Many people may be surprised to learn that HIPAA laws do not require any specific type of health data encryption.
However, regulatory updates since the Security Rule’s enactment have shown how critical HHS thinks encryption is, and for good reason.
Concentra Health paid $1,725,220 to settle potential HIPAA violations after an unencrypted laptop was stolen from one of its offices. That is just one example; there are many more.
The fact is, the likelihood of your organization experiencing a breach is greatly reduced by the implementation of an effective encryption regimen. Being prepared will help eliminate the possibility that common occurrences, like stolen equipment, lead to embarrassing breaches that damage your business and reputation, as well as cost big money in potential fines.
Understanding health data encryption
Encryption is an “addressable” implementation specification under the HIPAA Security Rule. “Addressable” does not mean optional. It means the covered entity must assess whether encryption is reasonable and appropriate in its environment, and is responsible for how it meets the specification (or, with documented justification, for an equivalent alternative).
Under the HIPAA Security Rule, there are two implementation specifications related to encryption:
- Encryption and Decryption, § 164.312(a)(2)(iv): Implement a mechanism to encrypt and decrypt electronic protected health information.
- Encryption, § 164.312(e)(2)(ii): Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
The Security Rule also requires that encryption “must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of ePHI (electronic protected health information).”
If the entity decides that encryption is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate.
In nearly every circumstance, however, covered entities and their service providers should encrypt ePHI both at rest and in transit. They must also use documented, carefully thought-out methods for ensuring that all ePHI is actually encrypted, and store the decryption keys separately from the encrypted data, in a way that only authorized personnel can reach them. Encrypted data stored next to its own key is not protected against the person who walks off with the disk.
There are numerous encryption systems available, but many are burdened by significant challenges like decreased performance, higher costs, and increased complexity. Choosing the appropriate encryption system for the unique needs of the healthcare provider, or capabilities of the service provider, is critical for keeping productivity as high as possible while enjoying the increase in protection and overall security assurance.
What to keep in mind with health data encryption
Even if a healthcare organization has an encryption system in place, there are still several process-related functions that must be handled properly. Here are a few recommendations that will help your organization handle encrypted data properly:
- Do not rely on a VPN (Virtual Private Network) alone to support remote workers. A VPN encrypts the tunnel between the remote machine and the office network, but only while the connection is up, and it does nothing for data once it reaches the remote device. VPNs are also cumbersome in practice: they are prone to operator error, which hurts a practice’s productivity, and they usually require client software to be installed on the remote machine. When a system is hard to use, people look for ways around it, and VPNs are a perfect example. More concerning, a VPN neither logs nor controls application and data access, so ePHI can easily be copied from a secure location inside the network to an unsecured device or network. It is much better to give remote workers a simpler, cloud-based way to reach their applications and data that gates and logs access to ePHI.
- Keep ePHI off portable storage devices like USB flash drives. There are numerous examples of flash drives containing ePHI being lost or stolen, sometimes resulting in serious data breaches. Instead, give your workers a simple way to share encrypted data.
- Keep ePHI off laptops and tablets. It is possible to encrypt data stored on portable machines, but that adds complexity and cost, and a stolen device still gives an attacker unlimited time to attack the encryption. It is much better to keep ePHI on a secure server within the organization’s control. If a portable device must hold ePHI, use full-disk encryption that meets HHS guidance (which points to NIST SP 800-111 for data at rest) with a key that is not stored on the device itself; loss of a device encrypted that way is not a reportable breach under the Breach Notification Rule, whereas loss of an unencrypted one is.
- Be wary of HIPAA compliance claims made by cloud storage services. There are no “HIPAA-certified” cloud storage providers, since the Department of Health and Human Services (HHS) does not require or formally recognize any such certification program. In addition, simply subscribing to a service that is billed as “HIPAA compliant” can create a dangerous false sense of security. A practice cannot outsource HIPAA compliance and remains responsible for the security of its ePHI. At a minimum, any cloud provider that stores or processes ePHI is a Business Associate and must sign a Business Associate Agreement before it receives any ePHI; a provider that will not sign one should not hold ePHI at all.
The best encryption solution for healthcare providers will support:
- Secure remote access to encrypted data that does not require special software
- Ability to access encrypted files from any type of device, including tablets
- Ability to run on inexpensive, industry-standard hardware
- Ability to be backed up along with all other files and applications without decrypting the information
- Ability to prevent access to the encrypted data by unauthorized users
- Ability to log each time a user attempts to access the encrypted storage area (and the ability to retain those logs for as long as 28 years)
- Support for current encryption standards: TLS for data in transit, using certificates with RSA-2048 or stronger keys, and AES-256 for data at rest.
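The checklist above, and the earlier point about keeping decryption keys apart from the encrypted data, can be made concrete. The following is an added example written for this article, not code from Vertiscale or from any product it describes. It shows envelope encryption in Go’s standard library: each record gets its own AES-256-GCM data key, that data key is wrapped under a separate key-encryption key (KEK) held by a stand-in for a KMS/HSM, and every access attempt, allowed or refused, is written to an audit log. The record ID is bound into the ciphertext as authenticated data so a ciphertext cannot be moved under another patient’s ID. The stored record (ciphertext plus wrapped key) can be copied to backup media as-is, because nothing in it is usable without the KEK. The user names, record IDs and the sample ePHI string are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Record is what lands on disk and in backups: encrypted ePHI plus its
// data-encryption key (DEK) sealed under the KEK. Neither field is usable
// without the KEK, so backups need no decryption step.
type Record struct {
	WrappedDEK []byte // DEK sealed with AES-256-GCM under the KEK
	Ciphertext []byte // ePHI sealed with AES-256-GCM under the DEK
}

// AccessEvent is one audit-log line; refused attempts are logged too.
type AccessEvent struct {
	When     time.Time
	User     string
	RecordID string
	Action   string
	Allowed  bool
}

// KeyStore stands in for the KMS/HSM that holds the KEK and the list of
// authorized users. In production the KEK never leaves that system.
type KeyStore struct {
	kek        []byte
	authorized map[string]bool
	Log        []AccessEvent
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewKeyStore takes a 32-byte KEK (AES-256) and the users allowed to use it.
func NewKeyStore(kek []byte, users []string) *KeyStore {
	ks := &KeyStore{kek: kek, authorized: map[string]bool{}}
	for _, u := range users {
		ks.authorized[u] = true
	}
	return ks
}

// sealGCM encrypts with AES-GCM and prepends the random nonce. aad is
// authenticated but not encrypted; it binds the ciphertext to a context.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; a wrong key, wrong aad or any tampering fails.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

func (ks *KeyStore) audit(user, id, action string, allowed bool) {
	ks.Log = append(ks.Log, AccessEvent{When: time.Now(), User: user, RecordID: id, Action: action, Allowed: allowed})
}

// Encrypt generates a fresh DEK per record and wraps it under the KEK.
func (ks *KeyStore) Encrypt(user, recordID string, phi []byte) (Record, error) {
	if !ks.authorized[user] {
		ks.audit(user, recordID, "encrypt", false)
		return Record{}, fmt.Errorf("user %q is not authorized", user)
	}
	dek := randomBytes(32)
	ct, err := sealGCM(dek, phi, []byte(recordID))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := sealGCM(ks.kek, dek, []byte(recordID))
	if err != nil {
		return Record{}, err
	}
	ks.audit(user, recordID, "encrypt", true)
	return Record{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt refuses unauthorized users before touching any key material and
// logs the attempt either way.
func (ks *KeyStore) Decrypt(user, recordID string, rec Record) ([]byte, error) {
	if !ks.authorized[user] {
		ks.audit(user, recordID, "decrypt", false)
		return nil, fmt.Errorf("user %q is not authorized", user)
	}
	dek, err := openGCM(ks.kek, rec.WrappedDEK, []byte(recordID))
	if err != nil {
		ks.audit(user, recordID, "decrypt", false)
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	phi, err := openGCM(dek, rec.Ciphertext, []byte(recordID))
	if err != nil {
		ks.audit(user, recordID, "decrypt", false)
		return nil, fmt.Errorf("decrypt record: %w", err)
	}
	ks.audit(user, recordID, "decrypt", true)
	return phi, nil
}

func main() {
	kek := randomBytes(32) // constructed; in production this lives in the KMS
	ks := NewKeyStore(kek, []string{"dr.alice"})
	rec, _ := ks.Encrypt("dr.alice", "mrn-1001", []byte("constructed sample ePHI"))
	_, err := ks.Decrypt("intern.bob", "mrn-1001", rec) // not on the list: refused
	fmt.Println("unauthorized attempt refused:", err != nil)
	for _, e := range ks.Log {
		fmt.Printf("%s user=%s record=%s action=%s allowed=%v\n",
			e.When.Format(time.RFC3339), e.User, e.RecordID, e.Action, e.Allowed)
	}
}
```

Restoring a backup on a new KeyStore that holds the same KEK decrypts normally; a store with any other KEK cannot unwrap a single DEK, which is exactly the property that makes the backup safe to hand to a storage provider. The audit log here is an in-memory slice; in a real deployment it would go to append-only storage kept for whatever retention period applies.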
It can sound a bit daunting at first, but it really doesn’t have to be.
Regardless of which software solution you employ, don’t ignore the facts; keep your risk profile as low as you can.
Start by conducting an assessment of your current IT infrastructure and access points. Look at how well they handle desirable features like secure remote access as well as speed and ease of use. Do this in close cooperation with your Managed Service Provider since, as a Business Associate, they share responsibility for preventing unauthorized disclosures of ePHI.
There are numerous software-based systems that can make conducting your own assessment cost-effective and efficient, and many of these systems also provide support to help ensure on-going compliance.
Next, be sure that your MSP has access to the tools and technology you need to ensure compliance, including a solid approach to encryption. Then work closely with your service provider to make sure you understand how they are configuring and supporting your infrastructure, so you can be certain they deliver all the functional capabilities you need to run your operation in a compliant manner.
As long as you don’t ignore the risks, you’ll be far better off than if you operated as though there were none. Don’t be one of the 18,000 providers hit by HIPAA violations last year; take action today.
Jon Senger is the CTO at Vertiscale and serves as healthcare IT and security advisor to Managed Service Providers.