In the pre-digital age, the technical means of protecting medical data amounted to little more than a locked file cabinet and a secure office door.
These security measures were generally adequate for keeping patient files safe – at least until a fire broke out, or a thief walked off with the filing cabinet.
But if the “good old days” of paper and film records seem like a panacea, the truth is they remain a liability. In fact, based on a data breach study in the American Journal of Managed Care of the years 2009-2016,
Hospitals comprised roughly one-third of all healthcare breaches… Paper and film-based records, rather than electronic records, comprised 65 percent of hospital data breaches. Network servers were the least common location of breached data, although their breaches affected the greatest number of patients.
In other words, data breaches happen no matter what form health records may take.
In our increasingly connected world, maintaining the “CIA” of HIPAA data (confidentiality, integrity, and availability) may seem light years removed from simple locked doors and cabinets – and it is. Still, security is an ongoing task that requires constant vigilance and adaptation.
A HIPAA-compliant hosting provider with proven data security expertise is now critical to maintaining ePHI, as opportunistic hackers continue to exploit medical data for illicit gain.
Tangible Harm from Data Loss
We’ll talk about the technical expertise in a moment; first, we should remind ourselves why this all matters, and the very real harm – in 4 tangible aspects – that can come if your data is actually lost or stolen:
The disclosure of personal information may cause intrinsic harm simply because that private information is known by others. Another potential danger is economic harm. Individuals could lose their job, health insurance, or housing if the wrong type of information becomes public knowledge.
Individuals could also experience social or psychological harm. For example, the disclosure that an individual is infected with HIV or another type of sexually transmitted infection can cause social isolation and/or other psychologically harmful results. Finally, security breaches could put individuals in danger of identity theft.
– from Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research.
Health privacy for digital information, therefore, requires a method for disguising sensitive medical data to be “unusable, unreadable, or indecipherable to unauthorized individuals.”
To ensure that the data is not decrypted using traditional vectors of attack, HIPAA mandates that private key/certificate authentication be used. This is considered to be the most secure form of data security and is even used by security agencies.
While encryption is an industry-standard for securing data, understand that it’s still only a baseline for protection.
In fact, encryption is just one aspect of the HIPAA Security Rule, which mandates several distinct technical safeguards. These technical safeguards are combined with the physical security of computer systems that store protected health information in order to achieve HIPAA Compliance and include:
1. Access controls – These controls refer to data that must be password-protected and limited to authorized users only – step one in any form of IT security.
There are four implementation specifications under access controls that should also be clarified:
- Unique User Identification (Required)
- Emergency Access Procedure (Required)
- Automatic Logoff (Addressable)
- Encryption and Decryption (Addressable)
2. Audit controls – Audit controls apply to the hardware, software, and procedural methods used to keep track of who accesses what data when, and allow you to track the course of a user’s tasks.
3. Integrity controls – Maintaining data integrity refers to the controls needed to keep data private and unaltered; it requires keeping encrypted backups and creating a system to verify data integrity.
4. Transmission security – Maintaining transmission security refers to all data transfers that must be encrypted. Without encryption, the data would be in plain text and readable by anyone who happens to see it.
Protecting the 3 Phases of Digital Data
Like the 3 states of water we learned about in high school – solid ice, liquid, and gas – there are three “states” or phases of digital data that require protection: data-at-rest (in storage), data-in-transit, and data-in-use.
Phase 1: Data at Rest
Inactive ePHI data stored physically (e.g. databases, backups, spreadsheets, etc) is often a treasure trove for hackers, since it typically contains comprehensive lists (often with social security numbers, credit card information) rather than the data of a single patient that might be stolen in transit.
Advanced Encryption Standard (AES) is the industry-standard encryption algorithm used. Cipher strength is 256-bit (AES-256).
Phase 2: Data in Motion (aka Data in Transit)
Data that traverses through a network, traveling from one point to another. RSA is the industry-standard algorithm used. Cipher strength is 2048-bit.
Phase 3: Data in Use
Active data under constant change (e.g. database transactions, memory allocation, data vault, etc). AES-256 is also used as the industry standard encryption algorithm.
Note: Protecting data in all 3 phases (or throughout the data cycle) is typically referred to as “end-to-end encryption.” This means decryption will only be on the recipient’s device, not on the server.
As described above, these are the baselines of HIPAA Compliance. This process of securing sensitive medical information can become a daunting task with many different facets, completely dependent on the scenario in which it is being applied.
Using encryption and all the technical safeguards to properly secure HIPAA data is therefore of the utmost importance for compliance. For a helpful listing of the applicable security standards with practical questions for your business, see the HIPAA Security Series.
Finding the right HIPAA Compliant Hosting Provider is also vital for this need. If you have any questions on HIPAA data security or any of the services we provide, please contact us! 760-290-3460.
HIPAA Vault is a low-cost leader of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities.