
Can Data Encryption Make You Safe?

For good reason, many healthcare providers are increasingly concerned about protecting their patients' information. That is not surprising, considering the almost daily deluge of news about healthcare organizations being hacked or held hostage by the latest variants of ransomware, not to mention the recent launch of the next round of federal HIPAA audits.

While there is no silver bullet to protect your sensitive data, there are a few cost-effective steps every practice should take to reduce their security risks. One commonly discussed method is data encryption. Encryption is readily available and, in many cases, it is free. For example, BitLocker is a free encryption tool that Microsoft includes with many of its products.


To understand more about how encryption can protect you, let us consider two basic uses: encrypting data at rest and encrypting data in transit. Data at rest refers to stored data on your Electronic Medical Record (EMR) server (local or offsite), flash drives, Picture Archiving and Communication Systems (PACS), and other storage media. Conversely, data in transit refers to data being transmitted over an electronic medium. A few examples of encrypted data in transit include Secure Sockets Layer (websites using HTTPS), Virtual Private Network (VPN) tunnels, Secured File Transfer Protocol (FTPS) for file transfers, and Wi-Fi Protected Access 2 (WPA2) for wireless transmissions. For HIPAA compliance, your office should have a data transmission policy, and the recipients of that transmitted data should be included in your Risk Assessment.

Because data at rest is almost always going to be your responsibility to protect, there are a number of options to consider when implementing encryption. For example, encryption can be implemented on a hard drive, on a database, on a folder, or even on an individual file. Each option has different implications regarding overall security, performance degradation, and ease of access for authorized users. To make things even more complicated, it is also possible to implement combinations of the above. The best solution typically balances these considerations. If that is not confusing enough, consider the potential of getting locked out of your own data. Many encryption tools require you to safely store a printed copy of the decryption key (a.k.a. recovery key). If you lose this key, or fail to print it, you could be locked out of your data – forever. For this reason and others, we strongly recommend working with an experienced IT professional prior to implementing any level of encryption on your sensitive data.

If you do decide to implement encryption on your own, we strongly urge you to have a current and functional backup. To ensure things are functioning properly, restore a few files as a test to confirm that those files are accessible. Determine what you are going to encrypt, what technology you will use, what level of encryption you need, and who will have access to the data going forward. Document all of it.
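As an added example that is not part of the original article, the PowerShell audit below shows what "confirming the recovery key exists and is stored" looks like in practice for the BitLocker tool the article names: it checks every volume, warns about unencrypted or suspended volumes, adds a numeric recovery password protector where one is missing, and writes the recovery passwords to a file for printing. It assumes the BitLocker PowerShell module is present (Windows Pro/Enterprise), an elevated session, and a report path of your choosing (the path used here is a placeholder).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): audit BitLocker volumes and make sure a
# recovery password (the "recovery key" you must print and store safely) exists.
Import-Module BitLocker

# Assumed location for the printable report; move it off the protected disk
# (or print and delete it) once the keys are stored in a safe place.
$reportPath = 'C:\BitLockerAudit\recovery-keys.txt'
New-Item -ItemType Directory -Path (Split-Path $reportPath) -Force | Out-Null

foreach ($vol in Get-BitLockerVolume) {
    $mp = $vol.MountPoint
    Write-Host ("{0}: VolumeStatus={1} ProtectionStatus={2} Method={3}" -f
        $mp, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod)

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # Per the article: take and test a backup before enabling encryption here.
        Write-Warning "$mp is not encrypted; verify a restorable backup before running Enable-BitLocker."
        continue
    }

    # Look for a numeric recovery password among the volume's key protectors.
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $recovery) {
        Write-Warning "$mp has no recovery password protector; adding one."
        Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
        $recovery = (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
                    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }

    # Record each recovery password with its protector ID so it can be printed
    # and matched to the prompt BitLocker shows during recovery.
    foreach ($kp in $recovery) {
        "$env:COMPUTERNAME $mp $($kp.KeyProtectorId) $($kp.RecoveryPassword)" |
            Add-Content -Path $reportPath
    }

    if ($vol.ProtectionStatus -ne 'On') {
        # Encrypted but protectors are suspended: data is readable without a key.
        Write-Warning "$mp is encrypted but protection is suspended; run Resume-BitLocker -MountPoint $mp."
    }
}

Write-Host "Recovery passwords written to $reportPath. Print it and store the copy with your documented encryption plan."
```

On a domain-joined machine the same protector can also be escrowed with Backup-BitLockerKeyProtector instead of, or in addition to, the printed copy.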

Is encryption something you should implement? Generally speaking, the answer is "absolutely." Is encryption the Holy Grail of protection for your PHI? Actually, the answer is "no." At a recent healthcare information security conference in Washington, DC, Kevin Stine, manager of Security Outreach for the National Institute of Standards and Technology, was quoted as saying encryption is not a panacea for all cybersecurity ills. Outsiders who steal authorized users' access credentials will still have unfettered access to the encrypted data. Regardless of what cybersecurity measures you implement, the weakest links in your security chain are your authorized users. While implementing encryption is a step even the smallest of healthcare offices should take, failing to create a security-aware and cautious workforce is still your most likely point of failure.

Jeff Mongelli is CEO of Acentec, Inc., a nationwide provider of HIPAA compliance and medical IT management services.