If you are involved in data security for healthcare organizations, you may wonder why regulations and legal liability play such an important role for your organization when choosing its data transfer technologies.
One of the biggest stressors for healthcare IT departments is compliance with data security regulations such as the Health Insurance Portability and Accountability Act (HIPAA).
Even potential HIPAA violations are penalized, because the rules are strict. In 2019, the University of Rochester Medical Center (URMC) paid $3 million to the HHS Office for Civil Rights (OCR) to settle potential HIPAA violations after an unencrypted flash drive was lost and an unencrypted laptop containing patient data was stolen.
The losses themselves, and URMC’s handling of them, were what produced the settlement.
HIPAA Rules and Security Requirements
HIPAA has three fundamental rules to protect patients and their information:
- Privacy Rule: governs who may use and disclose protected health information (PHI) and what rights patients have over it
- Breach Notification Rule: how organizations must report breaches of unsecured PHI to the Department of Health and Human Services (HHS) and to affected patients
- Security Rule: establishes administrative, physical and technical safeguards for storing and transmitting electronic PHI (ePHI)
These rules make organizations responsible for the privacy and security of ePHI and for anticipating and protecting against threats to it. They do not, however, prescribe a particular protocol, technology, or standard for doing so. As cybersecurity threats evolve, the technologies used to meet HIPAA must evolve with them. Rather than naming required encryption algorithms, which would have tied the rule to technologies that age, the Security Rule is written to be technology-neutral: it requires safeguards that are reasonable and appropriate for the risk, and HHS guidance points to NIST (the National Institute of Standards and Technology) publications, such as SP 800-111 for storage encryption and SP 800-52 for TLS, for what currently counts as adequate. This keeps the rule sustainable as algorithms and protocols change.
Entities can choose the most appropriate solution for their situation and apply it to their system.
HIPAA compliance calls for different encryption controls depending on whether data is “at rest” or “in transit.”
At rest: Data is inactive, stored on a hard drive or SSD, or on a device like a tablet. It should be protected by strong, current cryptography: full-disk or virtual-disk encryption on servers and workstations, and device encryption on phones and tablets (if applicable).
In transit: Data actively moves between a sender and a destination, such as via email, transmission to the cloud, or between a server and a mobile device.
HIPAA compliance is commonly met with AES-256, which is infeasible to brute-force and is approved by the US government for protecting classified information. TLS (Transport Layer Security) is the standard protocol for protecting data in transit: it underlies HTTPS, email transport (SMTP, IMAP) and most messaging services, and its cipher suites typically use AES, including AES-256-GCM, as the bulk cipher, combined with authenticated key exchange and certificate-based server identity.
OpenPGP and S/MIME can also satisfy HIPAA for end-to-end email protection, but they bring public-key management requirements that many organizations find laborious compared with plain AES-256 at rest and TLS 1.2 or 1.3 in transit.
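As an added example (not code from the original article), the following Go program implements the two controls described above: AES-256-GCM for an ePHI record at rest, with the record identifier bound as authenticated data so a ciphertext cannot be silently moved onto another patient’s record, and a TLS configuration that sets TLS 1.2 as the floor and lists only AEAD cipher suites. The patient record, the record ID and the in-process random key are constructed for illustration; a real deployment would source the key from a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
)

// Added example, not code from the original article: AES-256-GCM for ePHI
// at rest and a TLS config with a TLS 1.2 floor for ePHI in transit. Key
// management is simplified; a production system would fetch the key from a
// KMS/HSM and track its key ID for rotation (assumption).

const keyLen = 32 // a 32-byte key selects AES-256

// NewKey returns a fresh random AES-256 key.
func NewKey() ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord seals one ePHI record with AES-256-GCM. recordID is bound
// as additional authenticated data, so a ciphertext copied onto another
// patient's record fails to decrypt. Layout: nonce || ciphertext || tag.
func EncryptRecord(key, recordID, plaintext []byte) ([]byte, error) {
	if len(key) != keyLen {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Fresh random 96-bit nonce per record; nonce reuse under one key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, recordID), nil
}

// DecryptRecord reverses EncryptRecord; any change to nonce, ciphertext,
// tag or recordID makes Open fail with an error instead of returning data.
func DecryptRecord(key, recordID, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], recordID)
}

// TransitConfig is the in-transit side: TLS 1.2 as the floor (1.3 is
// negotiated when both peers support it) and AEAD-only suites for 1.2.
// Go fixes the TLS 1.3 suites itself, so only 1.2 suites are listed.
func TransitConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record, not real patient data.
	recordID := []byte("patient:0001/visit:2024-03-05")
	sealed, err := EncryptRecord(key, recordID, []byte(`{"name":"A. Example","dx":"J45.20"}`))
	if err != nil {
		panic(err)
	}
	opened, err := DecryptRecord(key, recordID, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip ok: %s; TLS floor 0x%04x\n", opened, TransitConfig().MinVersion)
}
```

Run it with `go run`. Decryption fails with an error, rather than returning garbage, if the nonce, ciphertext, tag or record ID has been altered; that authenticity check is the reason to prefer GCM over unauthenticated modes such as CBC for ePHI.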
The common recommendation is therefore AES-256 for data at rest and TLS (version 1.2 as the minimum) for data in transit. Encryption is not the only security measure, though; it is equally important to identify and mitigate the weaknesses around it:
- Staffing and training (social engineering): It’s cliché but it’s true, humans are the weakest link in cybersecurity, and the health services sector is no exception.
- Lost or Stolen Devices: As previously mentioned, lost laptops, USB drives, phones, or other devices containing ePHI can result in seven-figure payouts.
- Third-Party Partners: Any third-party cloud or IT service provider handling ePHI is a business associate under HIPAA, must sign a business associate agreement, and must meet the same technical security standards as the healthcare provider or service it works with.
- Insecure email systems/servers: If anyone in your organization is still using email clients or servers that do not enforce TLS, retire them.
- Weak encryption: Algorithms and protocols once considered adequate, such as DES, RC4, SSL 3.0 and TLS 1.0, are practically broken today, and a large quantum computer would eventually break the RSA and elliptic-curve key exchange that TLS relies on (AES-256 itself is expected to hold up; NIST is standardizing post-quantum replacements for key exchange).
- Out-of-date encryption keys and certificates: Keys used beyond the NIST-recommended cryptoperiod or kept in service after a breach, and expired or never-rotated certificates, leave an organization exposed even when the algorithms are sound.
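As an added example (not code from the original article) for the last two items, here is a Go inventory check that flags data-encryption keys past their cryptoperiod or exposed in a breach, and server certificates that are expired or inside a warning window. The key inventory, the cryptoperiods and the self-signed certificate are constructed for illustration; in practice the key metadata would be exported from the KMS and the certificate fetched from the server or certificate inventory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Added example, not code from the original article: an inventory check
// that flags keys past their cryptoperiod or exposed in a breach, and
// certificates that are expired or about to expire. All metadata below is
// constructed; a real run would export it from the KMS (assumption).

// KeyRecord is the metadata the check needs about one encryption key.
type KeyRecord struct {
	ID          string
	Created     time.Time
	MaxAge      time.Duration // cryptoperiod chosen in the risk analysis
	Compromised bool          // key was live on a system confirmed breached
}

// KeysToRotate returns the IDs of keys that must be retired at 'now':
// any compromised key, and any key older than its cryptoperiod.
func KeysToRotate(keys []KeyRecord, now time.Time) []string {
	var due []string
	for _, k := range keys {
		if k.Compromised || now.Sub(k.Created) > k.MaxAge {
			due = append(due, k.ID)
		}
	}
	return due
}

// CertStatus classifies a certificate at 'now': "expired", "expiring"
// (less than warn remaining) or "ok".
func CertStatus(cert *x509.Certificate, now time.Time, warn time.Duration) string {
	switch {
	case !now.Before(cert.NotAfter):
		return "expired"
	case cert.NotAfter.Sub(now) < warn:
		return "expiring"
	default:
		return "ok"
	}
}

// SelfSignedCert builds a throwaway server certificate with the given
// validity so the check runs offline; it stands in for a real cert.
func SelfSignedCert(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "ehr.example.invalid"}, // constructed name
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	year := 365 * 24 * time.Hour
	// Constructed inventory, not data from any real organization.
	keys := []KeyRecord{
		{ID: "dek-2021", Created: now.Add(-3 * year), MaxAge: 2 * year},
		{ID: "dek-2023", Created: now.Add(-year), MaxAge: 2 * year},
		{ID: "dek-2024", Created: now.Add(-30 * 24 * time.Hour), MaxAge: 2 * year, Compromised: true},
	}
	fmt.Println("rotate:", KeysToRotate(keys, now))

	cert, err := SelfSignedCert(now.Add(-year), now.Add(10*24*time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println("certificate:", CertStatus(cert, now, 30*24*time.Hour))
}
```

The cryptoperiod is deliberately an input rather than a constant: NIST SP 800-57 gives ranges that depend on the key type and how much data it protects, and the value an organization settles on should be recorded in its risk analysis, which is what makes the documentation defensible under the Security Rule.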
HIPAA’s technical safeguards can be confusing because the encryption specifications are “addressable” rather than “required.” The wording for transmission encryption in 45 CFR §164.312(e)(2)(ii) is simply: “Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.”
In this context, “addressable” does not mean optional: the covered entity must either implement the safeguard, implement an equivalent alternative measure, or document a justifiable reason why the safeguard was not employed.
For example, ePHI exchanged between systems on an internal network behind a firewall may, after risk analysis, be judged to face little risk of interception from outside. Communications containing ePHI that leave that protected boundary, however, must be encrypted or covered by a documented equivalent measure.
Entities may only transmit ePHI via email over open networks if that information is adequately protected.
A risk analysis should be carried out to determine the risks to the confidentiality, integrity, and availability of ePHI so that a risk management plan can be designed to reduce these risks to an appropriate level.
Universal message encryption is a common method of risk management, although equivalent levels of protection can be used in place of encryption.
Much like lost or stolen laptops and USB drives, personal mobile devices in the workplace can compromise the confidentiality of PHI.
About 4 in 5 healthcare professionals use a tablet for workflow management. Banning personal or unencrypted devices outright would cause massive disruption to communication, as well as to other aspects of the industry.
Secure messaging platforms offer a possible solution to this problem because they comply with HIPAA encryption requirements by encrypting PHI at rest and in transit.
Communications containing PHI are unreadable to anyone who intercepts them or gains unauthorized access to the device. Such platforms, like secure email solutions, meet not only HIPAA’s encryption requirements but also its access control, audit control, integrity, and person or entity authentication requirements.
This solution is much more useful than pagers because it allows medical information (including images) to be shared securely.
As technology advances and cybercrime becomes more sophisticated, the need to comply with HIPAA and other legislation to preserve patients’ protected health information in transit will only increase.