Since its inception, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule has had one main goal: to ensure that protected health information (PHI) such as names, Social Security numbers, genetic data and the like is adequately protected against security threats. The HIPAA Security Rule revolves around the long-standing security triad of confidentiality, integrity, and availability. In fact, the 18 standards in the original Security Rule that took effect in 2005, combined with the subsequent updates in the HITECH Act in 2009 as well as 2013’s Omnibus Rule, are nothing more than information security best practices for keeping PHI protected from harm. One Security Rule standard where many organizations stand to gain a lot of benefits is Access Control, which includes the encryption of PHI.
Mitigating Risks and Data Breaches
Encrypting PHI wherever possible and reasonable can be one of the most effective approaches for fine-tuning your HIPAA compliance efforts. The essence of HIPAA Security Rule compliance is finding and implementing the most reasonable process or control to minimize risks that have been identified and prevent breaches. Looking at the US Department of Health and Human Services Office of Civil Rights’ "HIPAA Wall of Shame", there's no doubt that a large portion of these breaches and the negative consequences that came along with them could have been prevented if the PHI had been properly protected with encryption controls. This observation is further supported by the Privacy Rights Clearinghouse’s Chronology of Data Breaches as well as the findings from the various information security studies that come out each year, such as the Verizon Data Breach Investigations Report.
Debunking Encryption Misconceptions and Embracing its Benefits
Generally speaking, "encryption" is often thought of as a complex, often last-ditch, solution for protecting information after all other reasonable security controls are in place. I still hear people talk about how they're afraid to implement encryption because of the presumed overhead it's going to have on system performance. These assumptions are simply not true, especially given today’s computer and network hardware capabilities. Based on my experience seeing how beneficial a well-run encryption program can be in client environments, combined with the advanced technology options for encrypting PHI, there is no good business case for why you shouldn't have it where risks are identified. There’s so much to lose, yet so much to be gained in terms of HIPAA compliance, such as:
- Encryption can provide safe harbor protections in the event of a PHI breach. This means that you won’t have to send out breach notices to those whose personal records are impacted or report to the Office of Civil Rights as long as a risk analysis shows that the PHI is considered secured, i.e., encrypted.
- PHI is most vulnerable when it’s at rest, i.e., stored in databases and unstructured files on the local network, on mobile devices, or in the cloud. Encryption is one of the best ways to keep this information in check.
- Encryption tools can facilitate workflows and productivity – all without the users ever knowing what’s taking place behind the scenes. Any security technology that can keep users from making security decisions and can help you push your information security and compliance initiatives in a positive direction is worth having.
- Encrypting PHI can help you meet additional HIPAA Security Rule standards involving audit controls, security incident procedures, and security management process.
These benefits will not only help you with HIPAA compliance but also help you to adhere to the requirements of internal security policies and standards, business contracts, and industry/government regulations that require information protection similar to that mandated by HIPAA. Encryption, in and of itself, is not the solution to all of your compliance requirements. However, it’s an integral part of the overall approach to properly securing PHI and can provide numerous compliance payoffs – both tangible and intangible.
For more information on the compliant protection of PHI, please visit the Thales website here.
About Kevin Beaver
Kevin Beaver is an independent information security consultant, writer, professional speaker, and expert witness with Atlanta-based Principle Logic, LLC. With over 28 years of experience in the industry, Kevin specializes in performing independent security assessments to help his clients uncheck the boxes that keep creating a false sense of security. He has authored/co-authored 12 books on information security including the best-selling Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached through his website at www.principlelogic.com and you can follow him on Twitter at @kevinbeaver.