To get started, click accept below to bring up the cookies management panel. Next, tap or click on the Personalization button to turn on the chat feature, then Save.
If you are involved in data security for healthcare organisations, one thing you may be wondering is why regulations and legal liability play such an important role in influencing the data-in-transit technologies your organisation opts for. One of the biggest stress factors around IT for the healthcare sector is the importance of compliance with data security regulations such as the US Healthcare Insurance Portability and Accountability Act (better known as HIPAA).
HIPAA has three foundational rules to protect patients and their information:
Privacy rule: protected health information and documentation
Breach notification rule: how organisations report security breaches to authorities and patients
Security rule: establishes security standards for the storage and transmission of protected health information (PHI)
These rules ensure that organisations bear responsibility for ePHI (electronic PHI) confidentiality and security, as well as anticipating and protecting against threats to that data. However, they do not specify a particular protocol, technology or standard for doing so. This is because as cybersecurity threats evolve, so too must HIPAA security technologies. Rather than specify which encryption protocols were necessary, a step which would have undermined the efficacy of the law by tying it to specific technologies, the legislation simply stipulated the strength and reliability of security standards when used to protect ePHI. This was done under the advice of NIST (the National Institute of Science and Technology), so as to render the law more future-proof. Entities can choose the most appropriate solution for their circumstances and apply it to their system.
HIPAA requires different things of encryption software depending on whether it’s ‘at rest’ or ‘in transit’.
At rest: data is inactive, stored on a hard drive or SSD, or on a device like a tablet. Data should be protected by advanced cryptography, full-disk/virtual disk security and mobile device encryption (where applicable).
In transit: actively moving between a sender and destination, such as via email, transmitting to cloud or between a server and a mobile device.
HIPAA compliance is made possible by measures such as AES-256, which is nearly impossible to brute force and approved for confidential data handling by the US government. TLS (Transport Layer Security) is another protocol for secure data transmission, such as HTTPS, email or IMs. It also uses AES-256, combined with other security measures. OpenPGP (Pretty Good Privacy) and S/MIME also comply with HIPAA but have public key management requirements that many find laborious to use in comparison to AES-256 and TLS 1.2.
The common recommendation is that secure systems use AES-256 encryption for data at rest and TLS for data-in-transit. However, this is not the be-all and end-all of your security measures. It is important to identify and mitigate weaknesses in your HIPAA-compliant security.
Staff and training (social engineering): it’s clichéd because it’s true – humans are the weakest link in cybersecurity, and it’s no different in the healthcare industry
Lost or stolen devices: as previously mentioned, lost laptops, flash drives, phones or other devices containing ePHI can necessitate seven-figure payouts
Third-party partners: any third-party cloud or IT vendor handling ePHI must have the same dedication to technical security standards as the healthcare provider or service they work with
Unsecured email systems/servers: if anyone in your organisation still uses unsecured email clients or servers, shut them down
Weak encryption: breakthroughs in computer technology, especially quantum computing, mean that old encryption standards long-thought sufficiently secure may in fact be dangerously porous to modern cybercriminals
Stagnating encryption keys and certificates: encryption keys that are used beyond the lifespan recommended by NIST, or after a data breach, can open organisations up to compromise
HIPAA’s technical safeguards can be confusing because the encryption requirements are called ‘addressable’. The wording for encryption of PHI is vague: “…entities should implement a mechanism to encrypt PHI whenever deemed appropriate”.
In this context, ‘addressable’ means a safeguard or equivalent alternative should be implemented, or else a justifiable reason for why the safeguard was not employed must be documented. For example, internal comms via an internal server protected by a firewall may present no risk to PHI integrity from outside sources. However, communication containing ePHI that leaves an entity protected by firewalls must now be dealt with using an addressable safeguard.
Entities can only transmit ePHI via email over open networks if that information is adequately protected. A risk analysis should be taken to find the risks to the confidentiality, integrity and availability of ePHI, so that a risk management plan can be devised to reduce those risks to an appropriate level.
Universal encryption for messages is a common method of risk management, though levels of protection that are equivalent can be used in place of encryption.
As well as lost or stolen laptops and flash drives, personal mobile devices in the workplace can undermine PHI integrity. Around 4 in 5 healthcare professionals use a tablet for workflow management. Forbidding the use of unencrypted devices in healthcare organisations would cause massive disruption to communication and other aspects of the healthcare industry besides.
Secure messaging platforms offer a possible solution to this problem, as they comply with HIPAA encryption requirements by encrypting PHI both at rest and in transit. Communications containing PHI are undecipherable if intercepted or accessed without authorisation. Secure messaging solutions not only meet HIPAA email encryption requirements, but also requirements for access control, audit controls, integrity controls and ID authentication. This solution is much more useful than pagers, allowing medical information (including images) to be shared securely.
As technology marches on and cybercrime grows more sophisticated, the need for regulatory compliance with HIPAA and other legislation to protect patients’ protected health information in transit will only become more stark.
#KingstonIsWithYou
Ask an Expert
Planning the right solution requires an understanding of your project’s security goals. Let Kingston’s experts guide you.
The importance of organisations to consider Revenue, Profit & Risk as equal in organisations to ensure they mitigate data security & cyber security risks. Read this article from Industry Expert, Bill Mew & he will provide you with an insight on this topic.
What strategies can organisations use to best secure customers data in a post-GDPR world with the ever-evolving nature of cyber security threats? Kingston pooled the knowledge of some of the UK’s most experienced commentators in cyber security to discuss how data protection has changed since the introduction of GDPR.
You already know that remote working is a business enabler. But the challenges posed to your network security and compliance with GDPR are too big to ignore.
Heathrow Airport in London (30 October 2017) uses unencrypted USB drives for its non-cloud storage. Unfortunately, it was not standardized on encrypted USB drives.
