As healthcare organizations continue to make the switch from physical to electronic records, implement EHRs, and connect to HIEs, healthcare data encryption options have also increased in popularity.
Healthcare data encryption is when covered entities or business associates make health data unreadable unless an individual has the necessary key or code to decrypt it. Organizations convert the original form of the information into encoded text, which can help entities ensure that unauthorized individuals are not able to “translate” the data for their own use.
HIPAA regulations do not require healthcare data encryption, but state that it is addressable. This means that healthcare organizations must determine which privacy and security measures will benefit their workflow.
“…it permits covered entities to determine whether the addressable implementation specification is reasonable and appropriate for that covered entity,” the Department of Health and Human Services (HHS) says on its website. “If it is not, the Security Rule allows the covered entity to adopt an alternative measure that achieves the purpose of the standard, if the alternative measure is reasonable and appropriate.”
Healthcare data encryption and data breach prevention
By making sensitive information unreadable, covered entities could make it more difficult for unauthorized parties to access that data. Even if a network was accessed, or if a mobile device was stolen, the translation card or key would also need to be taken.
As previously mentioned, organizations should consider data encryption if it is determined to be necessary to keep data secure through its normal operations. Entities should implement solutions that use existing system features, such as operating system features, according to the National Institute of Standards and Technology (NIST).
Solutions that need extensive changes to the infrastructure and end user devices should generally be used only when other solutions are not enough, NIST explained in a storage encryption guide.
“Organizations should carefully consider how key management practices can support the recovery of encrypted data if a key is inadvertently destroyed or otherwise becomes unavailable,” NIST said. “Organizations planning on encrypting removable media also need to consider how changing keys will affect access to encrypted storage on removable media and develop feasible solutions, such as retaining the previous keys in case they are needed.”
It is also important to understand that there are two kinds of data that can be encrypted: data in motion and data at rest.
Data in motion is information that is being sent from one individual or device to another, either by secure direct message or email. Data at rest is information that is being stored. A failure to encrypt data in motion could allow the information to be intercepted.
For example, the North Carolina Department of Health and Human Services (DHHS) experienced health data breaches because of an improperly encrypted email. In September 2015, the health data of 524 state Medicaid patients was potentially put at risk. The email was sent to the correct recipient, but there was a chance that the information was intercepted. Just one month prior, DHHS reported a similar incident.
DHHS said that it planned to update its email software, which would overhaul the email encryption process. The software will block any email containing patient information from being sent until the information has been encrypted.
“We take very seriously our responsibility to secure the personal information entrusted to us,” DHHS Deputy Secretary in charge of Medicaid Dave Richard said at the time. “This technology adds a safety net and a layer of protection that goes beyond the human element. This is an important, necessary addition to our workflow.”
With data at rest, mobile devices often come into play. This can include cell phones, laptops, or even external storage devices.
“Organizations also need to consider the security of backups of stored information,” NIST cautions in its guide. “Some organizations permit users to back up their local files to a centralized system, while other organizations recommend that their users perform local backups (e.g., burning CDs, external USB storage media). In the latter case, organizations should ensure that the backups will be secured at least as well as the original source.”
Numerous healthcare data breaches have been reported due to lost or stolen unencrypted devices or, if the device was encrypted, because the passcode was stolen along with the device.
Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to an OCR HIPAA settlement in June 2016, part of which stemmed from an employee’s stolen cell phone. The device was company issued, unencrypted, and not password protected.
CHCS must annually assess, update, and revise its security policies and procedures as necessary, according to its agreement. All CHCS workforce members need to be educated on any changes, and will receive new compliance certifications if needed.
“CHCS shall not involve any member of its workforce in the access of electronic protected health information (ePHI) if that workforce member has not signed or provided the written or electronic certification required…” the agreement reads.
Are organizations utilizing data encryption?
With the healthcare industry averaging the highest cost per stolen record, data encryption could be a viable option for organizations looking to find applicable breach prevention measures.
The 2015 Global Encryption and Key Management Trends Study found that more industries were adopting data encryption measures, with healthcare being one of the leading sectors.
The report found that 64 percent of respondents said they utilized encryption because they needed to comply with external privacy or data security regulations and requirements, while 42 percent said they had to protect information against specific threats.
The most common types of encryption technologies in terms of total usage rate for respondents in the US:
- Databases – 89 percent
- Internet communications – 89 percent
- Data center storage – 86 percent
- Business applications – 86 percent
- Backup and archives – 85 percent
- Email – 84 percent
- Internal networks – 83 percent
Healthcare data encryption was also described as a “particular imperative” for healthcare organizations in the 2016 California Data Breach report. The California Attorney General added that it should also be considered for other organizations as they look to keep personal data stored on laptops, desktop computers, and mobile devices secure.
“Foundational to those privacy practices is information security: if companies collect consumers’ personal data, they have a duty to secure it,” said California Attorney General Kamala D. Harris. “An organization cannot protect people’s privacy without being able to secure their data from unauthorized access.”