The Healthcare Information and Management Systems Society (HIMSS) recently released a report analyzing Department of Health and Human Services (HHS) data breach records. Noting that a large portion of these breaches involved lost or stolen laptops and mobile devices, the report concluded that data could have been protected and affected entities would have been insulated from reporting the breach if the information on these devices had been encrypted.
The report noted that past studies have estimated the cost of a data breach to an organization to average $204 per record. The loss or theft of a single laptop containing 200 records could total more than $40,000. In addition to these costs, the HITECH breach notification requirement also mandates that organizations notify HHS and the affected individuals, likely triggering an investigation and fines. If data is encrypted, however, healthcare providers are insulated from these costs and the reporting requirement.
Given the high potential cost of a laptop theft or loss and the low cost of data encryption software, the report recommended that organizations encrypt their data. The researchers noted that, while there is a range of data compliance measures organizations can take, including physical and administrative controls, encryption is the only method that single-handedly meets the HIPAA Security Rule's standard of "reasonable and appropriate" protection.
"There is no single safeguard that can universally compensate for data encryption," the report stated. "In fact, encryption is such a good safeguard, that it may be hard to decide against encryption as the best safeguard in many scenarios. (The fact that encryption is identified as a safe harbor from the breach notification requirements of the HITECH Act makes it highly desirable for risk mitigation.)"
Lisa Gallagher, senior director of privacy and security for HIMSS, told InformationWeek that, despite the benefits of encryption and the requirements of the HIPAA Security Rule of 2003, many healthcare organizations have ignored the data security requirement.
"Anecdotally, it's the cost of encryption technology and also a lack of ability to implement it," she said. "Many smaller physician offices and community hospitals don't have anyone on staff who knows how to load the software and encrypt data on the network and on portable devices. And until recently, there was no push for it. It was easy to say, 'it's too expensive or too hard.'"
Given the availability of encryption solutions that are easy to implement and protect stored files both inside and outside the enterprise, many organizations may find that the barriers to achieving reasonable and appropriate protection are lower than ever, even as the cost of not doing so becomes more apparent.