Healthcare Data Encryption not ‘Required,’ but Very Necessary

While HIPAA regulations do not specifically require healthcare data encryption, it is an extremely necessary security measure that should be considered.

Healthcare data encryption should be a key aspect to organizations' data security measures.


By Elizabeth Snell

Healthcare cybersecurity is essential for covered entities of all sizes, especially as ransomware attacks and other types of malware become more common. Healthcare data encryption is often discussed in these situations as well, with many in the industry underlining its importance.

HIPAA regulations do not specifically require data encryption, and instead qualify it as an “addressable” aspect. However, it is a very necessary piece to the larger data security puzzle.

In this primer, we will review the basics of healthcare data encryption and explain why it is so critical in the current healthcare cybersecurity landscape.

What is healthcare data encryption?

Encrypting data means an organization converts the original form of the information into encoded text. Data is unreadable unless an individual has the necessary key or code to decrypt it.

With healthcare data, this involves securing ePHI and keeping it confidential so unauthorized individuals cannot access or use the information, even if they are able to find the information in a database or network.


“The Security Rule defines ‘confidentiality’ to mean that e-PHI is not available or disclosed to unauthorized persons,” HHS states on its website. “The Security Rule's confidentiality requirements support the Privacy Rule's prohibitions against improper uses and disclosures of PHI.” 

The Security Rule also emphasizes the importance of ePHI integrity and availability. Covered entities maintain integrity by ensuring ePHI is “not altered or destroyed in an unauthorized manner,” while availability means the data remains accessible and usable by authorized individuals when they need it.

There are also two kinds of data that can be encrypted: data in motion and data at rest.

Data in motion is information being transmitted from one individual or device to another, for example through a secure Direct message or email. Data at rest is information that is being stored.

The difference between ‘addressable’ and ‘required’

Encryption and decryption fall under the Access Control aspect of HIPAA technical safeguards. The Security Rule does not require specific technical solutions, and instead maintains that there are many technical security tools, products, and solutions that a covered entity may select to maintain PHI security.


“Determining which security measure to implement is a decision that covered entities must make based on what is reasonable and appropriate for their specific organization, given their own unique characteristics, as specified in § 164.306(b) the Security Standards: General Rules, Flexibility of Approach,” states the HIPAA Security Series from HHS.

Access control gives users the rights or privileges needed to reach specific areas containing information, including information systems, applications, programs, or files. These rights and privileges should be granted based on an individual’s job function, and the “minimum necessary” standard must be followed.

Essentially, individuals should only be given the minimum necessary access to properly perform their job. This is especially critical when PHI access is taken into account.  

For encryption and decryption specifically, HHS explains that healthcare organizations must determine if this measure will be necessary and benefit workflow.

“…it permits covered entities to determine whether the addressable implementation specification is reasonable and appropriate for that covered entity,” HHS stated. “If it is not, the Security Rule allows the covered entity to adopt an alternative measure that achieves the purpose of the standard, if the alternative measure is reasonable and appropriate.”


HHS added that covered entities should consider which ePHI should be encrypted and decrypted to prevent unauthorized access by persons or software programs. Additionally, organizations can consider reasonable and appropriate mechanisms “to prevent access to ePHI by persons or software programs that have not been granted access rights.”

Healthcare organizations can use their risk analysis to determine whether an addressable specification such as encryption is reasonable and appropriate for them. The risk analysis is itself another key aspect of HIPAA regulations, and all entities should be performing regular risk analyses.

Davis Wright Tremaine LLP associate Anna Watterson explained in a previous interview that the risk analysis is the foundation of an organization’s Security Rule compliance.

“The addressable ones need to be implemented if reasonable and appropriate,” Watterson said. “So the risk analysis can be the basis for determining whether a particular addressable implementation specification is reasonable and appropriate to implement in a particular circumstance.”

Understanding the data encryption options

The National Institute of Standards and Technology (NIST) explained in a storage encryption guide that organizations should implement encryption solutions that use existing system features, such as operating system features.

Solutions that require extensive changes to the infrastructure or to end user devices are more difficult to deploy, and NIST advises that they generally be used only when other solutions are not sufficient.

“Organizations should carefully consider how key management practices can support the recovery of encrypted data if a key is inadvertently destroyed or otherwise becomes unavailable,” NIST wrote. “Organizations planning on encrypting removable media also need to consider how changing keys will affect access to encrypted storage on removable media and develop feasible solutions, such as retaining the previous keys in case they are needed.” 
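As an added illustration of the key-retention point NIST makes above (example code written for this page, not NIST’s or HHS’s), the Go snippet below keeps a ring of versioned AES-256-GCM keys: new records are sealed under the newest key, each blob records which version encrypted it, and rotating in a new key never discards the old ones, so ePHI at rest encrypted before the rotation stays recoverable, while a copy of the data held without the ring, as on a stolen laptop, stays unreadable. The KeyRing type, the blob layout and the sample record are assumptions of this example, and Go’s standard-library AES is not by itself a FIPS 140-2 validated module.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

const nonceLen = 12 // standard AES-GCM nonce size
// KeyRing maps key version -> AES-256-GCM instance. Old versions are retained so
// ePHI encrypted before a rotation stays recoverable; only the newest encrypts.
type KeyRing map[byte]cipher.AEAD

// Rotate installs a 32-byte key as the newest version and returns its number.
func (r KeyRing) Rotate(key []byte) (byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return 0, err
	}
	g, _ := cipher.NewGCM(block) // cannot fail: AES always has a 16-byte block
	v := byte(len(r) + 1)
	r[v] = g
	return v, nil
}

// Seal encrypts under the newest key as version || nonce || ciphertext+tag; the
// version byte is bound as associated data, so altering it fails the tag check.
func (r KeyRing) Seal(plaintext []byte) ([]byte, error) {
	v := byte(len(r))
	g, ok := r[v]
	if !ok {
		return nil, errors.New("key ring is empty")
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	hdr := append([]byte{v}, nonce...)
	return g.Seal(hdr, nonce, plaintext, []byte{v}), nil
}

// Open decrypts with whichever retained key version the header names. A copy
// of the data held without the ring (say, on a stolen laptop) stays unreadable.
func (r KeyRing) Open(blob []byte) ([]byte, error) {
	if len(blob) < 1+nonceLen || r[blob[0]] == nil {
		return nil, errors.New("malformed blob or key version not on this ring")
	}
	return r[blob[0]].Open(nil, blob[1:1+nonceLen], blob[1+nonceLen:], blob[:1])
}
```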

NIST also established the Cryptographic Module Validation Program (CMVP) to test and validate that cryptographic modules function correctly and implement approved algorithms. Modules and their algorithms are tested for conformance with Federal Information Processing Standard (FIPS) 140-2.

Many federal agencies require FIPS 140-2 validation, contributor Ray Potter noted.

“Essentially this means that crypto is useless until proven otherwise, a blunt but accurate sentiment,” Potter wrote. “Other sectors have adopted the standard as their own, as well, with increasingly strict adherence in state and local government, finance, and utilities. Either encryption is validated or it is not. It’s very black-and-white.”

Specifically for the healthcare sector, NIST also released NIST SP 800-66: An Introductory Resource Guide for Implementing the HIPAA Security Rule.

“NIST security standards and guidelines (Federal Information Processing Standards [FIPS], Special Publications in the 800 series), which can be used to support the requirements of both HIPAA and FISMA, may be used by organizations to help provide a structured, yet flexible framework for selecting, specifying, employing, and evaluating the security controls in information systems,” the guide’s executive summary explained.  

Overall, healthcare organizations need to take the time to understand all available options to properly maintain ePHI security. Technology will only continue to evolve, and covered entities and their business associates are becoming more digital and connected – both to other organizations and in utilizing internet connected devices.

A ransomware attack could compromise data, but what if that data was already encrypted and therefore unreadable to the attacker? A laptop containing ePHI might be stolen, but what if the data on it is unreadable without the key?

HHS even notes in its ransomware guidance that if the ePHI was properly encrypted before an incident occurs, then it is not considered “unsecured PHI” and “the entity is not required to conduct a risk assessment to determine if there is a low probability of compromise, and breach notification is not required.”

Healthcare organizations should conduct thorough and regular risk analyses to properly determine how and where data encryption would be beneficial. Staying educated on all available options and any federal or state requirements will also help entities ensure ePHI security. While not technically required, data encryption is quickly evolving into a very necessary part of data security. 
