Townsend Security Data Privacy Blog

How is Encryption Used to Protect Protected Health Information (PHI)?

Posted by Luke Probasco on Jul 25, 2012 2:36:00 PM

protecting phiTownsend Security recently hosted a webinar titled “Protecting PHI and Managing Risk – HIPAA/HITECH Compliance” that focused on how members of the healthcare industry can achieve a breach notification safe harbor if they are properly encrypting their Protected Health Information (PHI).  PHI can be stored in many different places – from Electronic Medical Records (EMR) in a database to healthcare claims stored on a laptop by a health insurance company.  With fines for data breaches averaging into the millions of dollars, it is more important than ever to protect your PHI.  We received some great questions during the webinar that we would like to share with our blog readers.

How is encryption used to protect PHI?

Encryption solutions are used in a variety of places.  Basically those of us that are encryption vendors tend to think of encryption in two ways.  The first is encryption of data in motion.  For example, if you open a web browser and go to a website that uses HTTPS and the “lock” comes on, you are encrypting your data as it is “in motion.”   Typically, SSL or TLS encryption is being used.  These technologies protect any information that flows between your web browser and that endpoint – making it safe to send PHI like a social security number or medical records online.

Second, we think about securing data at rest.  This typically means data that is in a database. When you go to the doctor and he interviews you and puts his results into the computer, that data is landing in a database and it needs to be protected.  AES encryption and proper key management are necessary to protect this data.

Our database software has encryption options.  Why would we need a third party software?

Lets start with an example.  Encryption is part of the package when you purchase Microsoft SQL Server 2008 Enterprise Edition or Oracle 11g with Advanced Security.  So you might say to yourself, “Why do I need something else if Microsoft offers encryption?”  In these cases, you are sitting in a good place for the cryptographic portion, but still need encryption key management to meet any compliance regulation.

To line up with industry standards for encryption best practices, you need to have dual control and separation of duties.  To do this you need to physically separate the encryption keys from where the protected data lives (Your SQL Server or Oracle database).  It is great when a vendor provides encryption as part of their database software, but it only gets you halfway to where you need to be.  An encryption key management Hardware Security Module (HSM) will bring you in line with best practices for dual control and separation of duties, allow you to pass your audit, and achieve safe harbor status in the event of a breach.

View our webcast “Protecting PHI and Managing Risk – HIPAA/HITECH Compliance” to learn how your organization can manage their risk of a data breach and achieve breach notification safe harbor status.

Click me

Topics: Encryption, PHI, Encryption Key Management, HIPAA

CIOs in Healthcare Still in a Reactive Posture

Posted by Patrick Townsend on Jul 12, 2012 8:50:00 AM

Webinar: Protecting PHI and Managing Risk - HIPAA Compliance

HIPAA Compliance

View our Webinar "Protecting PHI and Managing Risk - HIPAA Compliance"

Click Here to View Webinar Now

The Healthcare industry is still struggling to come to terms with the new HIPAA/HITECH requirements to protect patient health information. There are now clear requirements to protect patient information (called Protected Health Information, or PHI) from loss, and data breach notification is now mandatory, but CIOs in the medical segment have not yet developed pro-active attack plans to secure their data, and are caught by surprise when they experience a data breach - something that is happening at an alarming rate.

Why is this?

I think we can understand this by looking back at the history of the Payment Card Industry rollout of data security standards about 8 years ago. In the early days of PCI DSS compliance, many companies also took a reactive stance regarding the regulations. I heard CIOs say that they thought their data was already safe, that their IT staff assured them that everything was OK, and even that they would only do something if they had a loss and were forced to make changes. I even heard “I’ll pay the fine and do the time if I get caught.”

It took a number of years before CIOs and their executive teams who fell under PCI DSS to come to understand the real impacts of data breaches and developed a pro-active stance around data protection. Companies came to realize that data breach costs went far beyond the initial fines for non-compliance. There are litigation costs, costs for notifications, new external audit requirements that extended years into the future, opportunity costs while valuable staff focused on fixing the problem and not enhancing the business, and a loss of confidence by their customers and partners. Additonally, breaches can create a public relations nightmare for your company and possible long-term damage to the brand. All of these have real impacts on the bottom line.

When companies in the payment industry fully grasped the impacts of a data breach, they went to work pro-actively to protect sensitive data.

The Healthcare industry is not there yet.

What can a CIO do to change their organization’s posture on protecting PHI? Here are some things to start on:

  • Educate senior management on the real costs of a data breach. (This is probably the most important first step - everyone has to buy into the need and the plan).
  • Involve your IT professionals in creating an inventory of PHI every place it resides in your organization.
  • Identify everywhere in your IT systems where you receive PHI from outside sources, and where you send PHI to outside sources.
  • Create a plan to encrypt PHI and protect the encryption keys.
  • Prioritize your projects. There will be low hanging fruit – places where putting encryption in place is relatively fast and painless.
  • Focus on execution. “Are we there yet?”

I know that the Healthcare industry will eventually get to the right posture on data protection. It will take some time before the realities are well known. But as I talk to CIOs at companies who have experienced a data breach, I know that they get it. Hopefully, these painful lessons will seep into the larger industry sooner rather than later, and you won’t be that CIO who wakes up one morning to the unpleasant surprise of a data breach.

Patrick


View our webcast “Protecting PHI and Managing Risk – HIPAA/HITECH Compliance” to learn how your organization can manage their risk of a data breach and achieve breach notification safe harbor status.

Click me

Topics: HITECH, Best Practices, HIPAA, Healthcare

What are HIPAA Encryption Best Practices?

Posted by Paul Taylor on Jul 10, 2012 8:02:00 AM

HIPAAThe Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes and governs national standards for electronic health care transactions.  According to the website of the U.S. Department of Health and Human Services: 

The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information.... The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.  www.hhs.gov

The protections under HIPAA have been expanded by the Health Information Technology for Economic and Clinical Health Act (HITECH).  Again, according to the Department of Health and Human Services:

HITECH requires healthcare organizations to take more responsibility for protecting  patient records and health information. The Act widens the scope of privacy and security protections available under HIPAA, increases potential legal liability for non-compliance and provides more enforcement of HIPAA rules. The HITECH Act seeks to streamline healthcare and reduce costs through the use of health information technology, including the adoption of electronic health records.

HITECH defines a data breach of protected health information (PHI) as any unauthorized use, access or disclosure of PHI that violates the HIPAA Privacy Rule and poses significant financial, reputational or other harmful risks to an individual.

Should SMBs be concerned about a data breach of PHI?  A recent study found that only 5 percent of data breaches are caused by malicious cyber attacks, while almost 55 percent are linked to human error. 

To determine whether a PHI data breach has occurred, HHS looks at various factors, some within your control, some not.  A key question the Department will ask in the event of a data breach is:  Was the PHI safeguarded by encryption?

What level of HIPAA encryption is recommended?  What are the HIPAA encryption best practices?  The key, as the Practice Management Center of the American Medical Association points out, is to "...render electronic personal health information (ePHI) unusable, unreadable or indecipherable to unauthorized individuals...".  If you follow the specific technologies/methodologies prescribed, you increase the likelihood of being relieved of the potentially burdensome and expensive notification requirements established by the HITECH for a data breach.

Best practices for HIPAA encryption include:

  1. Ensuring your encryption is certified by the National Institute of Standards and Technology (NIST). 
  2. Using an encryption key management appliance that is FIPS 140-2 certified. Federal information processing standards codes (FIPS codes) are a standardized set of numeric/alphabetic codes issued by the National Institute of Standards and Technology (NIST).  They are designed to establish uniform identification of geographic entities through all federal government agencies. 
  3. Encrypting any and all systems and individual files containing ePHI including medical records (and related personnel records), scanned images, your practice management systems and any emails that contain ePHI.
  4. Encrypting data that is published on the Internet.  
  5. Encrypting data on your computers, including all laptops.
  6. Encrypting data that leaves your premises.
  7. Encrypting all sessions during which your data was accessed remotely.  This last one requires diligence supervision to ensure that it is followed every single time.  It should become a habit, something each staff member with access offsite does as a matter of course. 

HIPAA encryption protects not only the personal health information of employees and patients from unauthorized disclosure and use, it protects SMBs from the potentially significant costs (i.e., financial, administrative and via damage to the organization's reputation) that result from such disclosure. 

View our webcast “Protecting PHI and Managing Risk – HIPAA/HITECH Compliance” to learn how your organization can manage their risk of a data breach and achieve breach notification safe harbor status.

Click me

Topics: Encryption, Best Practices, HIPAA

HIPAA Security: Healthcare Data Breaches on the Rise

Posted by Paul Taylor on May 29, 2012 9:32:00 AM

HIPAA SecurityIn a highly digitized environment, identity theft poses a great risk if the necessary safeguards are not utilized. It is paramount that businesses and consumers are made aware of the massive repercussions a data breach of patient info can result in--such as identity theft of patients, as well as financial damage to and reputation loss of healthcare organizations. Current HIPAA regulations mandate that if a data breach occurs, then the organization responsible for that breach must reported it to Health and Human Services (HHS), pay thousands or millions of dollars in fines, and may have to report the breach to the media.  However, if your organization’s data is securely encrypted, you will be exempt from these repercussions.

Despite Health Insurance Portability and Accountability Act (HIPAA) security laws, healthcare data breaches are on the rise. According to the Ponemon Institute, the healthcare industry has lost more than $6.5 billion dollars due to data breaches.

Ponemon also identifies the three most common culprits of healthcare data breaches: stolen or lost equipment, third-party mistakes, and employee errors, indicating that many data breaches stem from unintentional mistakes. Storing health information on mobile devices is also a common practice among health care organizations. However, 49% of the respondents reportedly do not take any steps to secure patients' information on those devices.

medicaid breachA great example of an accidental data breach recently took place in South Carolina where a Medicaid employee transferred several spreadsheets of sensitive patient data to a personal email account. This kind of data breach could have exposed hundreds of thousands of patients to possible theft of Social Security numbers, Medicaid ID numbers, addresses, phone numbers, and birthdates.

Another alarming example took place at an Emory Healthcare storage facility where 10 back-up disks for an old computer were found missing. These disks contained protected health information (PHI) of more than 300,000 patients including patients' names, doctors' names, diagnoses, medical procedures and other privileged information protected under HIPAA.

As healthcare organizations face greater challenges in protecting massive amounts of patient data, the US federal government continues to strengthen security laws, regulations, and best practices. Due to the HITECH act of 2009, HIPAA compliances now requires more stringent steps to ensure full security of patient information.

As the CTO, IT Manger or System Administrator of your healthcare company, you have a critical task to accomplish. You cannot afford to waste time and money on legal battles that you can avoid in the first place. If you do experience a data breach, the emotional toll on your patients could result in lost clients and a tarnished company image.

Here is the good news: NIST-certified encryption and FIPS 140-2 certified encryption key management is at your fingertips!  Townsend Security’s encryption solutions offer affordable possibilities that will fully protect your patients' records and allow you to avoid a breach notification in accordance with HIPAA/HITECH. You need a security technology with a strong encryption solution that is NIST certified and suitable to your server environment. If data is securely encrypted, data breaches don’t need to be reported and you and your patients are assured peace of mind.

For more information, download our podcast "Protect PHI and Manage Risk - HIPAA Compliance" and learn more about achieving Safe-Harbor status in the event of a breach and what is considered a data breach.  Additionally, learn what to be aware of when selecting an encryption or key management solution.

Click me

Topics: HIPAA, Healthcare, Data Breach

HIPAA Crack Down - $100,000 Fine to 5 Doctors

Posted by Adam Kleinerman on May 21, 2012 7:23:00 AM
HIPAA Secure Data

The United States Department of Health and Human Services (HHS) is cracking down on HIPAA violators. Now, more than ever, there is just about zero mercy shed on any practice, large or small, if they are discovered to have made an error in patient confidentiality. On April 17, the HHS made an example out of a physician’s office in Phoenix, Arizona. The practice has only five doctors, but despite being what some may call a small business, they must pay the hefty fine of $100,000 for violating HIPAA privacy and security rules. While this sanction may seem unreasonable for such a small practice, it is simply demonstrating the zero tolerance policy that HHS has regarding HIPAA violations.

A complaint was filed against the practice retroactive to discovering an online calendar that the public had access to. On this calendar were patients’ appointment schedules and even a list of scheduled surgeries. After an HHS investigation took place, it was discovered that employees of the firm were grossly misinformed when it came to knowing the rules and regulations of HIPAA. A second red flag was shown when investigating the amount of effort the company put forth on their policy protecting patient information.

While these two violations are most alarming, there were many other conduct errors found including a failure to obtain a legal business associate agreement in reference to scheduling and email services, and there was no report of risk analysis. All of these violations resulted in the aforementioned six-figure fine.

The message sent here is clear: Follow the bylaws of HIPAA, or suffer major financial consequences. Leon Rodriguez, director of the HHS Office of Civil Rights was quoted in saying  “This case is significant because it highlights a multiyear, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules.” He went on to discuss his desire for companies to comply with the changing rules of HIPAA no matter the size or prominence of the practice.

It is imperative to educate yourself and your staff about the current HIPAA rules.  For more information on HIPAA compliance, view our webinar “Protect PHI & Manage Risk – HIPAA/HITECH Compliance” and learn more about managing your risk of a data breach, achieving breach notification safe-harbor status, and encryption and key management best practices.

Click me

Topics: Data Privacy, HIPAA

How Emory Healthcare Could Have Avoided A Data Breach Notification

Posted by Paul Taylor on Apr 23, 2012 10:17:00 AM

Breach Notification Safe-Harbor

PCI Compliance White Paper

Download the white paper "Achieve Safe-Harbor Status from HITECH Act Breach Notification" to learn more about encyption and key management best practices.

Click Here to Download Now

Data breaches in the medical industry are occurring at a greater rate now than ever before. Emory Healthcare recently experienced a significant PHI (Private Health Information) breach and has announced that approximately 315,000 medical records have gone missing.

Included among those records are those of the chief executive officer of the hospital, who has tried to calm public outcry by noting that, to his knowledge, none of the personal information had been used in attempts at identity theft. But the loss is significant because it violates patient privacy rights and could have been prevented if Emory Healthcare was properly encrypting the data.

In total, 10 backup discs for the hospital system have been gone from their storage facilities since mid-February. Within each record was a wealth of information, including patient names, Social Security numbers, and surgical procedures and dates.

Emory has said that it had strong policies in place to protect the personal information of patients. It also attributed the cause of the theft to an honest mistake made by an employee.  However, HIPAA states that an organization is responsible for a breach notification regardless of whether the data was “hacked” or just lost.

As part of their remediation plan, Emory is providing free resources to help patients combat and prevent identity theft. While Emory has said it is revisiting its policies and procedures to better protect patient information, it's unclear if they are making systemic changes that could protect patients even if data is stolen in the future. Regardless of what security measures they take to better protect patient information, the only way Emory -- or any other medical facility -- can guarantee patient information is safe and avoid a breach notification will be to protect it with encryption and key management.

If you are not familiar, AES encryption (the standard for Data at Rest) is a form of data protection that uses an algorithm to transform information in a way that makes it unreadable by other entities. AES encryption that is certified by the National Institute of Standards and Technology (NIST) is used to attain the highest levels of security. Encryption can't be ignored as a security measure.

The second part of the encryption process is managing the encryption key. Only by knowing the encryption key can that information be unlocked and read. When data such as patient information is encrypted with proper key management, it is safe from being compromised by hackers or other entities that steal the information. Without the encryption key, the data is worthless.


With breaches in the healthcare industry up 32% in the last year, it is more important than ever to be encrypting PHI.  Data breaches have dollars lost directly tied to each record lost.  Download our white paper “Achieve Safe-Harbor Status from HIPAA/HITECH Breach Notification” to learn more about how your organization can protect PHI with encryption and key management.

Click me

Topics: Data Privacy, HIPAA, Security News

Are You Gambling with $7.2 Million? Maybe.

Posted by Luke Probasco on Feb 21, 2012 9:00:00 AM

HIPAA HITECH GambleMany people we talk to are gambling with $7.2 million whether they realize it or not.  This week we are at HIMSS12 in Las Vegas meeting members of the IT medical community – an appropriate venue for such high-stakes gambling.  How are these people gambling with so much money?  The average cost of a data breach is $214 per record, or $7.2 million for an organization.  This figure is determined not only by direct costs of a data breach, such as notification and legal defense costs that impact the bottom line for companies, but also indirect costs like lost customer business due to abnormal churn.

Is there a way to make sure you aren’t putting your organization in such risk?  The HITECH Act, the compliance regulation that the medical community is concerned with, says that the only way to avoid a breach notification is through the use of industry standard encryption such as AES, and appropriate encryption key management technologies.  Other compliance regulations (such as PCI DSS) go as far as REQUIRING protecting Personally Identifiable Information (PII) with encryption and key management – not just to receive a breach notification exemption.

Becoming compliant with these regulations doesn’t have to be hard (though it can be).  Townsend Security has made it easy (saving your organization time and money) with NIST-certified AES encryption for all the major enterprise platforms, as well as a FIPS 140-2 certified encryption key management hardware security module (HSM).  For those organizations who are already encrypting but need key management, our encryption key manager can easily work with your existing database (SQL, Oracle, DB2, etc.) to help meet compliance requirements that call for separation of duties and dual control.

Insist on NISTIf you aren’t familiar with NIST and FIPS 140-2 certifications, the National Institute of Standards and Technology (NIST) provides them to encryption and key management solutions after they undergo a rigorous testing process.  The testing is carried out by independent testing labs who then report the results directly to NIST for validation.  Only the most dedicated security vendors are able to pass the tests and achieve NIST and FIPS 140-2 certifications.  Not only are these certifications essential for meeting compliance regulations, but they provide you an ease of mind that a third-party has verified the integrity of the product.

So are you gambling with $7.2 million?  If you aren’t protecting your PII with encryption and key management you might be.  Take the first step for help and call our gambling hotline (800-357-1019) or send us an email.  We’d be glad to help you step away from the table.

Learn more about proper encryption and key management best practices for HIPAA and HITECH Act in our white paper titled "Achieve Safe-Harbor Status from HITECH Act Breach Notification".

Are you an ISV?  Visit our ISV Partner Program page for more information on becoming a partner or download our white paper titled Healthcare ISVs: Critical Issues in Meeting HITECH Data Protection Regulations.

Topics: Compliance, HITECH, HIPAA, Trade Shows

Encrypting & Protecting Medical Data – Some Thoughts Before HIMSS

Posted by Patrick Townsend on Feb 13, 2012 1:00:00 AM

Breach Notification Safe-Harbor

PCI Compliance White Paper

Download the white paper "Achieve Safe-Harbor Status from HITECH Act Breach Notification" to learn more about encyption and key management best practices.

Click Here to Download Now

Anyone who works with software applications in the medical segment is painfully aware of the complexity of patient information.  You mix a lot of personal information about patients, their family, their care givers, diagnostic information, pharmaceuticals, and insurance providers together, and you get a witches brew of data that would make your head spin.

Mix in a rapidly changing regulatory environment and you’ve really got a headache!

Medical organizations and application vendors have a lot on their plates keeping up with all of this, and now with new Electronic Medical Record (EMR) requirements coming into effect, they have to become experts in encryption technologies to protect patient information.

The lights are blinking red; system overload!

We’ve been helping medical organizations meet their data protection requirements with our encryption and key management solutions for several years. Our commitment to industry certifications such as FIPS 140-2 fits well with HIPAA and HITECH Act guidelines on data protection. When you read about NIST recommendations for encryption and key management best practices, we are already there.

Software ISVs who serve the medical industry also need partner-friendly solutions. ISVs need more than just a technical solution. They need someone they can call on to explain data protect best practices, who can assist in the implementation of encryption and key management, and who can help them stay competitive in their markets. The last thing an ISV needs is to integrate some expensive technology into their solutions and then find themselves at a competitive disadvantage. I am proud of our partner program and its focus on making sure our partners are successful both in their technology initiatives, and in their businesses, too.

This will be our first year at the HIMSS conference in Las Vegas, but we are bringing a lot of experience in the medical segment to the show.  I hope you find the show interesting and helpful, and that you come by our booth (#14124).

Click me

Topics: HITECH, HIPAA, Trade Shows

Ouch! – I Guess Encryption Standards Actually Do Matter

Posted by Patrick Townsend on Oct 25, 2011 8:17:00 AM

DOWNLOAD WHITE PAPER

PCI Compliance White Paper

Download the white paper "Achieve Safe-Harbor Status from HITECH Act Breach Notification" to learn more about encyption and key management best practices.

Click Here to Download Now

The recent news of SAIC being dinged for not protecting US military TRICARE medical information with standard AES encryption and suffering a data loss is interesting. While the details are still thin, it appears that the data was encrypted, but not with a standard AES encryption method. The HITECH Act proposed data security rules make specific reference to AES and other NIST standards.

We don’t know which encryption method was used to protect the data. It could have been a home grown method of encryption, or it may have been a widely accepted encryption method that was just not a part of NIST standards. But it apparently doesn’t matter. If you are not using a NIST standard method of encryption, you are in violation of the compliance requirements.

I think it is going to take some time for the implications of this to settle in. Here are some rather unorganized thoughts:

Over the last two years I’ve seen at least FOUR instances of vendor “AES” encryption solutions that actually weren’t AES encryption. In one case, a point-of-sale vendor implemented an AES encryption library with a 256-bit AES block size. The AES standard (FIPS-197) only allows the use of a 128-bit block size.  The company running this software had no idea that they weren’t actually running an industry standard method of encryption.

In another case a customer was running AES encryption with a non-approved mode of encryption. The underlying encryption library was AES, but the mode was not a NIST-approved mode of operation. This was a distinction lost on the company running this “AES” solution. But it seems likely to me that they were out of compliance and at risk in the same way SAIC was. This company is going to have to rip out the current solution and replace it with something that is actually compliant. That seems like such a waste of time and resources.

In one of these cases the software was provided by a “security” vendor. This vendor sells encryption and key management software specifically to meet encryption compliance regulations. That’s very sad.

With the best of intentions and with deep knowledge of encryption protocols, you can still make mistakes when developing an encryption solution. It is hard to get this right. And weak vendors without the commitment and passion to get it right represent a risk to everyone. So, if you are a vendor of encryption solutions, what do you do to insure that you are getting things right? You learn to not trust yourself so much, you invest in independent review of your solutions, and you invest in independent certification. Today we would never release an encryption product without subjecting it to NIST certification and independent review.

If you are a company facing an encryption project, how will you select a security vendor for your encryption libraries and encryption key management solution? How will you know that their AES encryption is really based on the NIST standard? Are you ready to trust the claims of a sales person? I wouldn’t, and I don’t think you should, either. If a security vendor can’t show you a formal NIST AES Validation certificate, or a FIPS-140-2 certification, you should run for the nearest exit. You just have way too much to lose.

If you think that the HITECH Act is unique in its reference to NIST standards, have a look at the proposed Federal Privacy Law (Senate Bill 1151) that passed out of the Senate Judiciary committee last week. It is likely to empower the FTC to propose standards for encryption and encryption key management, and the FTC is likely to look to NIST for these standards.

The writing is on the wall, or rather, it’s on the Internet at www.nist.gov.

Learn more about proper encryption and key management best practices for HIPAA and HITECH Act in our white paper titled "Achieve Safe-Harbor Status from HITECH Act Breach Notification".

Patrick

Click me

 

 

 

 

Topics: Encryption, NIST, HITECH, HIPAA, AES

HIPAA, HITECH Act, & Encryption Key Management Part 2

Posted by Luke Probasco on Oct 20, 2011 8:08:00 AM

In part one of "HIPAA, HITECH Act, & Encryption Key Management" I sat down with Patrick Townsend, Founder & CTO, to discuss discuss the increased focus on HIPAA and the HITECH Act and the different types of encryption an organization could use to satisfy these requirements.  In part two, Patrick speaks on the benefits of encryption to organization in the health care industry, what the Department of Health and Human Services has to say, and finally how Townsend Security can help meet HIPAA and HITECH requirements for encryption and encryption key management.  Here is the second part of our conversation:

hipaa hitech podcast

Download Podcast Now

Besides protecting patient information, does encryption provide any other benefits to the medical provider?

Yes, there is one particularly big benefit to anybody who is a covered entity, and that has to do with breach notification.  There is a breach notification requirement for anybody who loses patient data or thinks that patient data has been stolen from their system.  If you read the rules, there is no place where it says you must encrypt patient data – BUT- there is a section that says, if you have a breach, and if you have encrypted your data properly, there is a safe harbor from breach notification.  In other words, you don’t have to go through the expensive process of remediating the breach. 

So, there is a very, very positive practical benefit to any covered entity from using encryption, which is, if you have a breach, then that encryption will give you a safe harbor, or a way out from some of the more painful parts of breach notification.  Under breach notification, that information becomes public.  There can be fines levied around the loss of data.  Additionally, you must provide assistance to the patients whose information has been breached, which can be quite expensive.  In the credit card world, we know that the typical cost of remediating a breach is $214 per record, and now the average cost to an organization for having a breach is around $7 million.  So, the use of encryption and proper key management does have a very practical benefit to the covered entity itself in helping them avoid the more difficult and expensive costs of a breach notification.

What does the Department of Health and Human Services have to say about encryption key management?

Again, reading the rules, you will find references to NIST standards and best practices around key management.  It takes a lot of drilling down into the NIST best practices documents to really understand key management, but the information is there.  If I could boil it down to one really important concept, it is that managing encryption keys is the most important part of your strategy.  Protecting the keys is really what you do to protect the data.  So, implementing good key management is a core principle.  If you read the NIST standards, they talk about separation of duties, dual control, and split knowledge.  These are all concepts that have very real world implementations.

Dual control just says that when you are managing keys, you should have two people who must authenticate to manage encryption keys.  It makes sense if you want to avoid the potential for collusion around key management.  Separation of duties means that the people who manage data, or patient information, should NOT be the people who manage encryption keys.

These are the kind of concepts that auditors and others look for in a key management strategy.  In the real world, key management systems are very specialized appliances.  We are a vendor of general-purpose encryption key management solutions that implement these kinds of standards.  This is really how HIPAA and the HITECH Act approach the question about encryption key management.  Again, if you read the IFR’s, which become finalized later this year, they say to use encryption key management that is based on standards, such as NIST.

As a company that provides encryption and key management solutions, can you tell our listeners how these solutions can help them meet HIPAA and HITECH Act requirements? 

Traditionally, encryption key management has been the more difficult part of an encryption strategy, which we are now making easy.  It can be the most expensive part and most difficult to implement.  I think we have done a great job of creating affordable and cost-effective key management solutions, which are FIPS 140-2 certified and work well in a variety of environments across a lot of platforms.  So, the first thing that we have done that’s really beneficial in the medical segment, is creating an encryption key management solution that is affordable to customers and that works well with partners who distribute solutions in the medical environment.  Our encryption key management solutions really help drive down the cost of doing encryption the right way.  Again, the NIST certification on the key manager is important to provably meet the standards called out by the HITECH Act and the rules that they have been promoting.

Secondly, we do provide encryption libraries for customers who need them, so if you need to do AES encryption, for example, which is a NIST standard, we have encryption libraries that are very cost-effective, highly tuned for performance, and will work well in small and large organizations within the medical segment.

Lastly, we have some solutions around secure transfer of data, including PGP encryption and secure transport of data using SSL/TLS technologies.  Again, these match well with HIPAA and HITECH Act requirements for encrypting data.  I think this broad set of key management and encryption capabilities really help our partners and our customers meet these requirements.

 

To hear this conversation in it's entirety, download our podcast titled "HIPAA, HITECH Act, and Encryption Key Management."

 

Click me

Topics: Encryption, HITECH, Encryption Key Management, HIPAA