Protecting your Patient’s Privacy –
it’s a necessity for sensitive data like protected health information (PHI).
And yet, HIPAA regulations can seem a bit vague about exactly how should be done. Actually, that’s intentional; HIPAA wasn’t intended to endorse specific technical solutions.
If you think about it, the reasons are understandable; technologies are subject to flux, and the changes often come rapidly. Painting with a broad brush about data protection, therefore, is a way of staying “technology-neutral” as new techniques of protecting data are introduced. However, this does not take away from the importance of HIPAA encryption.
Today, most providers realize that encryption is the technique of choice; HIPAA even states that covered entities (CEs) and their business associates should “implement a mechanism to encrypt PHI whenever deemed appropriate.” The “when appropriate” should include whenever patient data is received by a website, held in storage on a hard drive, or sent by email or text. Disguising it with ciphertext in these circumstances – essentially what encryption does – causes it to be unreadable should it ever fall into the wrong hands.
That said, if you are involved in projects involving patient information in electronic health records (EHR), then it behooves you to know at least the basics of encryption, as well as where and when should it be applied. Patient privacy and well-being are at stake, as well as the potential for significant fines and loss of reputation for your business.
So What Type of Encryption is Best?
Once again, the Office of Civil Rights (OCR) does not prescribe a specific type of encryption to use; however, the National Institute of Standards and Technology (NIST) recommends the use of Advanced Encryption Standard (AES) 128, 192, or 256-bit encryption, OpenPGP, and S/MIME.
One type of encryption that is commonly used for PHI data is known as Symmetric (or “secret key”) Cryptography (as opposed to Asymmetric, or “public key”). Symmetric cryptography is typically used to encrypt hard drives or databases that contain PHI, and employs an algorithm or cipher that involves a single key. The key is like a password and is not computed.
This key is to be shared only with authorized users and applications that need to unlock (decrypt) the data. This is especially important to safeguard, for if the key gets into the wrong hands, the data might be exposed to an unauthorized user. The best practice for symmetric cryptography is typically an AES-256 key.
Asymmetric ciphers, on the other hand, are used when the data is transmitted from one place to another, such as when using HTTPS – currently the protocol of choice for all online activities, including shopping. (The “S” is for SSL protection, using an asymmetric cipher where the public key is in a web browser’s cache (memory), and only the webserver has the private key). An asymmetric cipher involves two keys. One key is for locking the data, and this key can be given to anyone. It is considered public. The other key is private, used for decrypting the data, It should only be used by authorized users or applications.
Asymmetric encryption is perfect for securing sensitive data that is being transported from a user’s web browser to a webserver since the keys are derived by an algorithm or cipher. The asymmetric key is much longer and more complex than a symmetric key, which is simply made up. And because the public key can be distributed “safely” to anyone, it is considered a superior method of encryption whenever the widespread distribution of keys is involved. Best practices dictate using asymmetric ciphers, typically RSA with a 2048 bit key.
Use this table to help you recall what encryption type and strength to use:
|Hard disk (files) or Database||Symmetric Cipher||AES-256|
|Transporting data (HTTPS)||Asymmetric Cipher||RSA 2048 bit Key|
As noted, the length of the key is important. A longer key is more secure than a shorter one; therefore, a 1024 bit key is not as secure as a 2048 bit key. And neither is an AES-128 bit key as secure as an AES-256 key.
In conclusion, HIPAA encryption is an important means of protecting sensitive data – necessary to remain compliant with HIPAA regulations. If you are involved in working with electronically protected health information, then knowing what type and strength of HIPAA encryption to use in different circumstances is vital to maintaining the appropriate protections.