When Encryption Isn’t Enough

July 3, 2015


There are rare occasions in the health care industry when encrypting protected patient health information isn’t enough to keep it secure. These instances are thankfully few and far between, but they can be nightmares for healthcare entities. Entities that are informed about when encryption might not be enough will be better prepared to handle breaches if they occur.

Encryption can be an excellent tool for guarding patient information, but there are times when it is not enough. One is when a data thief finds or otherwise obtains the password to a protected device or network. This can happen in a variety of ways, including hacking, but the end result is the same: a security breach. Employees who leave notes of their passwords in easily accessible areas can even cause this. At times, stolen devices that were already signed in to a network have been the cause of HIPAA breaches. These breaches have happened less often, but they are still possible. In other cases, employees who were formerly authorized are no longer authorized but still have access to the network.

In all of these cases, companies that already have a disaster plan and breach plans in place will find such breaches easier to deal with. In some cases the breaches can be avoided completely. By increasing the level of security on devices, maintaining up-to-date access lists for their networks and more, companies can greatly improve their security. There are times when encryption isn’t enough, but with a little pre-planning any covered entity can be ready to deal with any emergency that may arise.