Encryption News

Encryption is the Digital PPE the Healthcare Industry Needs Now

The most effective way to ensure the security of our health information is to adopt and preserve uncompromised, end-to-end encryption practices, as well as the policies that support them.

By: Kenneth Olmstead, Internet Society; Greg Nojeim, Center for Democracy & Technology; Charles Bradley, Global Partners Digital

A lack of personal protective equipment and ventilators are top of mind for doctors, nurses and hospital administrators on the front lines of the COVID-19 pandemic, and for good reason – lives hang in the balance each minute of each day. But that’s not the only challenge straining healthcare providers still grappling with the outbreak of COVID-19 across the country.

Cyber-criminals have found a new goldmine in the increasing amounts of health data online, and the recent surge in attacks points to massive security gaps with both providers and patients.

However, the rise in criminal activity is not entirely surprising consider the vast amount of health data online. Telemedicine is also increasingly supplementing a traditional visit to the doctor’s office. Many U.S. hospitals now rely on digital records. And with companies racing to develop contact tracing and other health tracking apps, the sheer volume of data being generated is hard to grasp.

The threat is so dire that in a rare announcement last month, cybersecurity officials in both the U.S. and UK warned that national and international healthcare organizations should brace for cyberattacks during the COVID-19 pandemic. In addition, the CyberPeace Institute has put out a call for governments to work together to address cyber attacks on healthcare, which is rapidly becoming the number one target for cybercrime.

The good news is digital protective equipment for our healthcare system already exists, and it can be used by anyone–encryption.

Encryption is an important technology that helps Internet users keep their information and communications confidential and secure, and serves a crucial role in reinforcing the personal security of billions of people every day.

Encryption can help the healthcare industry boost its digital security practices in two ways. The first is protecting “data at rest” (e.g. data stored on hospital servers) by encrypting stored data so that even if it’s breached it will be useless to the attacker. Encryption can also protect “data in motion,” which is crucial to keeping telemedicine communications between doctors and patients confidential. Strong encryption is vital to protecting the data and records from bad actors.

End-to-end encryption provides the highest level of security. It not only protects the communication from interception by bad actors, but also prevents the company providing the video conferencing service from accessing that communication. The only two parties that should have access to a telemedicine treatment session are the doctor and the patient.

But while encryption is vital to the integrity of the healthcare industry, some governments are trying to undermine it.

This is why we have joined forces with other forward leaning organizations to form the Global Encryption Coalition, to advocate strongly against government attempts to weaken encryption . We also call on governments to promote digital security by proactively deploying strong encryption and employing privacy-by-design principles in the design and implementation of digital technology solutions for health and telemedicine.

Weakening encryption would open Pandora’s box for potential criminal activity and could have devastating consequences for the personal security of billions of people and for industries trying to navigate a global health crisis. Breaking encryption, even with the best of intentions, puts all digital infrastructure at risk.

Both the Executive Order on Section 230 that President Trump signed last week and the EARN IT Act – legislation before the U.S. Congress that some critics have dubbed the “anti-encryption bill” – contain dangerous flaws and attempts to undermine encryption. However, the Invest In Child Safety Act aims to solve the same problem as the EARN IT Act, combatting online child exploitation, but without threatening encryption.

The most effective way to ensure the security of our health information is to adopt and preserve uncompromised, end-to-end encryption practices, as well as the policies that support them. We look forward to working alongside leaders in the Global Encryption Coalition to ensure strong encryption for people and industries, alike.

Kenneth Olmstead is a Senior Advisor on Internet Security & Privacy at the Internet Society. Greg Nojeim is the Director of the Freedom, Security & Technology Project at the Center for Democracy & Technology. Charles Bradley is the Executive Director of Global Partners Digital.