Educause Security Discussion mailing list archives

Re: HIPAA Requires Encryption?


From: Faith Mcgrath <faith.mcgrath () YALE EDU>
Date: Fri, 27 Aug 2010 10:25:16 -0400

As part of your risk assessment you may also want to review the HITECH regs on breach notification for unsecured PHI and those specifications for encryption for both data at rest and in motion (and for data destruction). -Faith

_____________________
45 CFR Parts 160 and 164
Breach Notification for Unsecured Protected Health Information; Interim Final Rule
http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf

[pg 42742-42743]
"Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals if one or more of the following applies: (a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard. (i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800-11, Guide to Storage Encryption Technologies for End User Devices. (ii) Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated. (b) The media on which the PHI is stored or recorded have been destroyed in one of the following ways: (i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction. (ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved."

--
Faith McGrath, Compliance Officer
Yale University ITS - Information Security
faith.mcgrath () yale edu
voice: 203.737.4087
security () yale edu || security.yale.edu


Ozzie Paez wrote:
Dear Mike,

Yours is a very logical approach and I cannot disagree with you
technically, however, the regulatory environment has factors, which
often drive a decision. When it comes to sensitive personal information
such as what we deal with in HIPAA, there is always the issue of
liability and its attractive effects on attorneys. In that light, some
things are simply expected and when they are not there, the
organization’s liability based on perception increases significantly.
Explaining to a jury why technically encryption is not necessary takes
time and exposes any technical argument to a counter technical argument.
In the end, the jury may well throw up its hands and cancel the experts
out, which leaves the attorney with the simple question of “How could
they justify leaving this data unencrypted just to save a few dollars?”
or “Everyone knows that encryption protects privacy and yet they did not
care enough to spend a few dollars more to protect my clients’ most
private information?” Anyway, my two cents worth is that it is just not
worth the risk because encryption has become a kind of expected elixir,
which, whether effective or not, affects overall risks and liabilities –

Great points in your e-mail though –

Ozzie

*From:* The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *SCHALIP, MICHAEL
*Sent:* Thursday, August 26, 2010 9:34 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] HIPAA Requires Encryption?

Doesn't the question of "should we encrypt" vs "do we have to encrypt"
with ANY kind of data, (HIPAA, or any other) also depend on the state of
the data? Is the data "at rest" and other protections are already in
place?.....or is the data "in transit" and open? (ie, being e-mailed or
copied across WAN links?).....or is the data "in use", and still
protected because there's an authorized user monitoring the screen...??

I used to deal with highly sensitive data and for us, it always came
down to "....it depends...". Policy always had to come down to the
circumstances behind the how, why, where, and when associated with the
use of the data....trying to adhere to a "one policy fits all" situation
was a losing proposition....

Just my $.02.....

M

------------------------------------------------------------------------

*From:* The EDUCAUSE Security Constituent Group Listserv
[SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ozzie Paez
[ozpaez () SPRYNET COM]
*Sent:* Thursday, August 26, 2010 9:19 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] HIPAA Requires Encryption?

Hey Matthew,

HIPAA does not require it, but any reasonable cost estimate will show
that it is worth it. The risks and costs of dealing with unencrypted
lost data are so much higher that it is a risk not worth taking,
particularly if you already have the infrastructure in place. Hope it helps,

Ozzie Paez
SSE/SAIC
303-332-5363

*From:* The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Matthew Link
*Sent:* Thursday, August 26, 2010 2:19 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] HIPAA Requires Encryption?

Very recently, I inherited the job of focusing information security
efforts. In the process of upgrading a SQL server, a question has
arisen regarding the provision in HIPAA (Addressable) to encrypt EPHI at
rest on both the server and the backup media. It does come at some
additional cost, though it's manageable. Before proceeding, however, I
thought I'd ask if anyone has suggestions.

Thanks,

--Matthew Link.

Director, User Services

Information Services, UCM

660-543-8063

link () ucmo edu






