In light of the cyberattack against Anthem, federal officials plan to review whether HIPAA should require encryption, according to the Associated Press.
The Senate Health, Education, Labor and Pensions committee on Friday said it will take up the matter as part of a bipartisan review of health information security.
"We need a whole new look at HIPAA," David Kibbe, CEO of DirectTrust, a nonprofit working to create a national framework for secure electronic exchange of personal health information, told the AP.
Information on up to 80 million consumers, including names, birth dates, addresses, email addresses, employment information and Social Security/member identification numbers, was compromised in the attack on Anthem. That information reportedly was not encrypted.
However, Anthem spokeswoman Kristin Binns told the AP that the hacker also had a system administrator's ID and password, which would have made encryption a moot point. Binns said the company normally encrypts data that it exports.
Some security experts, however, say a stolen credential by itself shouldn't be a key to the whole data kingdom, and that information should be encrypted wherever it resides, whether in transit; sitting in a database, as Anthem's was; or on a mobile device.
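The distinction the two previous paragraphs turn on, between disk-level encryption that a running database decrypts for anyone holding a valid credential and field-level encryption whose keys sit behind a separate, audited service, can be shown in a few dozen lines. The following is an added example written for this article; it is not Anthem's code and describes nothing about Anthem's actual systems. The member records are constructed, the principal names ("db-admin", "claims-app") and the alert threshold are assumptions, and the HMAC-based cipher is a standard-library stand-in for AES-GCM so the example runs without third-party packages.

```python
"""Stolen database credential vs. encryption at rest: what each design leaks.

Added example (not from the original article or from Anthem). Demonstrates why
a single compromised credential should not unlock every record, and how a key
service that enforces its own authorization and counts decryptions turns a
bulk export into something that can be denied and detected.
"""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records; every value here is fictitious.
MEMBERS = [
    {"id": 1, "name": "A. Example", "ssn": "000-00-0001"},
    {"id": 2, "name": "B. Example", "ssn": "000-00-0002"},
    {"id": 3, "name": "C. Example", "ssn": "000-00-0003"},
]


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one record key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256. Demo stand-in for AES-GCM."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject on mismatch."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class KeyService:
    """Holds the master key, decrypts fields only for allowed principals, and
    counts decryptions per principal so bulk reads surface as an alert.
    The allowed principal set and threshold are assumptions for the demo."""

    ALLOWED = {"claims-app"}  # the application identity, not the DB admin

    def __init__(self, master_key: bytes, alert_threshold: int = 100):
        self._master = master_key
        self.alert_threshold = alert_threshold
        self.requests: Counter = Counter()
        self.alerts: list = []

    def _record_key(self, record_id: int) -> bytes:
        # Per-record key derived from the master; the master never leaves here.
        return hmac.new(self._master, f"member:{record_id}".encode(), hashlib.sha256).digest()

    def protect(self, record_id: int, value: str) -> bytes:
        return encrypt(self._record_key(record_id), value.encode())

    def reveal(self, principal: str, record_id: int, blob: bytes) -> str:
        if principal not in self.ALLOWED:
            raise PermissionError(f"{principal} may not decrypt member data")
        self.requests[principal] += 1
        if self.requests[principal] == self.alert_threshold:
            self.alerts.append(f"{principal} reached {self.alert_threshold} field decryptions")
        return decrypt(self._record_key(record_id), blob).decode()


def store_with_disk_encryption(members: list) -> dict:
    """Full-disk/TDE model: the volume is encrypted, but the running database
    hands plaintext rows to any principal with a valid database credential."""
    return {m["id"]: dict(m) for m in members}


def store_with_field_encryption(members: list, ks: KeyService) -> dict:
    """Field-level model: the sensitive column is ciphertext inside the DB."""
    table = {}
    for m in members:
        row = dict(m)
        row["ssn"] = ks.protect(m["id"], m["ssn"])
        table[m["id"]] = row
    return table


def dump_with_db_credential(table: dict) -> list:
    """What an admin-level database credential yields: every row as stored."""
    return [row["ssn"] for row in table.values()]


def demo() -> dict:
    ks = KeyService(secrets.token_bytes(32), alert_threshold=3)
    disk_leak = dump_with_db_credential(store_with_disk_encryption(MEMBERS))
    field_table = store_with_field_encryption(MEMBERS, ks)
    field_leak = dump_with_db_credential(field_table)  # ciphertext blobs only
    try:  # the stolen DB credential alone gets nothing from the key service
        ks.reveal("db-admin", 1, field_table[1]["ssn"])
        denied = False
    except PermissionError:
        denied = True
    app_reads = [ks.reveal("claims-app", i, field_table[i]["ssn"]) for i in field_table]
    return {"disk_leak": disk_leak, "field_leak": field_leak, "denied": denied,
            "app_reads": app_reads, "alerts": list(ks.alerts)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The design choice worth noting is that the key service is a separate trust boundary with its own principal check and its own counters: the database credential that was sufficient in the disk-encryption model buys only ciphertext here, and the legitimate application path still works but leaves an auditable count that a bulk read trips.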
When the HITECH Act promoting computerized medical records was passed in 2009, it seemed to be a reasonable balance, creating incentives for encryption without imposing a one-size-fits-all solution, Indiana University law professor Nicolas Terry told the AP. Now he's concerned that events may have shown the compromise is unworkable.
Only slightly more than half of healthcare employees (59 percent) use full-disk encryption or file-level encryption on computing devices at work, a Forrester research report published last September found.
Mac McMillan, current chair of the HIMSS Privacy and Security Policy Task Force, however, has said he doesn't see much happening before the next presidential election.