BreachExchange mailing list archives

HIPAA Compliant Technology and the Importance of Encryption


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 25 Feb 2015 19:16:54 -0700

http://www.jdsupra.com/legalnews/hipaa-compliant-technology-and-the-impor-84744/

The Health Insurance Portability and Accountability Act (HIPAA) sets the
standard for protecting sensitive patient data. This means that any covered
entity (CE) or business associate (BA) that handles protected health
information (PHI) must ensure that all the required physical, network, and
process security measures are in place and followed. The HIPAA Privacy Rule
addresses the storage, access and sharing of PHI, whereas the HIPAA
Security Rule sets out the security standards that protect health data
created, received, maintained or transmitted electronically, known as
electronic protected health information (ePHI).

The Health Information Technology for Economic and Clinical Health (HITECH)
Act was passed as a supplemental act in 2009 in response to advances in
health technology and the increased use of ePHI. Transmission Security is
required of HIPAA compliant hosts to protect against unauthorized public
access to ePHI; however, both authentication and encryption are stated to be
addressable, rather than required. This covers all methods of transmitting
data, whether by email, over the Internet, or even over a private network,
such as a private cloud.

Confusion around some of the items classified as addressable within these
technical standards, especially encryption, increases the risk of fines for
organizations that choose not to address these standards. Fines are very
likely to be handed to organizations that experience a data breach as a
result of not using encryption, even if a risk assessment is in place.
Encryption is expected to be one of the key areas the OCR focuses on when
conducting phase 2 HIPAA audits later this year.

Using Technology to Comply with HIPAA

Mechanisms exist to meet the requirements of the HIPAA safeguards, starting
with the use of a HIPAA compliant network hosting provider. HIPAA compliant
networks must have robust firewalls in place to protect an organization's
network from hackers or data thieves. Secure platforms are required for all
organizations that transmit ePHI. These platforms should encrypt ePHI in
transit and have administrative controls to safeguard the integrity of
ePHI. They should also have the capacity to retract messages in the event
of a breach risk, and be able to remotely remove a mobile device from the
system if it is lost by its owner, stolen or otherwise disposed of. In
addition, all devices used to store or transmit ePHI, such as laptops and
mobile devices, should be password protected and encrypted.

The Ramifications of Failing to Encrypt

Since 2012, the U.S. Department of Health and Human Services (HHS) has
issued large monetary fines for violations of the HIPAA Privacy Rule
following the introduction of HITECH. Some of its biggest fines have been
due to lost or stolen laptops that were unencrypted. In April 2014,
Concentra Health Services was fined $1,725,220 to settle HIPAA Privacy
violations that occurred after an unencrypted laptop was stolen from one of
its offices. Some organizations may wrongly conclude that encryption is
technically not required in all cases under the HIPAA Security Rule, as it
is an "addressable" standard under HIPAA, meaning that it is required only
where reasonable and appropriate based on a risk assessment. However, these
fines raise the question of how encryption of mobile devices containing
ePHI is viewed. It is clear from the Concentra Health Services settlement
that conducting risk assessments is not enough to avoid penalties under
HIPAA. Rather, the risks identified in the assessment must be addressed
completely and consistently. Encrypting ePHI in transit is another
important consideration organizations need to assess when completing risk
assessments. When transmitting data between devices, it is crucial that
organizations select a vendor that is HIPAA compliant; failing to do so
exposes organizations to an enormous risk of data breaches.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
