Saturday, February 7, 2015

Anthem data breach calls attention to the overhauling of HIPAA requirements – Times Gazette

Anthem

Following the theft of data on 80 million customers of Anthem, the second largest health insurer in the United States, federal lawmakers and privacy advocates are already calling for an update to the Health Insurance Portability and Accountability Act (HIPAA) that would require customer data held in a company database to be encrypted to prevent its exposure in a breach.

Encryption protects data by scrambling it with mathematical formulas, so that it is meaningless to anyone who obtains it without proper, well-regulated authorization. The data on the 80 million people stolen from Anthem was never encrypted: although it was not being transmitted over the internet, which would have prompted some organizations to encrypt it for added safety, it sat at rest within the company's database.

David Kibbe, CEO of the nonprofit advocacy group DirectTrust, is among the privacy advocates calling for HIPAA's requirements to be updated so that detailed customer data must be encrypted whether it is being transmitted online or sitting in a database.

"We need a whole new look at HIPAA," said Kibbe. "Any identifying information relevant to a patient…should be encrypted."

The Senate Health, Education, Labor and Pensions Committee, among other federal lawmakers, is already looking into encryption requirements as part of a health information security review.

"We will consider whether there are ways to strengthen current protections," said Jim Jeffries, spokesman for chairman Lamar Alexander, R-Tenn.

Federal law encourages data encryption but does not actually mandate it. Passed in the 1990s, before the internet became commonplace, HIPAA never enforced data encryption, yet encryption would have prevented the exposure of the 80 million Anthem customers' records. This omission appears to be what hackers are targeting to get at the personal details of millions of people every day.
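The distinction the article draws is between data in transit and data at rest: Anthem's records were sitting in a database, so a copy of that database was readable as-is. The following Go program is an added example, not code from the article or from Anthem, showing what field-level encryption at rest looks like for a health plan's member table using AES-256-GCM from Go's standard library. The column names, the member record and the SSN value are constructed for the demo; the key is generated in-process here, whereas in a real deployment it would live in a key management service separate from the database, so that a stolen database dump alone is useless.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// EncryptField seals one sensitive column value with AES-256-GCM. The row's
// ID is bound in as associated data, so a ciphertext lifted from one row
// will not decrypt when presented as the value of another row.
// Stored layout: nonce || ciphertext || authentication tag.
func EncryptField(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per value
		return nil, err
	}
	sealed := gcm.Seal(nil, nonce, plaintext, []byte(recordID))
	return append(nonce, sealed...), nil
}

// DecryptField reverses EncryptField. Open fails on a wrong key, a modified
// ciphertext, or a ciphertext presented under a different row ID.
func DecryptField(key []byte, recordID string, stored []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize() {
		return nil, errors.New("stored value shorter than a nonce")
	}
	nonce, sealed := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, []byte(recordID))
}

// Member is the shape of a row after field-level encryption (constructed
// schema): the fields needed for lookup stay in the clear, the SSN is stored
// only in sealed form.
type Member struct {
	ID           string
	Name         string
	EncryptedSSN []byte
}

// StoreMember builds the row that would be written to the database.
func StoreMember(key []byte, id, name, ssn string) (Member, error) {
	sealed, err := EncryptField(key, id, []byte(ssn))
	if err != nil {
		return Member{}, err
	}
	return Member{ID: id, Name: name, EncryptedSSN: sealed}, nil
}

func main() {
	// Demo key generated in-process. In production the key comes from a KMS
	// or HSM and is never stored alongside the database it protects.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	m, err := StoreMember(key, "member-0001", "Constructed Example", "123-45-6789")
	if err != nil {
		panic(err)
	}
	fmt.Printf("row as stored: id=%s name=%q ssn=%s\n", m.ID, m.Name, hex.EncodeToString(m.EncryptedSSN))

	// A copy of the database without the key yields only an authentication failure.
	wrongKey := make([]byte, 32)
	if _, err := DecryptField(wrongKey, m.ID, m.EncryptedSSN); err != nil {
		fmt.Println("database dump without key:", err)
	}
	// The application that holds the key recovers the value.
	ssn, err := DecryptField(key, m.ID, m.EncryptedSSN)
	if err != nil {
		panic(err)
	}
	fmt.Println("application with key:", string(ssn))
}
```

Binding the row ID as associated data is a detail worth keeping even in a minimal design: without it, a stolen dump could be "edited" by moving sealed values between rows, and the database would not notice. The same pattern applies to any column the plan does not need to search on directly; columns that must be queried in the clear are the ones to minimise.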

However, a statement from the privacy office said the kind of personal data stolen by the Anthem hackers is covered by HIPAA, even if it does not include medical information.

"The personally identifiable information health plans maintain on enrollees and members – including names and Social Security numbers – is protected under HIPAA, even if no specific diagnostic or treatment information is disclosed," the statement said.

Indiana University law professor Nicolas Terry, who specializes in health information technology, noted: "In today's environment, we should expect all health care providers to encrypt their data from end to end."
