Healthcare providers and other covered entities under HIPAA regulations may have a new resource on healthcare data encryption standards from the National Institute of Standards and Technology (NIST).
NIST released the final draft of “NIST Cryptographic Standards and Guidelines Development Process” (NISTIR 7977), which describes the channels through which NIST establishes cryptographic standards and guidelines.
The document is part of NIST’s broader effort to produce cryptographic standards that organizations, including healthcare providers, can use to protect digitized information. In the final draft, NIST addresses the importance of encrypting sensitive data by transforming it into an unintelligible form that only a recipient holding the key can restore.
“Our goal is to develop strong and effective cryptographic standards and guidelines that are broadly accepted and trusted by our stakeholders,” NIST’s Chief Cybersecurity Advisor and Associate Director for the Information Technology Laboratory Donna Dodson said in a press release on NIST’s website. “While our primary stakeholder is the federal government, our work has global reach across the public and private sectors. We want a process that results in standards and guidelines that can be used to secure information systems worldwide.”
NIST produced a development process for cryptographic standards and guidelines based on nine principles, which are transparency, openness, balance, integrity, technical merit, global acceptability, usability, continuous improvement, and innovation and intellectual property.
Notably, NIST added the global acceptability principle to the final draft after public comments suggested that the organization address the global nature of the current economy and exchange of information.
The final document reiterates NIST’s intention to foster collaboration with all stakeholders, such as security professionals, researchers, standards developing organizations, and users, to establish strong encryption standards and processes. Stakeholders who contribute to the development process come from a variety of sectors, including healthcare, academia, and government.
Development guidelines state that NIST will support cryptographic standards that are user-friendly while creating secure systems for customers. NIST also reported that it will continually update its encryption algorithms and guidelines to account for evolving data security threats, changing regulations, and novel technologies.
Healthcare providers may want to be aware of NIST standards, guidelines, and supportive documents to help their practices stay updated with the most current healthcare data encryption standards.
Under the HIPAA Security Rule, healthcare providers that implement data encryption must encrypt ePHI using an algorithmic process that renders the health information unreadable and unusable to unauthorized users.
“Electronic PHI has been encrypted as specified in the HIPAA Security Rule by ‘the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key’ and such confidential process or key that might enable decryption has not been breached,” states the Department of Health and Human Services on its website.
While healthcare data encryption helps to protect ePHI, the HIPAA Security Rule classifies it as an addressable implementation specification rather than a required one. Addressable does not mean optional: a covered entity must assess whether encryption is reasonable and appropriate for its environment and either implement it or document why not and put an equivalent alternative measure in place. Healthcare providers are responsible for choosing the best method for implementing data encryption.
NIST intends to provide organizations with a flexible framework for developing industry-specific, comprehensive data security processes, including data encryption.
To further assist healthcare providers with selecting data security measures, the Office for Civil Rights published a crosswalk document that maps the HIPAA Security Rule to NIST’s Cybersecurity Framework. The document helps healthcare organizations to understand how NIST standards can be applied by HIPAA-covered entities.
Without proper data encryption methods, healthcare providers leave PHI and their organizations vulnerable to data security attacks.
According to a recent report from California’s attorney general, data encryption is imperative to protect personal information, especially as data breaches become more common. The report stated that about 18 million medical records in the state were involved in some type of healthcare data security incident from 2012 to 2015.
Researchers found that healthcare organizations are vulnerable to data breaches because more providers are using EHR systems, which are targeted by malware developers and hackers. More PHI is being transmitted and stored using EHRs, email, and other digital modes of communication and storage.
Healthcare providers are also susceptible to breaches stemming from lost or stolen devices, especially with the popularity of BYOD policies and mHealth technologies. Providers can store large volumes of PHI on smartphones, tablets, and other mobile devices and take those devices outside of the healthcare facility.
The healthcare field, like most other industries, strives to incorporate the newest technologies into its organizations. However, healthcare providers have a unique responsibility to protect PHI as health IT innovations are implemented.
Security measures, such as healthcare data encryption, may help healthcare organizations to confidently use novel technologies while knowing that PHI is being secured.