Decisions on encryption are becoming more important for healthcare organizations as HIPAA penalties grow stiffer, yet some organizations still hold outdated, preconceived notions about the technology options. Wired recently published a piece called “9 Biggest Data Encryption Myths Busted” that is geared toward a general enterprise IT audience, but several of its arguments are sound from a healthcare perspective as well:
Encrypt regardless of compliance reasons – As the Office for Civil Rights (OCR) has said, healthcare organizations should encrypt all of their data because it’s good practice and is among the ways to keep data safe (though no solution is ever 100 percent secure).
Pair inexpensive encryption tools with knowledge of your organization – Organizational size shouldn’t be a deterrent to encryption. Even in a small clinic, an IT director who knows the organization well and has researched lightweight encryption tools should not find budget to be the obstacle when making the decision.
Cloud encryption key management has come a long way – Whichever cloud hosting vendor an organization chooses, key management shouldn’t be a big deal. Whoever holds the key can read the data, so letting the vendor manage it is a question of trust; if a business associate agreement (BAA) is in place, which binds the vendor to HIPAA’s safeguards, there should be no issue with the vendor managing the key. And software-based solutions make it easy for an organization to manage the key itself.
Encryption can be a big part of healthcare big data security – Data encryption will be critical for large data sets as well as smaller ones. As Wired points out, NoSQL environments and large quantities of protected health information (PHI) are good fits for encryption.
John Christly (CISO of Nova Southeastern University) echoed some of these points recently during the iHT2 webinar “Security, Privacy, and other Compliance Risks in a Post-Reform Era.” However, Christly also explained why some healthcare organizations still believe some of these myths, and why encryption can be a tough proposition in some instances.
Part of the problem, according to Christly, is that HIPAA currently treats encryption as an addressable specification rather than a required one, as some other elements are (addressable does not mean optional: an organization must either implement it or document why that is not reasonable and what equivalent safeguard it uses instead). Many organizations don’t encrypt until it’s too late because they don’t believe they have to. Another factor is that if you don’t have a good handle on where your data is and which devices are in use within your facility, you don’t know what to encrypt or where to start.
Typical shops have myriad devices in use: not just PCs and laptops but Macs, iPads, Windows-based tablets, external hard drives and thumb drives. On top of that comes tracking down where data moves, such as FTP servers transferring data in and out of the organization, email, interfaces with other programs, and the cloud. There is also the transfer of data to external business partners as part of interfacing with health information exchanges (HIEs).
Adding the cost of encryption technology to the cost of either training your current staff or hiring a vendor to do the work for you can be astronomical, and the process can also be very dangerous if it is not done right and thought out properly. “If you lose the key to that encrypted device, you’ve lost the data that’s on it. So users can be wary of IT shops trying to encrypt their devices,” Christly said.
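The two key-management points above, who holds the key (the cloud vendor or the organization) and what happens when a device key is lost, both come down to the same design: encrypt each record under a random data key, then wrap that data key separately under every key-encryption key (KEK) that is allowed to recover it, for example the device’s own key and an organization-held escrow key. The following Go program is an added example written for this page; it is not code from the article, from Wired, or from Christly’s talk. It uses AES-256-GCM from the Go standard library, the KEK labels "device" and "escrow" are assumptions, and the patient record is a constructed sample string, not real PHI.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// seal encrypts plaintext under a 32-byte key with AES-256-GCM and prepends the
// random nonce to the ciphertext. aad binds the ciphertext to its purpose.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key, nonce, aad or ciphertext were altered.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Envelope is one encrypted record plus its data key wrapped under each KEK.
// Losing one KEK (e.g. the device key) does not lose the record as long as
// another wrapped copy (e.g. under the escrow KEK) survives.
type Envelope struct {
	Record      []byte            // AES-GCM ciphertext of the record
	WrappedKeys map[string][]byte // KEK label -> data key wrapped under that KEK
}

// Encrypt generates a fresh data key for the record and wraps it under every KEK
// in keks (label -> 32-byte key). Labels "device" and "escrow" are assumptions.
func Encrypt(record []byte, keks map[string][]byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	rec, err := seal(dataKey, record, []byte("phi-record"))
	if err != nil {
		return nil, err
	}
	env := &Envelope{Record: rec, WrappedKeys: make(map[string][]byte)}
	for label, kek := range keks {
		w, err := seal(kek, dataKey, []byte("wrapped-data-key:"+label))
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[label] = w
	}
	return env, nil
}

// Decrypt unwraps the data key with the KEK registered under label, then opens
// the record. A wrong KEK or unknown label fails cleanly instead of returning garbage.
func Decrypt(env *Envelope, label string, kek []byte) ([]byte, error) {
	w, ok := env.WrappedKeys[label]
	if !ok {
		return nil, fmt.Errorf("no data key wrapped for %q", label)
	}
	dataKey, err := open(kek, w, []byte("wrapped-data-key:"+label))
	if err != nil {
		return nil, fmt.Errorf("unwrap with %q failed: %w", label, err)
	}
	return open(dataKey, env.Record, []byte("phi-record"))
}

// newKey returns a random 32-byte KEK (stand-in for a device key or an HSM/escrow key).
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func main() {
	deviceKey, escrowKey := newKey(), newKey()
	record := []byte("MRN 000123: constructed sample record, not real PHI")
	env, err := Encrypt(record, map[string][]byte{"device": deviceKey, "escrow": escrowKey})
	if err != nil {
		panic(err)
	}
	// The device key is lost or corrupted: a different key cannot unwrap it.
	if _, err := Decrypt(env, "device", newKey()); err != nil {
		fmt.Println("device path:", err)
	}
	// The organization's escrow key still recovers the same record.
	pt, err := Decrypt(env, "escrow", escrowKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered via escrow: %s\n", pt)
}
```

Which party holds the escrow KEK is exactly the vendor-versus-organization question from the cloud point above: if it lives in the vendor’s key service, the BAA is what governs that access; if the organization keeps it in its own HSM or key vault, the vendor never sees plaintext. Either way, the data key itself is never stored unwrapped, and the additional authenticated data on each wrap stops a wrapped key being swapped between labels.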