The Burden of Encryption or the Burden of a Breach?

July 10, 2014 by Nicholas R. Merker, Partner | L. Alan Whaley, Partner
The world of health care moves fast. Hospitals, physicians and other providers must protect the confidentiality of health information in a highly regulated environment with constantly evolving technology. Learn how we can help through our guide, "A Breach, or Not a Breach? If That Is the Question, Encryption May Be the Answer." An excerpt follows:

The Burden of Encryption or the Burden of a Breach?

The single largest PHI breach in 2013 involved the theft of four desktop computers from an office; the computers contained more than four million patient records. Had that data been encrypted in a manner consistent with HHS guidance (and the keys kept separate from the stolen machines), the theft would not have been a reportable breach of unsecured PHI at all. The additional burden of encrypting that data almost certainly pales in comparison to the burden of notifying millions of patients, going through the investigation and monetary penalties that will probably result, and defending the class action lawsuit that has already been filed.

Another example: in late April 2014, HHS announced that it had settled a breach enforcement action involving one stolen laptop and over 850 patient records. HHS's investigation included the finding that the health care provider had previously recognized that the information on its computers and other devices needed to be encrypted, and it had started to do so, but its efforts were "incomplete and inconsistent over time, leaving PHI vulnerable throughout the organization." The laptop that was stolen, of course, had not yet been encrypted. The amount of the settlement is eye-catching: $1.7 million. Other reports about this large settlement have surmised that its size may have been related to the fact that this laptop loss was not the health care provider's first; another laptop had been stolen about two years earlier. Whatever the reason for the high settlement figure, it graphically illustrates the risk: a partial encryption rollout provides no protection for the devices it has not yet reached, and a single unencrypted device is enough to trigger notification and enforcement.