HIPAA and the HITECH Act have been hot topics lately. Why is that? First, the U.S. Department of Health and Human Services has recently issued guidance stating that “unsecured protected health information (PHI)” is essentially any PHI that isn’t encrypted or destroyed. This means that no matter how much technology you throw at securing the data, if it isn’t encrypted, it isn’t considered secure. The second, and arguably more compelling, reason is that HIPAA-covered entities are required to send notification letters if there is a breach of unsecured PHI. Only the use of proper encryption grants safe harbor in the event of a breach.
I recently sat down with Patrick Townsend, our Founder & CTO, to discuss HIPAA, the HITECH Act, and encryption key management. Here is part 1 of 2 of his thoughts on this topic:
With HIPAA and the HITECH Act, there seems to be an increased focus on encryption.
Yes, there really is. The technology that everyone looks to for protecting PHI is encryption. So, yes, there is a real focus on encryption. It is important. Everyone who is a covered entity within the definition of HIPAA and the HITECH Act really needs to focus on protecting their patient information. Encryption is specifically called out in the rules for covered entities, whether you are a health provider, an HMO, or any organization that is within that arena of medical delivery.
Are there any specifications on what type of encryption an organization should use?
Yes. HIPAA and the HITECH Act are pretty explicit in providing the standards that are the basis of the approach you should take. If you read the rules, as they are today, which are due to be finalized this year, they point straight to industry standards in terms of the kind of encryption and the techniques you should use to protect data. The basic recommendations, in terms of standards, are to look at the National Institute of Standards and Technology (NIST) for proper ways of doing encryption and key management.
While the regulations aren’t specific in saying “You must use XXX algorithm for your encryption,” they say you must base your encryption approach on widely accepted standards. Additionally, they make specific recommendations to NIST for those standards. If you look at the NIST standards, which have been in place for a long time, they publish standards on encryption and key management. The proper encryption for “data at rest” or database files is AES encryption. So patient data, at rest, in any type, is typically protected with AES.
For “data in motion” or data that you are transmitting, like patient claim data or patient information, we have standard protocols. PGP whole file encryption, for example, is a well-accepted mechanism for protecting whole files. It has been FIPS 140-2 certified, which means it is provably based on NIST standards for encryption. Also, using an SSL/TLS connection for protecting data that you transmit over a web site or a web connection is another standard that maps directly to NIST. Customers who base their encryption on those particular technologies will line up with NIST recommendations and best practices, and therefore align with HIPAA and the HITECH Act.
There is also a set of standards around encryption key management. NIST publishes the best practices standards for encryption key management. You have Special Publication 800-57 and other Special Publications that go together that really talk about key management. And you also have FIPS 140-2 certification. So key management solutions that are FIPS 140-2 certified match up to these regulations.
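The two points above, AES for PHI at rest and keys managed separately from the data, fit together in an envelope-encryption pattern: each record is encrypted under its own data-encryption key (DEK) with AES-256-GCM, and the DEK is itself wrapped under a key-encryption key (KEK) that lives in the key manager, never beside the database. The following Go program is an added example written for this article; it is not code from Townsend Security or from the interview. The record contents are constructed, not real patient data, and the KEK is generated in memory purely for the demo where a production system would fetch it from a separate (ideally FIPS 140-2 validated) key manager. It uses only the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// samplePHI is a constructed record for the demo; it is not real patient data.
const samplePHI = `{"patient_id":"P-0001","dob":"1970-01-01","dx":"J45.909"}`

// newKey returns a fresh random 256-bit key (AES-256).
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// gcmFor builds an AES-GCM AEAD for the given key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts plaintext and returns nonce||ciphertext||tag. aad is
// authenticated but not encrypted; binding the record id this way means a
// blob cannot be silently moved to another patient's row.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any change to the blob or the aad fails the tag check.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptedRecord is what lands in the database: the PHI ciphertext plus the
// per-record DEK wrapped under the KEK. The KEK itself is never stored here.
type EncryptedRecord struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptRecord generates a DEK for this record, encrypts the PHI with it,
// and wraps the DEK under the KEK obtained from the key manager.
func EncryptRecord(kek []byte, recordID string, phi []byte) (*EncryptedRecord, error) {
	dek, err := newKey()
	if err != nil {
		return nil, err
	}
	ct, err := sealGCM(dek, phi, []byte(recordID))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(kek, dek, []byte("dek:"+recordID))
	if err != nil {
		return nil, err
	}
	return &EncryptedRecord{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the DEK with the KEK, then decrypts the PHI.
func DecryptRecord(kek []byte, recordID string, rec *EncryptedRecord) ([]byte, error) {
	dek, err := openGCM(kek, rec.WrappedDEK, []byte("dek:"+recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %s: %w", recordID, err)
	}
	return openGCM(dek, rec.Ciphertext, []byte(recordID))
}

func main() {
	// Demo only: a real deployment fetches the KEK from a separate key manager.
	kek, err := newKey()
	if err != nil {
		panic(err)
	}
	rec, err := EncryptRecord(kek, "P-0001", []byte(samplePHI))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptRecord(kek, "P-0001", rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d ciphertext bytes; decrypted: %s\n", len(rec.Ciphertext), pt)
}
```

Two design points are worth noting. A DEK per record keeps the number of messages under any one AES-GCM key tiny, which sidesteps the random-nonce collision concern that arises when one key encrypts millions of rows, and it means rotating the KEK only requires re-wrapping DEKs, not re-encrypting the PHI. Putting the record id in the additional authenticated data makes decryption fail if a ciphertext is copied into another patient's row or the DEK is swapped, so integrity of the mapping is checked, not just confidentiality of the bytes.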
To summarize, you want to find technologies that are based on standards. Certifications lend credibility to the claim that they are based on standards. Any organization that needs to protect data should look for solutions that have FIPS 140-2 and NIST certifications to indicate they are properly based on standards.
To hear this conversation in its entirety, download our podcast titled "HIPAA, HITECH Act, and Encryption Key Management."