As more details about the Anthem data breach come to light, we have learned that the stolen records were not encrypted. Encryption adds another layer of protection to stored data. HIPAA is an old law that must be made current with modern information security standards; it must require encryption of stored data (aka data at rest).
by Cameron Tinsler on February 7th, 2015, 7:03 pm PST. This Ivia has been viewed 5,640 times.
Anthem and other health insurance companies store tremendous amounts of data about their customers--people like you and me. From the day a person obtains coverage, the insurer will know about every office visit, medical test, screening, prescription, procedure, hospitalization, etc. They will also, of course, have the full name, contact information, date of birth, social security number and employer information, for the policy holder and similar information for any dependents.
Consider it for a moment. It is a lot of information about a person. In Anthem's case, it is a lot of information about 80 million people, nearly 25% of all Americans.
Data encryption, the practice of scrambling data so it is essentially impossible to read without a special key, helps protect data from hackers. Say a database of health records is stored encrypted on a computer disk. A hacker could obtain control of that computer, but not be able to access that database.
Does encryption have drawbacks? Well, reading from and writing to an encrypted disk may take a bit longer. It may require spending a bit more. But as the wise man says, security trumps convenience. We've seen what happens when corporate security is weak (looking at you, Target, Sony, Home Depot and the like).
You may wonder whether data Anthem lost is protected health information. It is. You may wonder why it was not encrypted. In the end, it's because neither the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) nor the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed in 2009, specifically require it.
This has to change. Data of such a sensitive nature must be encrypted at rest. The laws must be updated to require data encryption, and the penalties for non-compliance must be stiff.