Read to learn how to keep your patients’ protected health information (PHI) safe.
This post contains the text from the White Paper: Medical Data Encryption 101.
If an attacker breaks into, or walks off with, a work device, encryption leaves the files unreadable: without the decryption key they are nothing but an unusable string of indecipherable characters. From a security standpoint, encryption is essential to keeping your patients’ protected health information (PHI) safe.
Unencrypted data has been the cause of HHS fines after breaches. Those breaches have cost organizations thousands of dollars in fines and the loss of patient trust.
With this danger in mind, HIPAA requires healthcare entities to “implement a mechanism to encrypt and decrypt electronic protected health information” (§164.312(a)(2)(iv)). Electronic PHI that is created, stored or transmitted on your systems and work devices (e.g., mobile phones, laptops, desktops, flash drives, external hard drives) should be encrypted.
ONLY 63% OF HEALTHCARE ORGANIZATIONS ENCRYPT PHI ON THEIR WORK DEVICES.
To encrypt PHI properly, you have to understand how medical data flows within your organization, especially where PHI is stored and where it is transmitted. To make sure all necessary data is encrypted, begin with a diagram that documents how PHI travels through your organization.
Identify every point where PHI is created or enters your entity. Those entry points are where your encryption practices have to start.
Consider the following questions about where your electronic PHI enters your environment:
When PHI leaves your organization, it is your job to ensure it is transmitted, or destroyed, in the most secure way possible. In particular, you remain responsible for how your business associates handle your PHI, alongside the obligations the business associates themselves carry.
Here are some things to consider when PHI leaves your environment:
You need to know exactly what happens to PHI after it enters your environment. Is it automatically stored in your EHR/EMR system? Is it copied and transferred directly to a specific department (e.g., accounting, marketing)?
Additionally, you must record all hardware, software, devices, systems, and data storage locations that can access PHI. PHI is commonly stored in the following places:
Once these flows are documented, look for the gaps: every place where PHI sits at rest or travels unencrypted. Then encrypt it.
Even though HIPAA lists encryption as an addressable item (§164.312(a)(2)(iv), §164.312(e)(1), §164.312(e)(2)(ii)), HHS has made it very clear that it expects encryption to be implemented. “Addressable” means you may only skip it if you document why it is not reasonable and appropriate for your environment and put an equivalent alternative control in place.
Sometimes, a process you think is a valid method of encryption is far from it. We have run into entities that produce a spreadsheet with PHI in it, then say, “See, I encrypt it when I make the cell smaller and the numbers change to ‘###’.” Just to be clear, this is not encryption. Narrowing a column only changes how the spreadsheet displays the value; the data is still stored in the cell in clear text and is easy to read even if you can’t see it on screen.
There are three common data handling processes that are often confused: masking, hashing, and encrypting. Let me break them down for you:
You should have encryption anywhere PHI is stored so the data requires a decryption key to view it. Most computer systems
–Trevor Hansen
Principal Security Analyst | CISSP | CISA | QSA
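To make the masking/hashing/encryption distinction concrete, here is a small Go program (an added example, not code from the white paper or from SecurityMetrics) run against a constructed, fictitious SSN. Masking hides digits on screen while the caller still holds the real value; hashing is one-way and can only be used to match values, never to read them back; encryption is reversible, but only for whoever holds the key, and AES-GCM also refuses to decrypt anything that has been tampered with or encrypted under a different key. The key here is generated in memory for the demo; in a real system it lives in a key management service, separate from the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample value for the demo; not a real patient identifier.
const sampleSSN = "123-45-6789"

// Mask is display-only: it hides all but the last four characters on screen,
// but the caller still holds the original value. Anyone with access to the
// underlying field can read it. This is what the "###" spreadsheet cell does.
func Mask(ssn string) string {
	if len(ssn) <= 4 {
		return strings.Repeat("#", len(ssn))
	}
	return strings.Repeat("#", len(ssn)-4) + ssn[len(ssn)-4:]
}

// Hash is one-way: the same input always gives the same output, so it is useful
// for matching ("have we seen this SSN before?"), but it cannot be reversed.
// A keyed hash (HMAC-SHA256) is used instead of a plain SHA-256 because SSNs have
// a tiny keyspace (~10^9), and an unkeyed hash of one could be brute-forced.
func Hash(key []byte, ssn string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(ssn))
	return hex.EncodeToString(mac.Sum(nil))
}

// Encrypt is two-way with a key: AES-256-GCM provides both confidentiality and
// integrity. A fresh random 12-byte nonce is generated per message and prepended
// to the ciphertext so Decrypt can recover it.
func Encrypt(key []byte, plaintext string) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(plaintext), nil), nil
}

// Decrypt reverses Encrypt. With the wrong key, or a ciphertext that has been
// modified, GCM's authentication check fails and no plaintext is returned.
func Decrypt(key, ciphertext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // demo only: a real key comes from a key manager
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	fmt.Println("masked:   ", Mask(sampleSSN))
	fmt.Println("hashed:   ", Hash(key, sampleSSN))
	ct, err := Encrypt(key, sampleSSN)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted: %x\n", ct)
	pt, _ := Decrypt(key, ct)
	fmt.Println("decrypted:", pt)
	wrongKey := make([]byte, 32) // all zeros: a different key
	_, err = Decrypt(wrongKey, ct)
	fmt.Println("wrong key:", err) // authentication failure, not garbage plaintext
}
```

The point to take from the output: the masked value still has the real digits behind it, the hash can never give the digits back at all, and only the encrypted form gives the data back to a holder of the key while refusing everyone else.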
Encryption on mobile devices has historically been weaker and less consistent than on laptops and desktops, because what actually gets encrypted depends on the platform version, the device hardware, and whether a passcode is set at all.
Mobile device encryption is only as strong as the device’s passcode, since the file encryption keys are derived from it (entangled with a hardware key on the device). At the time this paper was written, Apple’s Data Protection API covered the built-in Mail application on iPhones and iPads, and only once a passcode was enabled; it did not apply to calendars, contacts, texts, or anything synchronized with iCloud, and only the few third-party applications that adopted the API protected their own data. Newer iOS versions apply file-level Data Protection to app data by default, but the protection class is still chosen per file and still depends on the passcode, so verify what a given app and OS version actually protect rather than assuming.
Even where a device’s built-in encryption falls short of HIPAA best practice recommendations, there are other options for further securing a mobile device. Security best practice is to develop and implement appropriate mobile security policies such as:
According to the HHS Breach Portal, over 100 organizations since 2009 have had PHI exposed because of inadequate email encryption. Healthcare organizations must “implement a mechanism to encrypt electronic protected health information whenever deemed appropriate” (§164.312(e)(2)(ii)); sending PHI through consumer email services (e.g., Gmail, Outlook, AOL) without additional encryption is a case where it is clearly appropriate.
Organizations can send PHI via email, if it is secure and encrypted. According to the HHS, “the Security rule does not expressly prohibit the use of email for sending ePHI. However, the standards for access control, integrity and transmission security require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to ePHI.”
Due to the nature of email and the struggles to properly secure it through encryption, consider avoiding the transmission of PHI via email whenever possible.
The use of patient portals is preferred for sending information to patients, and secure file transfer options are preferred for covered entity to covered entity or covered entity to business associate communications.
If you are determined to use an Internet-based email service (e.g., Gmail, Hotmail, AOL), ensure the provider will sign a Business Associate Agreement (BAA) with you. Consumer accounts generally are not covered; a BAA is typically only offered on the business or enterprise tier of such services. Understand that a BAA doesn’t reduce your liability. The Omnibus Rule states that the covered entity is still ultimately responsible for protecting that patient data and for ensuring the business associate does its part.
Encryption is vital to protecting your patients’ data. Make sure you adequately map out where PHI enters your environment, what happens once it is inside (and where it is stored), and where it exits your environment or organization. HIPAA does not name a required algorithm, but HHS’s breach guidance points to NIST SP 800-111 for data at rest and to TLS configured per NIST SP 800-52 for data in transit. In practice that means AES-128 or AES-256 in an authenticated mode such as GCM, with keys stored and managed separately from the data they protect.
We help customers close security and compliance gaps to avoid data breaches. Our forensic, penetration testing, and audit teams identify security best practices and simplify compliance mandates (PCI DSS, HIPAA, HITRUST, GDPR). As an Approved Scanning Vendor, Qualified Security Assessor, and Certified Forensic Investigator, we have tested over 1 million systems for security.