In the wake of large-scale healthcare breaches like those at Anthem, Inc. and Blue Cross, encryption of data is becoming an increasingly important issue. The HIPAA Omnibus Rule did a lot to improve individuals' rights to their health information, protect patient privacy, and strengthen the government's ability to enforce the law. However, encryption is still considered something “addressable” as opposed to a required part of HIPAA.
Over 90 million Americans are at potential risk of having their information compromised and exposed. In an increasingly digital world, you may be wondering whether enough is actually being done by your contracted technology vendors to keep data safe. Should health data encryption be mandatory instead of loosely guided by a set of addressable bullet points? Let's take a closer look at what health data encryption is, why it is beneficial, and what questions you should be asking vendors who are required to use it.
What is encryption?
Encryption converts data from its original, readable form into encoded text. Essentially, when encryption is used in healthcare, the data is unreadable unless an individual has the necessary key to decrypt it. This is an effective way for electronic PHI (ePHI) to remain secure and protected from hacks and from unauthorized attempts to recover the data for personal gain or harmful use.
In relation to HIPAA and the HIPAA Security Rule, data encryption is a method deployed to protect PHI. According to the Department of Health & Human Services, the Security Rule was designed to protect all data that “a covered entity creates, receives, maintains, or transmits in electronic form.”
Is Encryption Beneficial?
Theft of and unauthorized access to devices account for over 60% of healthcare data breaches, including incidents that involve PHI. If a laptop or smartphone is stolen or accidentally left behind, it can fall into the hands of the wrong individual. That individual could cause major damage if they were able to easily access medical and financial information. However, if this unauthorized user were unable to read the information on the device, a massive data breach could be avoided.
Health data encryption is an important step in making sure the latter becomes the norm. However, encryption alone is not enough to fully protect sensitive information. For example, malware could break through a covered entity's database security, and from there attackers could gain access to information, including PHI. If an employee's login credentials were stolen, an unauthorized user could gain access that way. In both of these examples, it wouldn't matter whether the data was fully encrypted, because the attacker is coming in through a legitimate path that already decrypts it. What matters is internal protocols and how employees are trained.
It is also important to know whether a vendor is encrypting data at rest, in motion, or both. Using a virtual private network (VPN) or a secure browser connection, for example, helps protect data in motion. Transport Layer Security (TLS) also protects data in motion: this protocol ensures that mechanisms are in place to provide authentication, confidentiality, and integrity for sensitive data while it is being transmitted electronically – think web faxing, text messaging, and email.
Overall, multiple safeguards need to be in place to fully secure and protect data, and encryption should always be part of the package. Health data encryption is an extremely beneficial security measure, but it must work alongside other administrative and physical safeguards to be fully effective.
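The two points above (a stolen device is harmless if its data is unreadable, but encryption does nothing against someone who arrives with valid credentials) are easiest to see in code. The following is an added example, not RingRx's software or part of the original post: it encrypts a constructed, fictitious patient record at rest with AES-256-GCM from Go's standard library, then shows that the stored bytes reveal nothing without the key, that a wrong key or a tampered record is rejected, and that anyone holding the key reads the record freely. The record contents and the key handling are assumptions for illustration only.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sampleRecord is a constructed stand-in for one ePHI entry; it is not real
// patient data.
const sampleRecord = "patient=J. Doe;dob=1970-01-01;dx=E11.9"

// NewKey generates a random 256-bit AES key. In a real deployment the key
// lives in a key management service or a hardware-backed keystore, never on
// the same disk as the data it protects; here it is held in memory only.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and prepends the random nonce so the
// result is self-contained. GCM gives confidentiality and integrity together:
// a ciphertext that has been altered will not open.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. It fails if the key is wrong or the stored bytes were
// modified, which is what a thief holding only the device gets.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// ContainsPlaintext reports whether the stored bytes expose the record verbatim,
// i.e. whether encryption at rest is actually doing its job.
func ContainsPlaintext(stored []byte, record string) bool {
	return bytes.Contains(stored, []byte(record))
}

func main() {
	key, _ := NewKey()
	sealed, _ := Seal(key, []byte(sampleRecord))
	fmt.Printf("stored bytes leak plaintext: %v\n", ContainsPlaintext(sealed, sampleRecord))

	// Lost or stolen device: attacker has the ciphertext but not the key.
	wrongKey, _ := NewKey()
	_, err := Open(wrongKey, sealed)
	fmt.Printf("decrypt with wrong key: %v\n", err)

	// Tampering with the stored record is detected, not silently accepted.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered)
	fmt.Printf("decrypt tampered record: %v\n", err)

	// Stolen credentials: the attacker uses the legitimate path, which holds the
	// key, so encryption at rest offers no protection here.
	got, _ := Open(key, sealed)
	fmt.Printf("decrypt via legitimate path: %s\n", got)
}
```

The last step is the one the text warns about: whoever can exercise the application's own decryption path, whether a trusted employee or someone who stole that employee's login, reads the record regardless of how strong the cipher is. That is why access controls, monitoring, and staff training sit beside encryption rather than behind it.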
Is Encryption Required?
According to HIPAA, encrypting health data is “addressable” but not “required.” However, that does not mean technology vendors should ignore health data encryption. Healthcare organizations must determine which privacy and security measures will benefit their workflow. Here at RingRx, we can guarantee that encryption will be part of those measures. Ask yourself questions like the following to help determine whether encryption is appropriate:
- What encryption and decryption mechanisms are reasonable and appropriate to implement to prevent access to ePHI by persons or software programs that have not been granted access rights?
Beyond that, healthcare organizations should also be asking who is accessing data and how they might be doing so. For example, if a hospital has a BYOD policy, employees may be accessing ePHI through their phones, and mobile data encryption would be extremely appropriate.
It remains unknown whether HIPAA's compliance measures will change to make encryption mandatory. Until then, you should operate with a “better safe than sorry” mindset when it comes to protecting patients' health information and data. Data breaches and hacking attempts are never going to stop, so it is important that healthcare providers remain diligent in making sure the technology platforms they use stay as secure as possible.
RingRx is fully encrypted (at rest and in motion) and fully HIPAA compliant. If your practice is looking to streamline communication processes and calendar management, our phone solution can help. We offer a signed BAA upon start of service, and plans start as low as $15 per month. Click here to start your free trial.