You should start by differentiating between data at rest and data in motion.
Encryption has been, and will continue to be, a key focus area for healthcare data security. While still unpopular with many organizations, the feds at least have determined it to be the only failsafe mechanism available to protect patient information. As a result, we have encryption requirements in just about every piece of regulation that deals with the protection around electronic protected health information (ePHI). That includes HIPAA, HITECH, meaningful use and breach notification. It’s also a required feature in certified electronic health records (EHRs) and electronic medical records (EMRs).
One very important aspect that hasn't changed, though, is that despite how often it is referenced in regulations and standards, encryption is still an addressable standard, meaning we still have flexibility in its use. That flexibility is not only appropriate, but very important. When people advocate “encrypt, encrypt, encrypt,” it demonstrates a lack of understanding of the implications and many different applications of encryption.
When considering encryption, we need to differentiate between data at rest and data in motion. (Note: Data on a laptop or thumb drive is not data in motion). Data at rest is information stored on either a device or some form of media. It is not physically moving. That device could be a server in a data center, a mobile device of infinite variety, a storage disk or a tape backup, to name a few formats. Servers in a data center may or may not require encryption of the data due to the overall strength of all other controls. Encrypting data at rest can sometimes have the unintended consequence of impacting performance of applications, particularly as it relates to response time – something that users tend to frown on. Therefore, organizations may choose not to encrypt data in the data center, identifying other controls as reasonable alternatives for that data’s protection. That does not extend to media, particularly media that moves in and out of the data center or is stored off site, either permanently or temporarily. However, here again alternative measures may be used, such as replacing tapes with a disk-to-disk backup of data to a different site.
One exception to this is data stored by a third party, such as a cloud provider or hosting site. While they may have adequate security as well on their data center, organizations should consider encrypting protected health information that is within their control because cloud providers typically do not have a need to know what the data is to perform their function.
Sensitive data at rest on mobile devices or removable media absolutely needs to be encrypted. This is one area where the standard is still addressable, but the requirement is really not. What I mean is the standard of care for sensitive information stored on removable media or mobile devices is that it should be encrypted. You only have to take a second and look at the Office For Civil Rights reporting of incidents and breaches to understand the impact of lost or stolen devices.
So if it is a laptop, a tablet, a phone, a disk, a CD, a thumb drive, etc. and it has PHI on it, make sure it’s encrypted. One caveat to this is when providing medical information to a patient who has requested it. In this case, you may provide that information via disk, thumb drive or CD in an unencrypted form. It is important that the patient is alerted of the risks of doing so, and that his or her request is documented. This was updated in the Omnibus Rule.
Data in motion also needs to be encrypted for personal communications such as email and texting, as well as organizational or batch communications such as facsimile, FTP, etc. Texting is the newest challenge we have in healthcare with respect to secure data transfer. The capabilities of today’s smartphones have made them powerful tools for communication and have already become an integral part of the workflow of healthcare professionals. These devices can be and are used to transmit information, data files, images, etc., and much of this information is protected health information. There are secure texting applications available now that protect these communications by encrypting them appropriately.
Last, but not least, we need to address the level of encryption used in applications and products that are acquired and used by service providers. Meaning, if we want to take advantage of safe harbor and avoid notifications, we need to ensure that the encryption used meets the appropriate NIST guidance and the FIPS 140-2 requirement. For third-party vendors, particularly those that host systems or data, written assertion that they are employing encryption solutions that meet the standard should be mandatory for contract award/continuation.
Developing an appropriate encryption strategy is no trivial process in today’s complex healthcare information technology environment. This is becoming even more challenging with the advent of bring your own device (BYOD), Web applications, mobile applications portal interfaces, etc. The right strategy today is a combination of multiple technologies and controls in an integrated approach. Encryption is an important component of our data protection approach, but not the only tool in our toolbox.
About the author
Mac McMillan is chairman, CEO and co-founder of CynergisTek and current chair of the HIMSS Privacy & Security Policy Task Force. To learn more about CynergisTek, go to www.cynergistek.com.