The HIPAA Security Rule has clear guidance regarding what’s expected for controlling access to electronic protected health information (PHI). As part of the Security Rule’s Technical Safeguard Requirements, Access Control is first on the list and defined as:
“Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights…”
One of the five implementation specifications for Access Control calls for encryption and decryption of PHI. Although it’s “addressable”, meaning that it’s not explicitly required unless risks have been identified, it needs to be in place. A core principle of information security that has been in practice for decades is that of “confidentiality”. In the context of a HIPAA covered entity, business associate, or subcontractor, the only reasonable way to protect PHI is to incorporate access controls into the environment, and encryption is a proven way to do that.
Keeping it real: when unfettered access isn’t ideal
Look at many of the big breaches and even the occasional mishaps that remain inside the confines of your business. When a security “event” occurs, it’s almost always someone gaining access to something they shouldn’t have. In terms of healthcare and HIPAA, this could be:
- Gaps in the user onboarding process that allow a nurse with improper user permissions to review the health records of a celebrity who was recently in for treatment
- A criminal hacker who uses phishing emails to carry out ransomware attacks against local workstations or network shares, rendering PHI inaccessible to everyone but himself
- A contract developer who gives himself full EHR system database access to not only write some new system modules but to also be able to remotely access the PHI for ill-gotten gains after the project is complete
- A system administrator performing network troubleshooting who doesn’t realize that the packet captures containing cleartext PHI that he’s storing on a network share are open to anyone with a network login
There are endless possibilities for exposing PHI and violating the HIPAA requirements.
The importance of remaining responsive
Being ill-prepared for scenarios such as these leads to a reactive rather than responsive mode of operation. Being reactive means you’re overwhelmed, putting out fires, and are not truly managing the security of your PHI. You’re simply reacting to everything that happens. On the other hand, when you have the proper controls in place to lock down PHI, you can work in a responsive manner, which means you have clear visibility into what’s going on and can address PHI-related security challenges in mature, professional, and decisive ways. This is how you’ll not only achieve – and maintain – HIPAA compliance but also have a more effective information security program overall.
You need to be smart in your approach to controlling access to PHI. Security is complicated enough as it is. Don't simply check the “HIPAA Security Rule Access Control Encryption” checkbox without thinking things through. If you're a HIPAA covered entity or business associate, focus instead on PHI access controls such as encryption from a broader perspective that allows you to be more efficient and systematic in your approach. Just remember the core tenet of time management and well-run information security programs: any time you take on something new, you have to give up something you're currently doing. By implementing the proper encryption and related access controls, you can end up with a much more resilient environment. If you fully know where your PHI is located in both unstructured files and structured databases (locally and in the cloud), understand how it’s currently at risk of improper access and unauthorized use, and implement solid technical controls to keep it in check, you’ll know that you’ve done your part to meet, if not exceed, the HIPAA requirements.
To learn more about access control, and healthcare data security trends in general, please check out the 2017 Thales Data Threat Report – Healthcare Edition. For a pithier synopsis, see this blog from Andy Kicklighter, Thales director of product marketing.
About Kevin Beaver
Kevin Beaver is an independent information security consultant, writer, professional speaker, and expert witness with Atlanta-based Principle Logic, LLC. With over 28 years of experience in the industry, Kevin specializes in performing independent security assessments to help his clients uncheck the boxes that keep creating a false sense of security. He has authored/co-authored 12 books on information security including the best-selling Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached through his website at www.principlelogic.com and you can follow him on Twitter at @kevinbeaver.