The hack of Anthem, the second largest health insurer in the United States, cast a huge spotlight on the protection of electronic medical records. Announced in February 2015, the breach compromised 78.8 million user accounts, all of which were stored unencrypted.
To put that number into perspective, the largest breach of 2014 (which, like Anthem, is widely believed to be the work of security researchers sponsored by the Chinese government) was that of Community Health Systems in Tennessee, an incident in which “only” 4.5 million patients were affected.
Although experts and consumers are concerned that health data should always be encrypted, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) does not explicitly require encryption. That is the topic of an article by Elizabeth Snell for HealthIT Security: “Should HIPAA Regulations Require Data Encryption?”
Snell argues that while insurers and other healthcare entities do not legally have to encrypt, “this does not mean that facilities can simply ignore this particular security measure because they find it time consuming or costly.” She details how legislators around the United States are working to pass measures so that encryption is no longer optional.
We explored the topic of HIPAA compliance in the first episode of our Google Hangout on Air (HOA) series (see the video above). The HOA featured Internet entrepreneur and development technologist Gabriel C. Murphy, who has cofounded four Internet companies and been a thought leader in the hosting industry since 1997.