08-20-13 | Blog Post
Earlier this year, OCR (Office for Civil Rights) Director Leon Rodriguez was quoted on the topic of HIPAA encryption: “…regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information. Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”
This was in response to the first HIPAA breach settlement involving a case affecting fewer than 500 patients, in which an unencrypted laptop was stolen. The hospice company had never conducted a HIPAA risk analysis and had no mobile device security policies or procedures in place. As the first step toward implementing HIPAA safeguards, all healthcare organizations should conduct a risk analysis with these nine components:
This list is only a high-level overview of the necessary components; for complete details, read our guide What’s in a HIPAA Risk Analysis? To find out what type of mobile device security policies and procedures to enforce in your workplace, read our Mobile Security White Paper.
HIPAA Encryption of Data at Rest and In Transit
Encrypting the devices themselves is the direct way to prevent unauthorized access to electronic protected health information (ePHI) on a lost or stolen laptop. Encrypting data at rest and in transit at the storage level complements this: ePHI kept in a secure, HIPAA compliant data center, encrypted on the storage layer and accessible only to a limited number of people, is far less likely to end up on a portable device in the first place. A data center operator can have its facilities and server hosting services tested by contracting an independent third-party auditor that assesses the operator’s security practices against the OCR HIPAA Audit Protocol.
Particularly in the cloud, encryption is an important part of keeping data safe and in compliance with the HIPAA Security Rule. A HIPAA compliant cloud should encrypt data at rest, including backups and archives kept as part of an IT disaster recovery plan, since a backup tape or replica that leaves the facility is exposed in exactly the way a stolen laptop is. It should also encrypt data in transit, so that ePHI is protected on the network as well as on disk.
Ensuring Performance and Security with HIPAA Encryption in the Cloud
However, encryption in the HIPAA cloud often comes at the expense of computing performance, since it takes significant processing power, according to SearchCompliance.TechTarget.com. Partnering with a cloud service provider that offers enterprise-class infrastructure and can encrypt without degrading performance is key to supporting health IT.
Not all clouds are built the same. One example of enterprise-class infrastructure is the EMC VMAX 10K storage array, which supports Data at Rest Encryption implemented within the platform. With an encrypted storage platform, data is encrypted as it is written to the drives and decrypted as it is read back, with no impact on performance or on local or remote replication, according to EMC.com. The array is attached to servers over a SAN (storage area network), a dedicated high-speed network that connects storage devices such as disk arrays to servers to facilitate data transfer. Note what this does and does not protect: because the array decrypts on every read, hosts and applications see plaintext, so array-level encryption guards against drives that are lost, stolen, returned for service or retired, not against an attacker who has compromised a host or a user account with access to the volume. Access control, logging and application- or database-level protections still have to cover that case.
HIPAA Encryption Standards
The encryption used by EMC VMAX is AES (Advanced Encryption Standard) with 256-bit keys. AES is the algorithm specified by the National Institute of Standards and Technology (NIST) in Federal Information Processing Standards Publication 197, and the cryptographic modules that implement it are validated under FIPS 140-2, so a vendor’s FIPS 140-2 validation is the thing to ask for. In its guidance under the HIPAA Breach Notification Rule, the Dept. of Health and Human Services points to NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices (PDF), for data at rest; PHI encrypted in line with that guidance is not considered “unsecured”, so its loss does not trigger breach notification, provided the decryption key was not compromised along with the data. Within that document, NIST recommends using the AES algorithm due to its strength and speed.
Encrypting enterprise storage reduces the chance of exposing sensitive data on stolen or lost media, and the same reasoning applies with even more force to portable devices such as laptops. Had the hospice’s ePHI been kept in an encrypted HIPAA cloud infrastructure and accessed from there, instead of being copied to an unencrypted laptop, the theft would not have exposed readable patient data, and the breach and the resulting settlement might have been avoided.
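The property the breach safe harbor rests on, encrypted media being worthless without a key held elsewhere, is easy to see in code. The following is an added example, not Online Tech’s or EMC’s code: AES-256-GCM envelope encryption in Go, with the data-encryption key (DEK) wrapped under a key-encryption key (KEK) that lives off the media. The sample ePHI lines are constructed for the demonstration, and the KEK store (key manager or HSM) is assumed rather than implemented; in production the KEK is fetched from there, never stored beside the image.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample ePHI standing in for a backup image; not real data.
var sampleBackup = []byte("MRN=000123;NAME=J. DOE;DOB=1970-01-01\nMRN=000124;NAME=R. ROE;DOB=1985-06-15\n")

// EncryptedBackup models an encrypted image or volume: the payload is sealed under a
// per-image DEK; the DEK is stored only wrapped under a KEK held off the media.
type EncryptedBackup struct {
	WrappedDEK []byte // DEK sealed under the KEK; safe to keep beside the data
	Payload    []byte // nonce || ciphertext || GCM tag
}

// NewKey returns a random 32-byte key, i.e. AES-256 (FIPS 197).
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prepends the random 96-bit nonce. A random
// nonce must never repeat under one key, so each image gets a fresh DEK.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; the GCM tag makes it fail closed on a wrong key or a modified blob.
func open(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to hold a nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Encrypt seals plaintext under a fresh DEK and stores the DEK wrapped under kek.
func Encrypt(kek, plaintext []byte) (*EncryptedBackup, error) {
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return nil, err
	}
	payload, err := seal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	return &EncryptedBackup{WrappedDEK: wrapped, Payload: payload}, nil
}

// Decrypt unwraps the DEK with kek, then decrypts the payload.
func Decrypt(kek []byte, b *EncryptedBackup) ([]byte, error) {
	dek, err := open(kek, b.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, b.Payload)
}

func main() {
	kek, _ := NewKey() // assumption: in production this comes from the key manager
	img, _ := Encrypt(kek, sampleBackup)
	pt, err := Decrypt(kek, img) // authorised restore holding the KEK
	fmt.Printf("with KEK: %q %v\n", pt, err)
	wrongKEK, _ := NewKey() // a thief has the tape or drive but not the KEK
	_, err = Decrypt(wrongKEK, img)
	fmt.Println("without KEK:", err)
	img.Payload[len(img.Payload)-1] ^= 0x01 // tampered ciphertext: GCM tag fails
	_, err = Decrypt(kek, img)
	fmt.Println("after tampering:", err)
}
```

The three runs in main are the three cases that matter for the safe harbor: the authorised reader recovers the records, a thief holding only the media (the wrapped DEK and the ciphertext) gets an authentication error, and a modified image is rejected rather than silently restored. If the KEK were written onto the same volume, the first and second cases would collapse into one, and the encryption would no longer satisfy the HHS condition that the key has not been compromised along with the data.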
Upcoming HIPAA Encryption Webinar
Want to learn more about HHS’s encryption standards for securing PHI? Join our upcoming webinar, Removing the ‘Cryptic’ from ‘Encryption’ – HIPAA and the Meaning of Secure PHI, hosted by Online Tech’s April Sage and Brian Balow of Dickinson Wright, an attorney focused on IT, healthcare law and intellectual property. Held Tuesday, September 17 @2PM ET, it’s free to join, and we encourage submitting your questions about HIPAA encryption in advance. Sign up online here.
Related Articles:
High-Capacity, Encrypted HIPAA Clouds for Medical Imaging Data Security
A recent healthcare data breach was reported by HealthDataManagement.com as a result of a stolen unencrypted laptop, a component of a diagnostic imaging machine. Retinal Consultant Medical Group notified patients that their names, DOBs, gender, race and optical coherence tomography …
HIPAA Encryption: First Steps to Identifying and Securing Health Data
According to DetroitNews.com, personal information of 49,000 individuals – including names, SSNs, DOBs, cancer screening test results and dates of completion – was accessed by hackers recently. The data resided in a password-protected area of the Michigan Cancer …
Encrypting Backup Data for HIPAA and PCI Compliance
Stored data is a top target for hackers, especially the type of data that can be used for fraud and medical identity theft – within the healthcare industry in particular, encrypting stored data to meet HIPAA compliance is one way …
References:
HHS Announces First HIPAA Breach Settlement Involving Less Than 500 Patients
EMC Symmetrix Data at Rest Encryption (PDF)
EMC Symmetrix VMAX 10K (PDF)
Federal Information Processing Standards Publication 197: AES (PDF)
Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals