The health care industry has seen more HIPAA settlements in 2016, typically in seven figures, than in any previous year. The industry has also experienced very significant cyberattacks. Cyberattacks are a healthcare epidemic with over 100 million healthcare records already compromised.
High Business Risk
Earlier this year, the industry saw the first settlement of a data breach class-action lawsuit that cost the entity up to $28 million. The information — 31,800 patient records — was not encrypted, and not appropriately secured. Risk assessment and risk management were not done appropriately. The payout was $242 to each impacted patient. And on October 18, 2016, this same entity was fined $2.14 million for having a lack of appropriate security safeguards. The signature on the HIPAA settlement agreement with the Office for Civil Rights (OCR), the entity responsible for enforcing HIPAA, is that of the CEO of the entity fined. Cybersecurity must be a health care CEO priority in 2016 and beyond.
What are the HIPAA & HITECH Encryption Mandates?
The HIPAA Security Rule includes two addressable implementation specifications related to encryption.
1. Encryption & Decryption (A = addressable), §164.312(a)(2)(iv) (Access Control Standard): Implement a mechanism to encrypt and decrypt Protected Health Information (PHI).
2. Encryption (A = addressable), §164.312(e)(2)(ii) (Transmission Security Standard): Implement a mechanism to encrypt Electronic Protected Health Information (EPHI) whenever deemed appropriate.
The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI.
Unsecured PHI essentially refers to PHI that has not been encrypted. If a healthcare asset, such as a database server, information on a mobile device or data in the cloud, is breached but the information was appropriately encrypted, the organization is not required to report the breach. This is not an insignificant reduction in risk to the business.
Get Started With an Enterprise Encryption Policy
Every healthcare organization must develop an enterprise encryption policy that establishes the foundation for a disciplined implementation across several potential attack surfaces. The encryption policy should address requirements for encryption algorithm and key bit strength. The data at rest and data in motion areas that need to be reviewed for credible implementation of encryption capabilities across the enterprise include:
• Database servers
• PII/EPHI on cloud provider systems
• Backup media
• Multifunctional printers/copiers
• USB devices
• Text messages
• Remote access
Further, such policy must clearly state the scope to apply to all assets, including systems, networks and applications, as well as all facilities (including cloud providers), which process, store, transmit, or maintain sensitive information.
An example of actual language in an encryption policy for a health care entity to address transmission of data across open, public networks or the wireless infrastructure, may include:
• All encryption mechanisms implemented to comply with this policy must support a minimum of, but not limited to, 128-bit encryption.
• When transmitting EPHI electronically, regardless of the transmission system being used, users must take reasonable precautions to ensure that the receiving party is who they claim to be and has a legitimate need for the information requested.
• If the EPHI being transmitted is not to be used for treatment, payment or health care operations, only the minimum required amount of PHI should be transmitted.
Regulatory mandates such as HIPAA and HITECH, as well as state breach notification requirements, raise the priority for organizations to implement encryption capabilities across personally identifiable information (PII) at rest and PII in motion (transmission). Ensure your organization has standardized on a vendor/product solution to encrypt mobile devices such as laptops and tablets, and deployed a Mobile Device Management (MDM) solution for smartphones.
For desktops, entities are increasingly looking at thin clients to eliminate the risk of PII on desktops. Backup media must be encrypted as well. Finally, ensure that databases and applications are closely reviewed so that any associated PII is encrypted – the standard typically implemented is the Advanced Encryption Standard (AES) with a minimum key strength of 128 bits, preferably 256 bits.
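As an added illustration of the field-level encryption the policy calls for (example code written for this article, not from ecfirst or any product the article mentions), the Go program below seals a single PHI column value with AES-256-GCM, refuses keys below the 128-bit policy floor, and binds each ciphertext to its record and column via associated data so a value cannot be silently moved to another row. The constant names, the `patient:…` context string and the sample record are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Policy floor and preferred key strength as quoted in the text
// (constant names are assumptions for this example).
const (
	PolicyMinKeyBits       = 128
	PolicyPreferredKeyBits = 256
)

// KeyMeetsPolicy reports whether the key satisfies the 128-bit policy minimum.
func KeyMeetsPolicy(key []byte) bool {
	return len(key)*8 >= PolicyMinKeyBits
}

// EncryptField seals one PHI value with AES-GCM. aad (e.g. "patient:<id>:<column>")
// is authenticated but not encrypted, so the ciphertext only opens in its own context.
// Output layout: nonce || ciphertext || GCM tag.
func EncryptField(key, plaintext, aad []byte) ([]byte, error) {
	if !KeyMeetsPolicy(key) {
		return nil, fmt.Errorf("key is %d bits; policy minimum is %d", len(key)*8, PolicyMinKeyBits)
	}
	block, err := aes.NewCipher(key) // accepts 16, 24 or 32-byte keys
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { // fresh random nonce per value
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptField reverses EncryptField; any tampering or context mismatch fails authentication.
func DecryptField(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed value too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key := make([]byte, PolicyPreferredKeyBits/8) // in production: from a KMS/HSM, never hard-coded
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	aad := []byte("patient:1234:ssn") // constructed record/column context
	sealed, err := EncryptField(key, []byte("123-45-6789"), aad) // constructed sample value
	if err != nil {
		panic(err)
	}
	plain, err := DecryptField(key, sealed, aad)
	fmt.Printf("round trip ok: %v (%s)\n", err == nil, plain)
	_, err = DecryptField(key, sealed, []byte("patient:9999:ssn"))
	fmt.Printf("moved to another row rejected: %v\n", err != nil)
}
```

The key itself is the part the policy must govern most carefully: it should come from a key management service or HSM, be rotated on a schedule, and never sit beside the ciphertext in the same database or backup.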
So as you look to your cybersecurity priorities for 2017, three words should guide your action: encrypt, encrypt and — yes — encrypt!
This article originally appeared in the November 2016 issue of Workflow.
Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), Security+, is chief executive of ecfirst, a Konica Minolta HIPAA Consulting Partner.