Blog | Townsend Security

HIPAA Safe Harbor Questions and Answers

Written by Luke Probasco | Jul 31, 2012 12:12:00 AM

We have recently seen the medical community step up its level of concern about protecting Protected Health Information (PHI). Aside from just “doing the right thing,” there are business reasons attached. Data breaches are now a regular occurrence and have serious dollars connected to them. Did you know that data breaches in the healthcare industry have increased 32% in the past year and cost an estimated $6.5 billion annually? Additionally, breaches aren’t just the result of hackers: forty-one percent of healthcare executives attribute data breaches to employee mistakes. Luckily, there is a safe harbor from breach notification – proper encryption and key management.

We recently held a webinar titled “Protecting PHI and Managing Risk – HIPAA/HITECH Compliance” and received some excellent questions about encryption, key management, and breach notification that we would like to share with our blog readers.

What does the Department of Health and Human Services (HHS) have to say about Encryption and Key Management?

The Department of Health and Human Services (HHS) points to the National Institute of Standards and Technology (NIST) for encryption and key management best practices. When an organization has a breach and its encryption and key management are not based on industry standards such as those defined by NIST, you can bet it is going to be responsible for a breach notification – averaging $214 per record or $7.2 million per breach.

So when NIST says “This is what we suggest you do,” companies are taking note. WHEN there is a breach – not IF there is a breach – HHS is going to ask how you were encrypting your data. Was your encryption based on standards? How were you managing your encryption keys? Was your encryption a homegrown or proprietary solution?

NIST suggests using the Advanced Encryption Standard (AES) for encrypting data at rest and pairing it with proper key management, such as you would find in our Alliance Key Manager HSM. With NIST-certified encryption and key management, you are provably meeting standards and best practices, and in turn HHS is more likely to say you are exempt from breach notification.

We are a medical software vendor.  Are we required to encrypt PHI in our solution?

Software vendors and medical equipment vendors have no mandate requiring them to protect the data, but it is a strong recommendation. Keep in mind that both end customers and their patients expect their data to be protected the right way, and they don’t want to find themselves subject to breach notifications. Implementing proper encryption and key management has become even more important for software vendors because it is becoming a competitive issue. We are seeing our partners find success because there are still gaps in terms of who is offering this kind of protection – though everyone should be.

The other thing to think about, and HHS is quite clear on this issue, is that HHS really wants vendors of medical solutions to offer encryption. Although it is not a mandate yet, companies that currently have solutions in the medical segment should be prepared for encryption and key management to become a requirement in the future. As we have seen before, things that are strong recommendations today often end up as mandates tomorrow.

View our webcast “Protecting PHI and Managing Risk – HIPAA/HITECH Compliance” to learn how your organization can manage its risk of a data breach and achieve breach notification safe harbor status.