Why does healthcare resist encryption?
The most basic security truth in 2014 is that encryption done properly -- a high enough level of encryption, proper safeguarding of the encryption key -- is the best thing an IT department can do.
Still, many industries resist encryption -- and healthcare is arguably the most strident.
Why? Although the answer changes with the healthcare expert speaking, much of the resistance is based on fear of change. That's not the FDR "fear itself" concern, but fear of what encryption could inadvertently do to sensitive integrated healthcare systems.
"Information and data in the healthcare industry is shared horizontally, across several organizations, positions and interested parties, much more so than in any other industry," said Elad Yoran, chief executive officer of cloud encryption company Vaultive. "With this, there is constant pressure to make data more readily accessible.
"Many healthcare leaders believe that encrypting data increases the time to retrieve and review information which ultimately decreases efficiency," he added. "Although this isn't the case anymore, it's certainly a concern organizations still have."
Others see the fear as less industry-wide and more provider-based, although the result is the same.
"Healthcare organization executives themselves are not resisting encryption, but when it gets to the doctor and nurse level, there is a more heated battle," said Lysa Myers, a security researcher at software vendor ESET. "The docs and nurses are concerned about usability of systems and use workarounds. In healthcare, one second could cost a life. Is that an excuse for loose security? No."
Then there are the licensing fears and concerns about what impact encryption could have on medical products. Jason Fredrickson, a senior director at Guidance Software, tried to explain how such a fear – even if it's not fact-based – spreads through medical officers.
"Consider a piece of equipment monitoring a patient's vital signs in the ICU," he said. "The equipment is designed to work with a specific hardware/software configuration. There is no room for mixing and matching hardware and software with such a vital piece of equipment. And the vendors guarantee the equipment will operate as promised, as long as the hardware/software is operated as designed.
"Failure could result in death," said Fredrickson. "So when the IT security team suggests introducing a security software such as anti-virus or encryption, those responsible for using the equipment will protest."
"First, the equipment is not able to accept the software without potentially compromising the operations of the equipment. Second, if the equipment is altered, the vendor's attorneys will void the guarantee. The hospital then becomes liable for any death caused by the machine's lack of performance. And hospitals are generally known to be up to their eyelashes in lawsuits. Third, the first priority of this equipment is to save lives. Anything that interferes with that basic premise is unacceptable."
Properly done encryption should not interfere with medical systems, but unless software contracts explicitly say that it's permissible, lawsuit-worried medical executives will back off.
"Installing any security measures on machines that may slow performance or cause instability is considered by these conservative users to be far more risky for the patients they are tending than the ramifications of a security breach," Fredrickson said. "Encryption, by its very nature, impacts performance and is therefore a very tough sell."
Then there is the nature of equipment—and equipment operating systems—in a medical environment, said Clearwater Compliance CEO Bob Chaput.
"In a clinical environment, the number of operating systems requiring encryption is far greater than you find in other industries," he said. "It isn't just a matter of encrypting servers, laptops and mobile devices. You also have to consider encrypting diagnostic devices (e.g. EKG, EEG, MRI, etc) and laboratory equipment (e.g. hematology analyzer).
"Many of these devices have their own unique challenges," he added. "And this is just the tip of the iceberg for consideration of every healthcare system requiring protection. When it comes down to actual implementation, it is a costly endeavor to inventory and encrypt all of these points of risk. Healthcare is struggling to keep costs down. It's not as simple for a hospital to encrypt as it is for the bank down the street, but it still has to be done."
What about more IT-perceived, encryption-fueled complexity? Michelle Blackmer, the healthcare industry marketing director for Informatica, points out that HIPAA fails to require medical records to be encrypted. Even worse, the people with the skills needed to deliver encryption and tokenization are in short supply and they are expensive.
"There is a lack of clarity in regulatory requirements, data is routinely stored in fields that may not be the intended field and there is a high cost associated with customizing applications to include encryption and tokenization. To this last point, encryption is a good technique when you only have to protect one or two fields that are very rarely accessed, but healthcare is unique in that sensitive data spans several fields and tables," Blackmer said.
"Using encryption is not practical in that it can introduce significant performance issues as well as maintenance issues. To be successful, health IT professionals need to look at alternative approaches that include tracking, identifying and securing patient data as it proliferates between applications like EPR, EHR and analytics as well as across an increasingly expansive ecosystem."