Are You Secured?

As HIPAA penalties grow, encryption keeps data under lock-and-key.


Encryption. It's the techie term on everyone's tongues--or should be, in light of recent government regulations. The Office of Civil Rights (OCR) has deemed encryption the only way to ensure the security of personal health information (PHI), whether it is stored on a laptop or exchanged among providers. A breach involving unencrypted data must be reported, and penalties could reach upwards of $1.5 million.

Despite the risks, many health care organizations have yet to implement encryption technology. According to a recent survey by the Ponemon Institute, fewer than half of health care IT security professionals consider their organization's security measures "effective." A similar survey by the research firm Trust Catalyst found that fewer than half of IT professionals, including those in the health care field, encrypt tapes, databases or full disks. Cost and complexity were the most common reasons for dismissing encryption, but as HIPAA enforcement looms, facilities may want to give security another look.

"Encryption is really thought of as this complex beast that needs a lot of people and resources," said Alex Zaltsman, CEO of Experior Data Security and Encryption, New York City. "But the reality is if you choose the right partner to outsource to or take the time to look at the solutions out there . . . it's not as hard as it used to be."

Vulnerable Data
According to the OCR, covered entities and business associates are required to protect four types of vulnerable information:

  • Data at rest. This can be data stored on desktop computers, laptops, tablet PCs or USB devices.
  • Data in motion. Any sensitive information sent through e-mail, fax or other form of exchange.
  • Data in use. This covers any open programs, such as when a coder accesses a record for claims data.
  • Data disposed. Any files, hard drives, etc., that are no longer of use to the organization, but contain PHI.

The OCR calls for encryption of data at rest and in motion. Data in use cannot be encrypted, Zaltsman said, because the information is being actively accessed at that moment; firewalls, mainframe and user authentication are recommended to protect it instead. Data disposed can be protected through encryption, but hard-drive wiping systems and shredding can also guarantee data doesn't fall into the wrong hands.

The Right System
Facilities can opt to encrypt parts of their IT system, but full-disk encryption ensures the organization is covered in the event of a breach. "Temporary files created by various applications, the operating system swap file and hidden partitions may contain sensitive data," said Daniela Crivianu-Gaita, chief information officer at The Hospital for Sick Children, Toronto. "Full-disk encryption is the only approach that assures all the data on the local hard disks is encrypted."

Crivianu-Gaita was exploring encryption options when a security incident arose at the hospital, proving the need for more security. The hospital chose WinMagic's SecureDoc, a HIPAA-compliant, full-disk encryption solution. Now, even their USB keys are encrypted.

Zaltsman advised paying particular attention to tablet PCs, USB drives and smartphones, which travel beyond hospital walls. "Look at other parts of the network that can be encrypted," he said. "Don't invest money in endpoint solutions that only encrypt one piece of the puzzle; look at a solution that covers all the major areas of where data needs to be secured."

The Right Balance
Systems are typically loaded on the backend, so they're virtually invisible to providers and other authorized users. Still, staff needs to be properly trained on how to deploy the system, Zaltsman said, and that can introduce challenges.

Crivianu-Gaita agreed. "There are many aspects to the security design and implementation, and one of the key aspects sometimes neglected or underestimated is the human factor," she said.

Passwords can undermine a system's effectiveness, especially when users choose codes that are easy to break. "A system that is encrypted with the best and most secure encryption algorithm in the world but has a weak user password clearly does not provide sufficient protection," Crivianu-Gaita explained. "In reality, encrypting a system doesn't make it unbreakable. What it does is make it very difficult for an unauthorized person to get in and access the data."

Organizations also run into problems when the encryption system is installed as a stand-alone endpoint solution, so the individual devices are not connected to central management. Without proper configuration, managers have no means to reset passwords, so users who forget theirs find the airtight security working against them. "If an employee leaves or is fired, they will not be able to access that data ever," Zaltsman added. "It's unrecoverable."

He advised choosing a system that has a centralized console, which lets management access information, view audit logs and reset passwords when necessary.
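The recoverability problem described above (a stand-alone endpoint install leaves no way to reset a forgotten password, while a centrally managed system can) comes down to how the disk key is stored. The following is an added example, not code from the article or from any product it names. It assumes a simplified key-escrow header in which a random disk key is wrapped twice, once under a key derived from the user's password and once under an organization-held recovery key, so that a password reset only rewraps the disk key and never re-encrypts the disk. The XOR-plus-HMAC wrap is a stdlib-only stand-in for a real key-wrap algorithm, and the passwords and recovery key are constructed for the demo. It also illustrates the earlier point about weak passwords: PBKDF2 slows offline guessing, but the user-password wrap is only as strong as the password behind it.

```python
"""Key escrow for full-disk encryption: forgotten passwords need not mean lost data.

Added example; assumptions: a simplified header format and an XOR + HMAC
key wrap used in place of a real key-wrap algorithm such as AES-KW.
"""
import hashlib
import hmac
import os
from typing import Optional

KEY_LEN = 32                # disk key and wrapping keys are 256-bit
SALT_LEN = 16
PBKDF2_ITERATIONS = 100_000  # assumption: tune so one derivation takes ~100 ms


def derive_user_wrapping_key(password: str, salt: bytes) -> bytes:
    """Stretch the user's password into a wrapping key.

    PBKDF2 makes each guess expensive, but it cannot rescue a trivially
    guessable password: this wrap is exactly as strong as the password.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def derive_recovery_wrapping_key(recovery_key: bytes, salt: bytes) -> bytes:
    """Per-disk wrapping key from the organization's recovery key.

    Deriving through HMAC with a fresh salt lets one recovery key cover many
    disks without the same wrapping key ever being used twice.
    """
    return hmac.new(recovery_key, salt, "sha256").digest()


def wrap_key(disk_key: bytes, wrapping_key: bytes) -> bytes:
    """XOR the disk key with a single-use wrapping key, then append an HMAC tag.

    Secure only because every wrapping key is derived from a fresh salt and
    used exactly once; a real product would use AES key wrap here.
    """
    assert len(disk_key) == len(wrapping_key) == KEY_LEN
    ciphertext = bytes(a ^ b for a, b in zip(disk_key, wrapping_key))
    tag = hmac.new(wrapping_key, ciphertext, "sha256").digest()
    return ciphertext + tag


def unwrap_key(blob: bytes, wrapping_key: bytes) -> bytes:
    """Reverse wrap_key; raises if the key is wrong or the blob was altered."""
    ciphertext, tag = blob[:KEY_LEN], blob[KEY_LEN:]
    expected = hmac.new(wrapping_key, ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password/recovery key, or wrapped key corrupted")
    return bytes(a ^ b for a, b in zip(ciphertext, wrapping_key))


class EncryptedDisk:
    """Escrow header for one full-disk-encrypted machine.

    Only wrapped copies of the disk key are kept: one under the user's
    password and, for centrally managed devices, one under the recovery key.
    """

    def __init__(self, password: str, recovery_key: Optional[bytes] = None):
        disk_key = os.urandom(KEY_LEN)   # the key the disk cipher would use
        self.user_salt = os.urandom(SALT_LEN)
        self.user_wrap = wrap_key(disk_key,
                                  derive_user_wrapping_key(password, self.user_salt))
        self.recovery_salt: Optional[bytes] = None
        self.recovery_wrap: Optional[bytes] = None
        if recovery_key is not None:
            self.recovery_salt = os.urandom(SALT_LEN)
            self.recovery_wrap = wrap_key(
                disk_key, derive_recovery_wrapping_key(recovery_key, self.recovery_salt))
        # disk_key goes out of scope here; the header holds only wrapped copies

    def unlock(self, password: str) -> bytes:
        """Return the disk key for the right password; raise ValueError otherwise."""
        return unwrap_key(self.user_wrap,
                          derive_user_wrapping_key(password, self.user_salt))

    def admin_reset_password(self, recovery_key: bytes, new_password: str) -> None:
        """Central-console reset: recover the disk key, rewrap under a new password."""
        if self.recovery_wrap is None or self.recovery_salt is None:
            raise RuntimeError("stand-alone endpoint: no recovery wrap, "
                               "data is unrecoverable without the old password")
        disk_key = unwrap_key(
            self.recovery_wrap,
            derive_recovery_wrapping_key(recovery_key, self.recovery_salt))
        self.user_salt = os.urandom(SALT_LEN)
        self.user_wrap = wrap_key(disk_key,
                                  derive_user_wrapping_key(new_password, self.user_salt))


def password_opens(disk: EncryptedDisk, password: str) -> bool:
    """True if the password unlocks the disk (used for checks below)."""
    try:
        disk.unlock(password)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    ORG_RECOVERY_KEY = bytes(range(KEY_LEN))          # constructed for the demo
    managed = EncryptedDisk("correct horse battery staple", ORG_RECOVERY_KEY)
    managed.admin_reset_password(ORG_RECOVERY_KEY, "new passphrase after reset")
    print("managed disk opens with new password:", password_opens(managed, "new passphrase after reset"))
    lone = EncryptedDisk("forgotten password", recovery_key=None)
    try:
        lone.admin_reset_password(ORG_RECOVERY_KEY, "anything")
    except RuntimeError as exc:
        print("stand-alone disk:", exc)
```

The point of the two wraps is that the disk key itself never changes, so rewrapping it is instantaneous and the user's old password stops working immediately; the recovery key is what a central console holds and what a stand-alone install lacks.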

The Right Price
Installation is relatively inexpensive; encryption systems run as low as $125 per computer, according to Zaltsman. It's a fair price for the security it provides--not just technical, but financial. If a theft or breach occurs and the data is properly encrypted, the organization is not required to report the incident. On the other hand, when data is left unencrypted, the organization must notify the Department of Health and Human Services. The breach could carry fines of up to $1.5 million, plus damage to the facility's reputation for the lapse. Given those risks, "What's $625 to protect five computers, relative to what else [organizations] spend money on?" Zaltsman noted.

Affordability will become even more valuable as business associates--many of whom have limited budgets--look to encrypt. Under the HITECH Act, business associates are now subject to direct HIPAA enforcement, so large medical transcription service organizations and independent consultants alike will be accountable for security.

Those who don't have the tools or staff to monitor encryption can contract with security or consulting firms to manage the system from afar. It's an additional cost, but it saves small offices from hiring additional staff, Zaltsman noted.

Regardless of how an organization encrypts, the key is making it work for everyone involved. "It's known to all IT security professionals that in the battle of security and usability, it's often usability that wins," Crivianu-Gaita said. "So organizations have to carefully balance usability, security, budgets and priorities."

Cheryl McEvoy is an assistant editor with ADVANCE.
