09-03-13 | Blog Post
Advocate Health Care marks the second largest HIPAA data breach since the breach notification rule was implemented in 2009, losing more than 4 million patient records in a theft of four unencrypted computers. The data included personally identifiable patient information as well as clinical data, including diagnoses and health insurance information.
A senior vice president from Advocate acknowledged that the sensitive data shouldn’t have been stored on the computers’ hard drives, but instead maintained on their secure network. One of the steps they’re taking toward remediation includes mapping its computer and software systems in order to identify where patient data is stored, and how to secure it. This is also one of the first steps that should be taken toward data encryption – classifying sensitive data and then selecting a proper encryption method is next.
One way to keep data protected on secure networks is by using SAN (storage area network) disk-level encryption that encrypts the data as it’s written to disk. With an enterprise-class private cloud, your compute, memory and disk performance is completely dedicated to your organization – no sharing of resources.
Encryption of data at rest and in transit is highly recommended to meet HIPAA standards §164.312(a)(2)(iv) and §164.306(e)(2)(ii) for encryption of electronic protected health information (ePHI) anywhere data is also stored or archived as backups.
If you’re a healthcare organization seeking an encrypted data and application hosting solution, ask your HIPAA cloud hosting provider if they are able to provide encryption, and if they provide encrypted offsite backup. Without encryption, your data may be at risk if accessed by unauthorized users, and you are subject to the HIPAA Breach Notification Rule that requires public notification for data breach affecting over 500 individuals.
However, encryption can’t do it all – for a layered security approach, consider enlisting other data security tools such as File Integrity Monitoring (FIM), a Web Application Firewall (WAF), Daily Log Review and other technical security services.
Upcoming HIPAA Encryption Webinar
Want to learn more the HHS’s encryption standards for securing PHI? Join our upcoming webinar, Removing the ‘Cryptic’ from ‘Encryption’ – HIPAA and the Meaning of Secure PHI, hosted by Online Tech’s April Sage and Brian Balow of Dickinson Wright, an attorney focused on IT, healthcare law and intellectual property. Held Tuesday, September 17 @2PM ET, it’s free to join and we encourage submitting your questions about HIPAA encryption in advance. Sign up online here.