Healthcare encryption standards
(Last updated on September 26, 2019)
The need for endpoint encryption has skyrocketed, with stolen devices making up 45 percent of healthcare data breaches. According to the HIPAA Journal, the loss or theft of unencrypted electronic devices containing electronic protected health information (ePHI) was one of the three main causes of security breaches in healthcare between 2015 and 2017. However, many health organizations still don’t have encryption in place because they do not understand the requirements of the Health Insurance Portability and Accountability Act (HIPAA).
Why is the healthcare industry interested in encryption? Encryption is the process of converting data into an unreadable format to protect it. Only those that have a decryption key would be able to convert it back to its original form. This simple measure would prevent ePHI from being accessed in the event of loss or theft of an electronic device.
In 2012, Cancer Care Group learned a costly lesson about data protection. A thief obtained a laptop containing personally identifiable information such as names, social security numbers, and insurance information for 55,000 patients. This breach cost the organization $750,000.
In 2017, Children’s Medical Center of Dallas was fined $3.2 million in penalties for failing to implement proper safeguards after a breach in which 3,800 patient records stored on an unencrypted BlackBerry device were lost along with the device.
Does HIPAA require encryption?
Even though HIPAA doesn’t make encryption mandatory, the answer is yes – but implicitly. There are two types of implementation specifications: “required” and “addressable.” Those labeled “required” must be implemented in order to be HIPAA compliant. Encryption falls under “addressable,” which means it should be implemented when the covered entity has determined that it is a reasonable and appropriate safeguard for managing ePHI. HIPAA left the specifications around encryption vague to accommodate future technologies that would offer the same or better protection than encryption. If your organization decides that encryption is not necessary, you are required to document the rationale behind that decision and to put in place another safeguard that is equivalent to encryption.
Addressable does not mean optional
Here’s where things get tricky. If your organization ever undergoes a HIPAA audit, the Office for Civil Rights (OCR) will review your documentation and rationale for disregarding encryption. If the OCR doesn’t agree with your decision, you will be fined. And if your organization suffers a breach due to the lack of encryption or an equivalent safeguard, you will be subject to fines based on the severity of the violation and your organization’s knowledge of noncompliance. Aside from the financial impact, a breach can also damage your organization’s reputation.
Breach disclosure requirements – encrypted or not
Under the HIPAA Breach Notification Rule, every breach of unsecured protected health information requires you to provide timely notifications to affected patients, the U.S. Department of Health and Human Services (HHS), and, in cases affecting more than 500 residents of a State or jurisdiction, the media. You will also be joining the OCR wall of fame – a public list of breaches of “unsecured protected health information” affecting 500 or more individuals.
Unsecured protected health information refers not only to unencrypted ePHI, but also to encrypted data that can still be decrypted, rendering it usable, readable or decipherable to unauthorized persons. The tools used to decrypt data (the keys) should therefore be stored on a different device, or in a different location, from the data they are used to encrypt or decrypt. A breach notification is also necessary for a stolen or lost encrypted device if it is possible to decrypt the protected health information on that device.
Rendering PHI unusable
Protecting health information from unauthorized access is an essential part of the HIPAA requirements. This can be done through encryption of data at rest and data in motion, following the encryption processes outlined by NIST. Hard copy media must be destroyed or shredded so that PHI cannot be reconstructed. Electronic media must likewise be cleared or destroyed.
Endpoint encryption, or its security equivalent, is essential for healthcare organizations following the HIPAA requirements. Without encryption in place, stolen or lost devices can open the door to a major data breach of protected health information, huge fines, and reputation damage.
Want to get started with device encryption? Start with our Benefits of Full Disk Encryption blog for our implementation tips.