offender on the HHS “Wall of Shame”, resulting in a damaged reputation and loss of future earnings.
Ironically, had the PC’s hard-drive been encrypted, the loss would have been a non-event, unreportable given the Safe Harbor provisions of HIPAA. And inexpensive encryption technology has been readily available for years. Yet, 538 or 46% of the 1,171 Breach Notifications posted on the Wall of Shame stem from the simple loss of a computer with an unencrypted hard-drive.
So, if it is so obvious how to correct the deficiency that single-handedly accounts for the most frequent HIPAA Breach Notifications, why don’t more organizations properly encrypt and protect the ePHI entrusted to them? Here are the six most common reasons we discover during our risk assessments:
Denial and Procrastination – in spite of the fact that 538 Breach Notifications across the nation stem from the loss of a computer, some organizations simply assume the risk of loss is too small to justify the cost and effort to encrypt them. They may not understand that encryption can provide Safe Harbor from Breach Notification. Or they are so overwhelmed with all of the various requirements that they don’t realize there is effective action they can take to mitigate risk of non-compliance.
Other healthcare organizations have understood for years the need to encrypt ePHI, and intend to do so; however, for various reasons, many have not gotten around to taking the first step to doing it.
Premature Attestation – Sometimes an organization will confidently assert, “we are encrypting ePHI”, when it really would be more accurate to say, “one of our staff is contemplating about how we might encrypt ePHI at some unspecified date in the future”. Those who accept assurances of encryption without inspecting evidence in the form of current compliance reports can be in for a rude awakening, in the form of Willful Neglect sanctions in the event of a Breach. So, while it can be tempting to ignore this problem, doing so will make the situation worse.
Technical Complexity and Risk – the concept of hard-drive encryption is easy to understand, but challenging to implement. The devil is in the details — hard-drive encryption is more invasive to install than a typical software application, involving an irreversible rewrite of the entire drive. Production workstations are often not backed up, so an encryption failure results in unrecoverable data loss. Often, there is no accurate inventory of PC’s and laptops, much less a centralized means for managing and deploying software to them. The encryption software may conflict with the operating systems and applications running on the systems. Systems are typically not standardized so a successful test of one system does not guarantee the other systems will be successful. Some may be unstable or infected with malware, and so on. So the initial deployment is challenging; however, a good plan and an experienced team will make this process easier.
Incomplete and Failed Deployments — some have attempted to implement hard-drive encryption, only to have encountered technical obstacles that stalled the deployments. Or they simply do not have an accurate inventory of assets to be encrypted. Finally, they may have encrypted their workstation hard-drives in the past, but do not have processes to keep the encryption current, so as encryption fails and workstations are replaced, unprotected ePHI proliferates. Strong processes and the right team are essential to achieving success.
Lack of On-Going Management -Like all components of an IT system, hard-drive encryption is not a “set it and forget it” program. The encryption needs to be monitored and maintained on an on-going basis. As workstations fail and are replaced, they must be encrypted before they are placed in production. And there is an on-going compliance reporting task — in order to receive Safe Harbor protection from Breach Notification, the organization must be able to demonstrate that a missing asset was encrypted at the time of loss. Many organizations do not have the internal resources and processes in place to perform the on-going management tasks. Managing and maintaining encryption will avoid disappointment and set-backs later.
IT Resistance— The running joke is that IT people fall into two camps — those who hate encryption, and those with no encryption experience. Because hard-drive encryption adds a layer of complexity, risk, and effort to the on-going management of PC’s and laptop computers, resource-constrained IT organizations are reluctant to deploy and support hard-drive encryption. This reluctance leads to Denial, Procrastination and Premature Attestation. With the right people in place, drive encryption is easy to deploy and manage.
Which of these 6 reasons have you heard within your own organizations or clients? Are there other reasons beyond these 6?
Next — Best Practices for Protecting ePHI through Hard-drive Encryption
Smoke testing is a term used to describe the testing process for servers after patches are applied. 
Estimating an average time for patching servers and PCs can be a bit tricky. It can vary from one month to the next, depending upon the number and complexity of the patches released by your software vendors. You must consider all versions of operating systems and have a complete inventory of all your application software to do this job correctly. Our experience has shown that manual patching of systems takes on average of about 1.5 hours each.
This is a basic cost calculator for you to compute your typical monthly cost for patching your servers, PCs, laptops, tablets and associated application software. It also forms the basis for you to begin calculating your Return on Investment for software patching, or for comparison with alternatives to the manual process of patching operating systems and application software—such as Patch Management as a Service, also known as Vulnerability Management as a Service.