News Feature | October 30, 2013

A Look At Different Approaches To Data Security

By Greg Bengel, contributing writer

To be HIPAA compliant, providers should implement a comprehensive plan that includes data encryption, destruction, and the cloud

Quite understandably, HIPAA regulations have proven to be a huge headache for providers, who struggle mightily to stay compliant. Health IT Outcomes has reported on the hurdles providers face with HIPAA, as well as the time drain associated with becoming compliant.

Much of the buzz surrounding HIPAA focuses on the headache, and doesn’t give much in the way of actionable guidance on how to become compliant. A recent article on Government Health IT tackles one big question on many providers’ minds: “Is encryption required for HIPAA compliancy?”

It would seem that the answer is no, encryption is not required. However, if data is not encrypted, providers had better have some alternative method of securing it. The article explains, “As the law is currently written and interpreted, compliance requires that ePHI be ‘unusable, unreadable, or indecipherable to unauthorized individuals.’ There are two primary means of meeting this requirement: encryption and destruction.”

Of course, that isn’t the end of the story. A strict plan of either encrypting or destroying data is not always necessary. According to the article, “The encrypt-or-destroy mandate on ePHI only applies to data that is stored on a device. If the device is only used to access the data, which exists in some other place (like in the cloud) and neither caches nor stores that data locally, then the device does not need to be encrypted or subject to a ritual cleansing to destroy the data. In this situation, employees could theoretically access ePHI that exists in the cloud from any device so long as they don't download that information to the device.”

In a scenario such as this one, it is imperative that providers can trust employees not to download or store ePHI on unencrypted devices. As an additional measure, the article suggests implementing technology that prevents the data from being stored on such devices. After all, even trusted employees make mistakes.

“Nonetheless,” the article says, “all methods are subject to both intent, nefarious or otherwise, to circumvent policy and to human error. Even encryption has its pitfalls, because encryption is only as effective as the security of its authentication. Once a device is authenticated and the data decrypted, it's no longer HIPAA and HITECH compliant the moment unauthorized individuals take a gander at it. The best encryption systems and the longest and most random passwords are no shield to the ever-common habit of writing passwords down.”

The article’s final suggestion is to implement a plan with your IT team, mixing the two methods. The plan, it says, should acknowledge the reality of employees using technology and interacting with ePHI, and should combine encryption of the devices used to store data with destruction of that data.