As healthcare organizations invest in the latest technological advances for cost savings and better patient care, cybersecurity measures must also be considered. Healthcare data encryption and the de-identification of data are two essential methods for maintaining ePHI security.
The terms might seem similar, since both change how readable data is or how easily it can be traced back to an individual or a source, but they are two very different, and equally important, methods for healthcare.
Unencrypted data is a major contributor to healthcare data breaches, and its presence in a breach can also mean larger fines for an organization following an OCR investigation.
In one recent example, Fresenius Medical Care North America (FMCNA) agreed to a $3.5 million OCR settlement in February 2018 following five reported HIPAA data breaches. The incidents occurred at various FMCNA-affiliated covered entities, and OCR noted unencrypted devices in multiple investigations.
An unencrypted USB drive and an unencrypted laptop were stolen in two separate cases.
One of FMCNA’s covered entities, FVC Augusta, “failed to implement a mechanism to encrypt and decrypt ePHI,” OCR explained. The organization also did not have necessary policies and procedures in place to explain how certain functions must be performed.
As healthcare moves toward interoperability and an increased focus on value-based care, more organizations are considering secure health data sharing. Patient privacy cannot be forgotten in that process, which is where the de-identification of health data comes in.
De-identified data has had the identifiers that tie a record to an individual removed. But an organization can still commit a breach if it discloses the de-identified set together with the identifiable data it was derived from, as the following incident shows.
Arkansas-based Arkana Laboratories, formerly Nephropathology Associates, PLC, reported in 2015 that one of its employees sent an unsecured email to a vendor that included PHI and de-identified information.
“The vendor was the intended recipient of the e-mail, however, they did not require PHI to perform their services and only the de-identified component of the information should have been transmitted,” the statement explained, which was signed by Practice Coordinator and Compliance Officer C. Aaron Nichols, MHSA, CMPE.
“As a result of this incident Nephropath is reviewing its policies and procedures to protect against future incidents of this nature,” Nichols continued. “As part of this process we will be providing additional training to our workforce and the responsible employee.”
But what exactly is the difference between encrypting data and de-identifying it? Can healthcare organizations use one and not the other?
Understanding the differences between health data encryption and the de-identification of health data, and how each method can be appropriately utilized, will help covered entities create a comprehensive approach to healthcare data security.
What is health data encryption?
Data encryption is when an organization uses “an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key,” according to HHS.
Covered entities can lower the risk of data access by an unauthorized party by making it more difficult for that information to be read. For example, a hospital could ensure that all laptop computers and external hard drives are encrypted. If one of those devices is stolen, the thief would also need access to the encryption key to read sensitive data stored on the devices.
Encryption applies to data in two states: data in motion and data at rest.
Data in motion is information being sent from one individual or device to another through secure direct messaging, email, or another means of data exchange. If it is unencrypted, it can be intercepted in transit.
Data at rest is information being stored and is not being transported. Data at rest could be in a server or even in mobile devices, such as laptops or smartphones.
Healthcare organizations should consider data encryption options as they continue to implement new devices and as they opt for new ways to store data, including in the cloud.
Vice President of Commercial Operations & Chief Security Officer for IBM Watson Health Carl Kraenzel previously told HealthITSecurity.com that data encryption is critical as organizations turn toward cloud computing.
Cognitive intelligence can help protect an organization’s data, which will benefit entities using the cloud, he said.
“[An important] piece of protecting [your data] is to deploy a combo of encryption key management that is tied with a blast radius analysis,” Kraenzel stated. “By that I mean, you don’t put all of your data underneath one encryption key.”
Encrypting data should be a baseline measure. Splitting data across multiple encryption keys limits the blast radius: if one key is compromised, only the data protected by that key is exposed rather than the entire store.
“You have to have sophisticated, well-oiled key management linked to how your cloud is operated,” Kraenzel said.
Healthcare organizations can also utilize encryption with payment card processing, an area that increased in importance with the 2016 Banner Health cybersecurity attack. In that case, the organization’s POS system in the cafeteria was infiltrated.
Tony Hansen, Senior Security Consultant at Providence Health & Services, previously explained to HealthITSecurity.com why the organization opted to implement a Point-to-Point Encryption (P2PE) solution.
The solution works with Epic and encrypts the data with its own encryption keys. Encryption occurs when card data is keyed in or swiped at Providence clinics, Hansen said, and the data stays encrypted until it reaches the payment solution provider.
“Traditionally, healthcare has a very flat network,” Hansen said. “[The attackers] were able to walk the network [at Banner] until they got to patient data. If you don’t have those enticing ways in, because you have point-to-point encrypted solutions, then you don’t offer them an ‘easy pickings’ to get in.”
Providence Health does not actually have access to the data, Hansen added. If there is a security incident involving the machines, the card data is never exposed to the organization itself.
“This is a situation where we don’t need access to the data and we don’t have it,” he explained. “They can’t reach what you don’t have.”
What is de-identification of data?
The de-identification of data in healthcare happens when identifiers are removed from protected health information (PHI).
HHS lists 18 types of identifiers that must be removed under the Safe Harbor method. These include, but are not limited to, names, telephone numbers, email addresses, Social Security numbers, medical record numbers, geographic subdivisions smaller than a state (with a limited exception for the first three digits of a ZIP code), and all elements of dates other than the year, including any age over 89.
Once these elements are removed, the remaining medical information can be used in research, policy assessment, or comparative effectiveness studies without the Privacy Rule's restrictions on use and disclosure.
The HIPAA Privacy Rule provides two de-identification methods. The first is a formal determination by a qualified expert. An individual "with appropriate knowledge of and experience" in rendering data unidentifiable applies generally accepted statistical and scientific methods and determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, to identify an individual, according to HHS. The methods and results must also be properly documented.
The second method, called "Safe Harbor," removes the specified individual identifiers. HHS also requires that "the covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information."
“De-identified health information created following these methods is no longer protected by the Privacy Rule because it does not fall within the definition of PHI,” HHS explains. “Of course, de-identification leads to information loss which may limit the usefulness of the resulting health information in certain circumstances.”
Research is one of the more common reasons why healthcare organizations would need to de-identify data sets.
For example, a healthcare organization may opt for a qualified expert to determine the risk of identification. There are several ways for the expert to reduce that risk, according to HHS, some of which are outlined below.
In the HHS guidance, the first table shows PHI that may be used in a study, and the tables that follow show the same data after each technique is applied.
One type of identification risk mitigation is called suppression, where certain pieces of data are eliminated.
Another method for de-identifying data is by using generalized patient values. Instead of specifically stating that a male patient was 18 years old, the table would list the patient as being “under 21.” Zip codes could also be generalized to only showing three or four digits.
There is also perturbation, where “specific values are replaced with equally specific, but different, values.” Patient age could be shown within a three-year window, or zip codes could be within three digits of the original zip code, HHS explains.
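The three techniques above, suppression, generalization, and perturbation, applied to a small patient table, as an added example for this article (it is not code from the article, from HHS, or from any vendor). The records are constructed, and SMALL_ZIP3 is a hypothetical stand-in for the Census population lookup that Safe Harbor requires before a three-digit ZIP prefix may be kept; the ZIP perturbation is one interpretation of "within a few digits" and is an assumption. The leaked_identifiers check at the end is the kind of pre-release test that would have caught the Nephropath email described earlier, where identifiable and de-identified data went out together.

```python
"""Safe Harbor-style de-identification over a constructed patient table."""
import random

# Direct identifiers from the Safe Harbor list that appear in the table below
# (the full list has 18 categories, including dates and geographic units).
DIRECT_IDENTIFIERS = frozenset({"name", "phone", "email", "ssn", "mrn"})

# Hypothetical: ZIP prefixes whose combined population is under 20,000.
# Safe Harbor requires those three-digit prefixes to be reported as "000".
SMALL_ZIP3 = frozenset({"036", "059"})

# Constructed sample records; no real people or providers.
RECORDS = [
    {"name": "Patient A", "phone": "555-0101", "email": "a@example.org",
     "ssn": "000-00-0001", "mrn": "MRN-1001", "sex": "M", "age": 18,
     "zip": "30901", "admit_date": "2017-03-14", "dx": "E11.9"},
    {"name": "Patient B", "phone": "555-0102", "email": "b@example.org",
     "ssn": "000-00-0002", "mrn": "MRN-1002", "sex": "F", "age": 94,
     "zip": "03601", "admit_date": "2017-06-02", "dx": "I10"},
    {"name": "Patient C", "phone": "555-0103", "email": "c@example.org",
     "ssn": "000-00-0003", "mrn": "MRN-1003", "sex": "F", "age": 42,
     "zip": "98101", "admit_date": "2018-01-20", "dx": "J45.20"},
]


def suppress(record):
    """Suppression: drop the direct identifier fields outright."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def generalize(record):
    """Generalization: replace exact values with coarser categories.
    Ages over 89 collapse into one band and dates keep only the year, as
    Safe Harbor requires; other ages become 10-year bands."""
    out = suppress(record)
    age = out.pop("age")
    if age > 89:
        out["age_band"] = "90+"
    else:
        lo = (age // 10) * 10
        out["age_band"] = f"{lo}-{lo + 9}"
    zip3 = out.pop("zip")[:3]
    out["zip3"] = "000" if zip3 in SMALL_ZIP3 else zip3
    out["admit_year"] = out.pop("admit_date")[:4]
    return out


def perturb(record, rng, window=3):
    """Perturbation: keep fields equally specific but replace them with
    nearby, different values: age shifts by up to +/- window years, and the
    ZIP keeps its three-digit prefix but gets different last two digits
    (an assumed interpretation of "within a few digits")."""
    out = suppress(record)
    deltas = [d for d in range(-window, window + 1)
              if d != 0 and record["age"] + d >= 0]
    out["age"] = record["age"] + rng.choice(deltas)
    zip3, suffix = record["zip"][:3], record["zip"][3:]
    candidates = [f"{i:02d}" for i in range(100) if f"{i:02d}" != suffix]
    out["zip"] = zip3 + rng.choice(candidates)
    return out


def deidentify(records, method="generalize", seed=0):
    """Apply one technique to every record; seed makes perturbation repeatable."""
    rng = random.Random(seed)
    if method == "suppress":
        return [suppress(r) for r in records]
    if method == "generalize":
        return [generalize(r) for r in records]
    if method == "perturb":
        return [perturb(r, rng) for r in records]
    raise ValueError(f"unknown method: {method}")


def leaked_identifiers(records):
    """Pre-release check: which direct identifier fields are still present."""
    return sorted({k for r in records for k in r if k in DIRECT_IDENTIFIERS})


if __name__ == "__main__":
    for method in ("suppress", "generalize", "perturb"):
        out = deidentify(RECORDS, method)
        print(method, "leaked:", leaked_identifiers(out), "first row:", out[0])
```

Suppression alone leaves exact ages, ZIPs and dates in place, which is why it is not sufficient under Safe Harbor on its own; generalization is what makes the output conform to that method's date, age and ZIP rules, while perturbation is a tool an expert might use under the determination method rather than a Safe Harbor step.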
Data encryption and the HIPAA Security Rule
A key difference between data encryption and the de-identification of data is how HIPAA regulations apply to each.
Data encryption is an "addressable" rather than a "required" implementation specification under the HIPAA Security Rule. Addressable does not mean optional: the covered entity must assess whether the specification is reasonable and appropriate in its environment and, if so, implement it. If it is not, the entity must document why and adopt an equivalent alternative measure that is reasonable and appropriate.
The HIPAA Security Rule states that there are many technical security tools, products, and solutions available to help covered entities maintain PHI security.
“Determining which security measure to implement is a decision that covered entities must make based on what is reasonable and appropriate for their specific organization, given their own unique characteristics,” states the HIPAA Security Series from HHS.
Covered entities must determine if data encryption will be necessary and if it will benefit their workflow. The Rule “permits covered entities to determine whether the addressable implementation specification is reasonable and appropriate for that covered entity.”
Organizations should consider how and how often they transmit ePHI, and use a risk analysis to determine whether encryption is needed to protect ePHI during transmission. From there, entities must also consider the different types of encryption that could be used to protect ePHI.
For example, a large hospital system may allow physicians to utilize BYOD. The risk analysis will likely show that data encryption on all devices will be necessary to ensure ePHI security as the devices are consistently being moved from one location to another.
However, a single physician operating her own practice may not need the same mobile policy. Requiring encryption of a personal smartphone that never stores or transmits ePHI may not be deemed necessary, since that device is outside the scope of the risk to ePHI.
“As business practices and technology change, situations may arise where EPHI being transmitted from a covered entity would be at significant risk of being accessed by unauthorized entities,” the HIPAA Security Series reads.
“Where risk analysis shows such risk to be significant, a covered entity must encrypt those transmissions under the addressable implementation specification for encryption.”
HHS also maintains that encryption of data at rest and data in motion should be consistent with NIST guidance (NIST SP 800-111 for storage encryption, and SP 800-52, 800-77, and 800-113 for data in transit). ePHI encrypted in line with that guidance is considered "unusable, unreadable, or indecipherable," so its loss or theft does not by itself trigger breach notification, which is the practical payoff of encrypting laptops and removable media.
“Encryption can be applied granularly, such as to an individual file containing sensitive information, or broadly, such as encrypting all stored data,” NIST explains in its Guide to Storage Encryption Technologies for End User Devices.
“The appropriate encryption solution for a particular situation depends primarily upon the type of storage, the amount of information that needs to be protected, the environments where the storage will be located, and the threats that need to be mitigated.”
Implementing data encryption, de-identification of data methods
Both data encryption and de-identifying data mitigate privacy and security risks. These two methods can also help healthcare organizations prevent data breaches.
Entities can utilize different resources to help determine if data encryption is applicable and how best to go about data de-identification. Researching NIST data encryption methods can be beneficial, whether an organization is looking to use encryption for data at rest or data in motion.
HHS also has guidance on its website for performing a proper risk analysis and how to implement a risk management program. Entities should use their risk analysis to determine if data encryption is necessary. If not, organizations must provide documentation as to why and then discuss what measures will be implemented instead.
OCR has its own resources as well, including its guidance on the de-identification of data. That guidance was developed using input from stakeholders who gathered at a workshop in 2010, where panels addressed topics related to the HIPAA Privacy Rule's de-identification methodologies and policies.
Health data encryption and de-identification will benefit covered entities as they work to improve their cybersecurity measures. After conducting research, risk analyses, and potentially getting third-party assistance for implementation, organizations can make great strides in strengthening ePHI security.