Insurers aren’t required to encrypt consumers’ data under a 1990s federal law that remains the foundation for health care privacy in the Internet age — an omission that seems striking in light of the major cyberattack against Anthem.
Encryption uses mathematical formulas to scramble data, converting sensitive details coveted by intruders into gibberish. Anthem, the second-largest U.S. health insurer, has said the data stolen from a company database that stored information on 80 million people was not encrypted.
The main federal health privacy law — the Health Insurance Portability and Accountability Act, or HIPAA — encourages encryption, but doesn’t require it.
The lack of a clear encryption standard undermines public confidence, some experts say, even as the government plows ahead to spread the use of computerized medical records and promote electronic information sharing among hospitals, doctors and insurers.
–
If the voluntary approach isn’t working, “HHS should amend the security rule to make encryption mandatory,” he said.
___
Associated Press writers Brandon Bailey, Ted Bridis and Tom Murphy contributed to this report.
