In part one of "HIPAA, HITECH Act, & Encryption Key Management" I sat down with Patrick Townsend, Founder & CTO, to discuss discuss the increased focus on HIPAA and the HITECH Act and the different types of encryption an organization could use to satisfy these requirements. In part two, Patrick speaks on the benefits of encryption to organization in the health care industry, what the Department of Health and Human Services has to say, and finally how Townsend Security can help meet HIPAA and HITECH requirements for encryption and encryption key management. Here is the second part of our conversation:
Besides protecting patient information, does encryption provide any other benefits to the medical provider?
Yes, there is one particularly big benefit to anybody who is a covered entity, and that has to do with breach notification. There is a breach notification requirement for anybody who loses patient data or thinks that patient data has been stolen from their system. If you read the rules, there is no place where it says you must encrypt patient data – BUT- there is a section that says, if you have a breach, and if you have encrypted your data properly, there is a safe harbor from breach notification. In other words, you don’t have to go through the expensive process of remediating the breach.
So, there is a very, very positive practical benefit to any covered entity from using encryption, which is, if you have a breach, then that encryption will give you a safe harbor, or a way out from some of the more painful parts of breach notification. Under breach notification, that information becomes public. There can be fines levied around the loss of data. Additionally, you must provide assistance to the patients whose information has been breached, which can be quite expensive. In the credit card world, we know that the typical cost of remediating a breach is $214 per record, and now the average cost to an organization for having a breach is around $7 million. So, the use of encryption and proper key management does have a very practical benefit to the covered entity itself in helping them avoid the more difficult and expensive costs of a breach notification.
What does the Department of Health and Human Services have to say about encryption key management?
Again, reading the rules, you will find references to NIST standards and best practices around key management. It takes a lot of drilling down into the NIST best practices documents to really understand key management, but the information is there. If I could boil it down to one really important concept, it is that managing encryption keys is the most important part of your strategy. Protecting the keys is really what you do to protect the data. So, implementing good key management is a core principle. If you read the NIST standards, they talk about separation of duties, dual control, and split knowledge. These are all concepts that have very real world implementations.
Dual control just says that when you are managing keys, you should have two people who must authenticate to manage encryption keys. It makes sense if you want to avoid the potential for collusion around key management. Separation of duties means that the people who manage data, or patient information, should NOT be the people who manage encryption keys.
These are the kind of concepts that auditors and others look for in a key management strategy. In the real world, key management systems are very specialized appliances. We are a vendor of general-purpose encryption key management solutions that implement these kinds of standards. This is really how HIPAA and the HITECH Act approach the question about encryption key management. Again, if you read the IFR’s, which become finalized later this year, they say to use encryption key management that is based on standards, such as NIST.
As a company that provides encryption and key management solutions, can you tell our listeners how these solutions can help them meet HIPAA and HITECH Act requirements?
Traditionally, encryption key management has been the more difficult part of an encryption strategy, which we are now making easy. It can be the most expensive part and most difficult to implement. I think we have done a great job of creating affordable and cost-effective key management solutions, which are FIPS 140-2 certified and work well in a variety of environments across a lot of platforms. So, the first thing that we have done that’s really beneficial in the medical segment, is creating an encryption key management solution that is affordable to customers and that works well with partners who distribute solutions in the medical environment. Our encryption key management solutions really help drive down the cost of doing encryption the right way. Again, the NIST certification on the key manager is important to provably meet the standards called out by the HITECH Act and the rules that they have been promoting.
Secondly, we do provide encryption libraries for customers who need them, so if you need to do AES encryption, for example, which is a NIST standard, we have encryption libraries that are very cost-effective, highly tuned for performance, and will work well in small and large organizations within the medical segment.
Lastly, we have some solutions around secure transfer of data, including PGP encryption and secure transport of data using SSL/TLS technologies. Again, these match well with HIPAA and HITECH Act requirements for encrypting data. I think this broad set of key management and encryption capabilities really help our partners and our customers meet these requirements.
To hear this conversation in it's entirety, download our podcast titled "HIPAA, HITECH Act, and Encryption Key Management."