Data encryption options are quickly becoming a top security choice for healthcare organizations that are looking to remain innovative but still keep patient data out of the wrong hands. With a recent survey showing the quick growth of the global encryption software market, covered entities should ensure they understand how data encryption could be implemented at their organization.
By 2024, the global encryption software market is expected to reach $8.4 billion, according to Grand View Research, Inc. A combination of data loss and new governance and compliance regulations is expected to drive the need for data encryption, the report found.
“Organizational best practices point towards data encryption as a key solution for data privacy,” read a press release discussing the findings. “However, the lack of budget is the key reason cited by organizations for being unable to make extensive investments in encryption solutions and this is presumed to challenge the industry demand.”
The study also found that last year, the on-premise deployment segment accounted for over 60 percent of the market share, and it is expected to continue to grow. This growth is fueled by the increasing need for organizations to minimize the scope of compliance audits and to avoid public disclosures following data breaches.
Data encryption can be especially beneficial in the healthcare industry, as more organizations connect to HIEs, implement EHRs, and continue the push toward nationwide interoperability. With healthcare data encryption, organizations make health data unreadable without the applicable key or code to decrypt it.
Covered entities (CEs) and business associates (BAs) can then convert the original form of the information into encoded text, helping entities ensure that unauthorized individuals are not able to “translate” the data for their own use.
While HIPAA rules state that encrypting health data is “addressable” rather than “required,” organizations should not ignore health data encryption or automatically assume that it does not apply to their operations.
The National Institute of Standards and Technology (NIST) also published guidance to help healthcare entities better understand this gray area in data protection. Titled, “An Introductory Resource Guide for Implementing the HIPAA Security Rule,” the guidance was meant to provide more depth and insight by mapping HIPAA security controls to a standard security controls framework.
Earlier this year, NIST also released the final draft describing the channels for establishing cryptographic standards and guidelines. NIST addressed the importance of encrypting sensitive data by transforming it into an incomprehensible format until a recipient with a key can unlock the information.
“While our primary stakeholder is the federal government, our work has global reach across the public and private sectors,” NIST’s Chief Cybersecurity Advisor and Associate Director for the Information Technology Laboratory Donna Dodson said in a statement. “We want a process that results in standards and guidelines that can be used to secure information systems worldwide.”
NIST also reiterated the need for collaborations between all stakeholders, such as security professionals, researchers, standard developing organizations, and users, to establish strong encryption standards and processes.
Data encryption in healthcare is no longer a topic that providers can ignore, especially as healthcare cybersecurity threats continue to evolve. For example, ransomware attacks can be devastating to a covered entity, as they could potentially disrupt patient care. However, if patient data is kept secure, it will be more difficult for unauthorized third parties to capture the information and attempt to sell it on black markets or the deep web.
By taking advantage of available tools and guidance, healthcare organizations can ensure they are taking the necessary steps in data security. Whether that includes implementing a new encryption option or another tool, covered entities should understand how multiple laws and security frameworks apply.
The Office for Civil Rights (OCR) released a crosswalk in February 2016, explaining the “mappings” between the HIPAA Security Rule and NIST Cybersecurity Framework. While covered entities may have aligned their security program to one or both approaches, the crosswalk can help identify any potential gaps.
“Although the Security Rule does not require use of the NIST Cybersecurity Framework, and use of the Framework does not guarantee HIPAA compliance, the crosswalk provides an informative tool for entities to use to help them more comprehensively manage security risks in their environments,” the crosswalk explained.