My last blog post predicted that 2013 will be the year of the healthcare data breach. I detailed that the majority of medical data breached was lost through portable media or laptop computers. Usually this means the theft or loss of a laptop, backup tape, or even a USB flash drive. It’s ironic that as paper health records give way to electronic records, the greatest threat to health privacy is the loss of physical media and devices.
Had any of these devices been encrypted, they would not have been counted in the tally of healthcare data breaches. That is because encrypted hard drives and devices are considered secure and their loss needn’t be reported.
So, why not encrypt?
Objectively speaking, encryption isn’t that hard. Modern laptops, whether Windows, Mac, or Linux, all have free or low-cost encryption software available, either as part of the operating system or from any number of vendors. Most commercially available backup programs offer encryption as a feature at no extra cost. Even the next-generation vectors of health data loss (tablets like the iPad and smartphones) have built-in encryption features. Still, the majority of us don’t use encryption.
There are at least four reasons why a no-brainer like encryption isn’t in broad use today, which also gives a sense of what needs to be addressed to end this needless risk.
- It’s Scary: If you’re a lay person, the idea of having all the data on your hard drive scrambled so that you can’t read it if you forget a password is scary. If you’re an IT person, you may be intimidated by the idea that an operating system upgrade — or another random occurrence like a power drop — might render the encrypted drive or media unreadable.
- It’s Complicated: Would that the choice to encrypt your laptop were nothing more than clicking an application, choosing a drive, and then clicking “OK.” Unfortunately, instructions for encrypting your laptop offer a variety of cautions — back up first! — and choices such as the encryption method. Encryption documentation is heavy on jargon that is at best unfamiliar to many, and at worst intimidating. For the IT department, encryption has meant managing encryption keys on an individual basis or buying software to provide enterprise management of encryption.
- It Hasn’t Been a Vendor Priority: A vendor that wants users to encrypt their information could make encryption the default. Absent that, they could make the process relatively easy. Finally, they might include the feature in the operating system, so that the user doesn’t have to buy or download additional software. The majority of laptops run some version of Windows. In versions of Windows up through Windows 7, Microsoft’s BitLocker encryption was only available on the most expensive and least frequently used Ultimate and Enterprise editions.
- Management Didn’t Make It a Priority: The requirements for healthcare providers to protect data — and the exemption from data breach reporting for encrypted devices — have been out there for several years. Free and reasonably priced encryption software has been readily available. Notwithstanding items 1 through 3 above, ultimately the reason encryption isn’t rolled out is that it hasn’t been enough of a priority for management to insist upon it.
The picture is, slowly, getting better. With Windows 8, Microsoft is including BitLocker encryption in the more common Professional edition. On the iPad, encryption is automatically applied when a PIN is enabled on the device. Android, too, has enabled encryption for phones and tablets in the last year. These are steps in the right direction, and we can hope that where there’s a Way, perhaps there’ll be a Will to encrypt.
For those who have an older version of Windows — which is probably 90%+ at this point — third-party encryption options are readily available. For the last three years I’ve had TrueCrypt — free, open source, full disk encryption — on my work laptop. It has been a trouble-free experience for me, through a variety of Microsoft updates and security patches. Other options, including a home version of Sophos’ commercial SafeGuard encryption, are also available and work well. If you travel with a laptop and would prefer not to have your financial records or other information stolen, it’s time to do something about encryption.