New Encryption Requirements For New Jersey Health Insurers May Catch On In Connecticut, But Probably Would Not Have Protected Anthem Subscribers

by Leonardo M. Tamburello

New Jersey has enacted and Connecticut is considering a bill that would require health insurance companies to encrypt electronic information in their possession. These developments come as the massive breach of personal protected health information at Anthem Health continues to reverberate throughout the healthcare industry.

While the New Jersey law and the Connecticut proposal are important steps that will protect individuals in cases where a laptop or flash drive is lost or stolen, they are unlikely to provide any serious defense against a determined attack such as the one on Anthem Health, which involved the compromise of administrator-level credentials.

The New Jersey law, which goes into effect on August 1, 2015, requires all health insurance carriers issuing benefits in the state to encrypt or otherwise render unreadable any “personal information” which they compile or maintain. This “personal information” includes a first name or initial and last name linked with an individual's Social Security Number, driver’s license or State ID number, or address, or any other form of individually identifiable health information such as medical or billing records, medical record numbers, or a variety of other identifiers.

The Connecticut proposal, much like New Jersey’s law, would require insurance companies operating in Connecticut to encrypt all personal information records they store and transmit. Connecticut would also go further by requiring that any health insurance company that holds, uses or transmits personal information adopt secure user authentication protocols (such as mandatory user IDs, unique passwords, and other measures) and upgrade its information safeguards to limit future risks.

While encryption of protected health information is strongly encouraged by the changes to HIPAA made by the HITECH Act and subsequent regulations, it is not currently required by federal law; under the HIPAA Security Rule, encryption is an “addressable” implementation specification, meaning a covered entity may document an equivalent alternative rather than implement it. However, as targeted attacks on health care data become more sophisticated and commonplace, encryption and other security measures are quickly becoming the industry standard.

It is unlikely that either the New Jersey law or the Connecticut proposal would have protected the Anthem subscribers affected by the most recent breach. That breach was discovered by a system administrator who noticed that their own credentials were being used to log into the system and submit queries. Unauthorized individuals who gain access to an administrator account can end-run around most, if not all, technical defenses: encryption at rest protects data that is read outside the system, such as from a stolen drive, but anyone the system authenticates is handed the decrypted data by design. No amount of encryption will protect against thieves who use phishing, social engineering or other means to steal the keys to the virtual kingdom; the remaining defenses are strong authentication for privileged accounts and monitoring that notices when those accounts are used in ways their owners do not recognize.
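Since the Anthem breach was noticed by an administrator who saw their own credentials in use, the practical control here is not encryption but detection of misused credentials. The following is an added example, not code from the original article or from Anthem, showing two simple checks over an authentication and query log: an account acting from a source address never seen for it before, and an account active from two different sources within a short window. The log format, account names and addresses are constructed for the example.

```python
"""Detect a privileged account being used from an unexpected place.

Added illustration, not part of the original article. Both checks run over
a constructed log whose format ("timestamp user source_ip action") is an
assumption for this example; real systems would parse their own audit logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: the administrator's usual host is 10.20.1.15.
# At night the same account logs in from 203.0.113.77 and runs an export,
# then the real administrator is back at their own host a few minutes later.
SAMPLE_LOG = """\
2015-01-27T08:02:11 dbadmin 10.20.1.15 login
2015-01-27T08:05:40 dbadmin 10.20.1.15 query members_by_ssn
2015-01-27T09:15:02 jsmith 10.20.4.8 login
2015-01-27T22:41:09 dbadmin 203.0.113.77 login
2015-01-27T22:43:55 dbadmin 203.0.113.77 query members_export
2015-01-27T22:50:12 dbadmin 10.20.1.15 query members_by_id
"""

# Constructed baseline: sources each account is known to use.
KNOWN_SOURCES = {
    "dbadmin": {"10.20.1.15"},
    "jsmith": {"10.20.4.8"},
}


def parse_log(text):
    """Turn the log text into (timestamp, user, source, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, action = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), user, src, action))
    return events


def new_source_alerts(events, known):
    """Flag every event where an account acts from a source not in its baseline."""
    alerts = []
    for ts, user, src, action in events:
        if src not in known.get(user, set()):
            alerts.append((ts, user, src, action))
    return alerts


def concurrent_use_alerts(events, window=timedelta(minutes=30)):
    """Flag an account active from two different sources within `window`.

    Returns (timestamp, user, this_source, other_source) for each clash.
    """
    alerts = []
    last_seen = defaultdict(dict)  # user -> {source: last timestamp}
    for ts, user, src, action in sorted(events):
        for other_src, other_ts in last_seen[user].items():
            if other_src != src and ts - other_ts <= window:
                alerts.append((ts, user, src, other_src))
        last_seen[user][src] = ts
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in new_source_alerts(evs, KNOWN_SOURCES):
        print("new source:", a)
    for a in concurrent_use_alerts(evs):
        print("concurrent use:", a)
```

On the sample log the first check fires twice, for the login and the export query from 203.0.113.77, and the second check fires once, when the administrator's own host is active a few minutes after the unfamiliar one. Neither check depends on whether the stored records were encrypted; both depend on the log capturing who did what from where, which is the visibility the article's administrator happened to have.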