MEDICAL DATA
ENCRYPTION 101
Safely Encrypt Your
Protected Health Information
© 2015 SecurityMetrics
White Paper
MEDICAL DATA ENCRYPTION | 1
INTRODUCTION
If an attacker is able to break into a work device, encryption renders the files on it useless by turning them into an unusable string of indecipherable characters. From a security standpoint, encryption is essential to keep your patients’ protected health information (PHI) safe.
Unencrypted data has been the cause of fines from the HHS in the event of a breach, as in the cases of Blue Cross Blue Shield of Tennessee, Massachusetts Eye and Ear, and Hospice of North Idaho. These breaches resulted in thousands of dollars in fines and the loss of patient trust.
With this danger in mind, HIPAA requires healthcare entities to “implement a method to encrypt and decrypt electronic protected health information” in requirement §164.312(a)(2)(iv). All electronic PHI that is created, stored or transmitted in systems and work devices (e.g., mobile phone, laptop, desktop, flash drive, hard drive, etc.) must be encrypted.
ONLY 63% OF HEALTHCARE ORGANIZATIONS ENCRYPT PHI ON THEIR WORK DEVICES.*
*SecurityMetrics HIPAA Security Rule Report
WHERE IS YOUR DATA?
In order to properly encrypt PHI, you have to understand how medical data flows within your organization, especially where PHI is stored and transmitted. To make sure all necessary data is encrypted, begin with a diagram that documents how your PHI travels throughout your organization.
YOU NEED TO DOCUMENT WHERE PHI ENTERS YOUR ENVIRONMENT, WHAT HAPPENS ONCE PHI ENTERS, AND HOW PHI EXITS.
[Diagram: PHI flow, with the stages ENTRY, ENCRYPTION, TRANSMISSION and STORAGE]
PHI ENTRY
Identify everywhere PHI starts or enters your entity.
By doing so, you know exactly where to start with
your encryption practices.
Consider the following questions about where your electronic PHI enters your environment:
•	Email: How many computers do you have, and who can log on to each computer? What email services are in use?
•	Texts: How many mobile devices do you own, and who uses them?
•	EHR entries: How many staff members do you have entering in data? Who are they? From where do they enter the data?
•	New patient data: How much are patients required to fill out, and where? Front desk? In the examination room?
•	Business associate communications: How do business associates communicate with you?
•	Databases: How do you communicate with patients? What records and data do you enter into your database?
PHI TRANSMISSION
When PHI leaves your organization, it is your job to
ensure it is transmitted or destroyed in the most
secure way possible. Specifically, you and your
business associate are responsible for how your
business associate handles your PHI.
Here are some things to consider when PHI leaves your environment:
•	Business associates: Are you sending through encrypted transmission? Are they? Is data sent to them kept at a minimum?
•	Email: What procedures are in place for how patients receive data?
•	Flash drives: What policies are in place?
•	Trash bins on computers: How often are these cleared out?
PHI STORAGE
You need to know exactly what happens to PHI after it enters your environment. Is it automatically stored in your EHR/EMR system? Is it copied and transferred directly to a specific department (e.g., accounting, marketing)?
Additionally, you must record all hardware, software, devices,
systems, and data storage locations that can access PHI. PHI is
commonly stored in the following places:
•	 EHR/EMR systems
•	 Mobile devices
•	 Email
•	 Servers
•	 Workstations
•	 Wireless (networked) medical devices
•	 Laptops
•	 Computers
•	 Calendar software
•	 Operating systems
•	 Applications
•	 Encryption software
Once you have documented these processes, identify the gaps in your security and environment (places where PHI sits or travels unencrypted), and then properly encrypt all PHI.
AN AUDITOR’S PERSPECTIVE
ENCRYPTION–THE REQUIRED
ADDRESSABLE
Even though the HIPAA regulations indicate that
encryption is an addressable item, the HHS has
made it very clear it’s viewed as required.
Let me tell you what doesn’t count as encryption. I
have run into several healthcare professionals who
showed me their spreadsheets of PHI saying, “See,
I encrypt it when I make the cell smaller and the
numbers change to ‘###’.” Just to be clear, this is
not encryption.
Three common data handling processes that are
often confused: masking, hashing, and encrypting.
Let me break them down for you:
•	Masking is hiding part of the data from view. It is still there in clear text, you just can’t see all of it on the screen. You use this to hide parts of the patient information not needed by a specific workforce member.
•	Hashing is running the data through a mathematic algorithm to change it into something indecipherable. You cannot undo a hashed value to get back to the original data. Generally, healthcare doesn’t hash PHI.
•	Encrypting is similar to hashing because data is run through a mathematic algorithm; however, you use an encryption key that has a paired decrypting key. This way the data is safely stored and the only way to see the data is by using the decryption key to unlock it. The strongest, most common encryption algorithm is AES-256. Whenever implementing encryption, always use the strongest algorithm your system can handle. Remember that many older algorithms are not acceptable (e.g., rc4, DES).

Anywhere PHI is stored you should have encryption enabled so the data requires a decryption key to view it. Most computer systems can automatically handle encryption if they are properly configured.

The National Institute of Standards and Technology (NIST) identifies and judges encryption processes used for sent information, meaning healthcare organizations must comply with NIST Special Publications 800-52, 800-77, 800-113, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.
Due to the complexity of encryption rules, healthcare organizations often use third parties to ensure encryption of PHI, partly because organizations are required to keep the tools for decryption on another device or location.
–Brand Barney
Security Analyst | HCISPP | CISSP | QSA
ENCRYPTING MOBILE DEVICES
Most mobile encryption is not as secure and reliable as the encryption available on other work devices, because most mobile devices themselves aren’t equipped with the most secure encryption.
Mobile technology is only as secure as a device’s
passcode. For example, Apple’s Data Protection
API only encrypts the built-in mail application on
iPhones and iPads, and only after you enable a
passcode. Encryption does not apply to calendars,
contacts, texts, or anything synchronized with
iCloud. Some third party applications that use
Apple’s Data Protection API are also encrypted, but
this is rare.
Although encryption on mobile devices alone is not adequate to meet HIPAA best practice recommendations, there are still other options for further securing a mobile device. Security best practice is to develop and implement appropriate mobile security policies such as:
•	 Mobile password length requirements
•	 Procedure to enable available mobile
encryption on all devices
•	 PHI storage and access procedures
•	 Stolen/lost device procedures
•	 Bring your own device (BYOD) procedures
•	 Noncompliance accountability
MOBILE DEVICES REQUIRE THE SAME
RESTRICTIONS AND ENCRYPTION
PROCESSES AS OTHER WORK DEVICES
LIKE DESKTOP OR LAPTOP COMPUTERS.
ENCRYPTING EMAIL MESSAGES
According to the HHS Breach Portal, over 100 organizations since 2009 have had PHI stolen because of inadequate email encryption. Healthcare organizations must “implement a mechanism to encrypt electronic protected health information whenever deemed appropriate” in requirement §164.312(e)(2)(ii), such as when sending unencrypted PHI in unprotected email services (e.g., Gmail, Outlook, AOL, etc.).
Organizations can send PHI via email, if it is secure and encrypted. According to the HHS, “the Security rule does not expressly prohibit the use of email for sending ePHI. However, the standards for access control, integrity and transmission security require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to ePHI.”
Due to the nature of email and the struggles to properly secure it
through encryption, consider avoiding the transmission of PHI via
email whenever possible.
The use of patient portals is preferred for sending information
to patients, and secure file transfer options are preferred for
covered entity to covered entity or covered entity to business
associate communications.
If you are determined to use an Internet-based email service (e.g., Gmail, Hotmail, AOL), ensure the service signs a Business Associate Agreement (BAA) with you. Understand that a BAA doesn’t reduce liability. The Omnibus Rule states the covered entity is still ultimately responsible for protecting that patient data and ensuring the business associate does their part.
HOW VULNERABLE IS
YOUR PATIENT DATA?
Join over 800,000 organizations and let
SecurityMetrics protect your patient data.
CONSULTING@SECURITYMETRICS.COM
801.705.5656
CONCLUSION
Encryption is vital to protect your patients’ data. You need to make sure that you adequately map out where PHI enters your environment, what happens once PHI enters (and where it is stored), and how it exits your environment or organization. Although HIPAA regulations don’t specify the necessary encryption, industry best practice would be to use AES-128, Triple DES, AES-256, or better.

Auditing Archives: The Case of the Overly Helpful Front Desk Clerk
 
The Case of the Suspiciously Flawless Investigation
The Case of the Suspiciously Flawless InvestigationThe Case of the Suspiciously Flawless Investigation
The Case of the Suspiciously Flawless Investigation
 
The Case of the Mistaken Malware
The Case of the Mistaken MalwareThe Case of the Mistaken Malware
The Case of the Mistaken Malware
 
The Case of the Stockpiled Credit Cards
The Case of the Stockpiled Credit CardsThe Case of the Stockpiled Credit Cards
The Case of the Stockpiled Credit Cards
 
What Does the End of Windows XP Mean For Businesses?
What Does the End of Windows XP Mean For Businesses?What Does the End of Windows XP Mean For Businesses?
What Does the End of Windows XP Mean For Businesses?
 
How Ethical Hacking is Healthy for Business
How Ethical Hacking is Healthy for BusinessHow Ethical Hacking is Healthy for Business
How Ethical Hacking is Healthy for Business
 
Mobile Processing: The Perfect Storm for Data Compromise
Mobile Processing: The Perfect Storm for Data CompromiseMobile Processing: The Perfect Storm for Data Compromise
Mobile Processing: The Perfect Storm for Data Compromise
 
Why Breach Protection Isn't Optional Anymore
Why Breach Protection Isn't Optional AnymoreWhy Breach Protection Isn't Optional Anymore
Why Breach Protection Isn't Optional Anymore
 

Recently uploaded

EN_Chinese-Automotive-in-SEA-Vero-White-Paper_2023.pdf
EN_Chinese-Automotive-in-SEA-Vero-White-Paper_2023.pdfEN_Chinese-Automotive-in-SEA-Vero-White-Paper_2023.pdf
EN_Chinese-Automotive-in-SEA-Vero-White-Paper_2023.pdf
ivanparu86
 
Solution manual for canadian income taxation 20222023 25th edition by william...
Solution manual for canadian income taxation 20222023 25th edition by william...Solution manual for canadian income taxation 20222023 25th edition by william...
Solution manual for canadian income taxation 20222023 25th edition by william...
stanslausnzuki569
 
Chief Compliance Officer Leadership Vision 2024 Report
Chief Compliance Officer Leadership Vision 2024 ReportChief Compliance Officer Leadership Vision 2024 Report
Chief Compliance Officer Leadership Vision 2024 Report
Compliance Vision
 
The-Three-Pillars-of-Doctoral-Research-What-Why-and-How (1).pptx
The-Three-Pillars-of-Doctoral-Research-What-Why-and-How (1).pptxThe-Three-Pillars-of-Doctoral-Research-What-Why-and-How (1).pptx
The-Three-Pillars-of-Doctoral-Research-What-Why-and-How (1).pptx
Jindal Global University, Sonipat Haryana 131001
 
Path to the next normal collection McKinsey
Path to the next normal collection McKinseyPath to the next normal collection McKinsey
Path to the next normal collection McKinsey
MajIman2
 
Floating Pontoon | Premier marine solution
Floating Pontoon | Premier marine solutionFloating Pontoon | Premier marine solution
Floating Pontoon | Premier marine solution
PMSME
 
How to use lace front wig importance and
How to use lace front wig importance andHow to use lace front wig importance and
How to use lace front wig importance and
kaporej505
 
DPI Playbook for MOSIP MIS framework India
DPI Playbook for MOSIP MIS framework IndiaDPI Playbook for MOSIP MIS framework India
DPI Playbook for MOSIP MIS framework India
Zaheer Parvez
 
Restaurant Chiraz Sindbad Hotel Hammamet
Restaurant Chiraz Sindbad Hotel HammametRestaurant Chiraz Sindbad Hotel Hammamet
Restaurant Chiraz Sindbad Hotel Hammamet
rihabkorbi24
 
Gym business MODEL .pdf .
Gym business MODEL .pdf                 .Gym business MODEL .pdf                 .
Gym business MODEL .pdf .
Divyanshu56740
 
The Importance of Public Relations for New Graduates.pdf
The Importance of Public Relations for New Graduates.pdfThe Importance of Public Relations for New Graduates.pdf
The Importance of Public Relations for New Graduates.pdf
Posh Concepts
 
High Girls Call Nashik 000XX00000 Provide Best And Top Girl Service And No1 i...
High Girls Call Nashik 000XX00000 Provide Best And Top Girl Service And No1 i...High Girls Call Nashik 000XX00000 Provide Best And Top Girl Service And No1 i...
High Girls Call Nashik 000XX00000 Provide Best And Top Girl Service And No1 i...
susmagarg02
 
India's 5 Most Promising E-Mobility Companies 2024.pdf
India's 5 Most Promising E-Mobility Companies  2024.pdfIndia's 5 Most Promising E-Mobility Companies  2024.pdf
India's 5 Most Promising E-Mobility Companies 2024.pdf
insightssuccess2
 
Busty Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Servi...
Busty Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Servi...Busty Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Servi...
Busty Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Servi...
bellared2
 
upGrad_Case_Study_by_Himanshu_Singh.pptx
upGrad_Case_Study_by_Himanshu_Singh.pptxupGrad_Case_Study_by_Himanshu_Singh.pptx
upGrad_Case_Study_by_Himanshu_Singh.pptx
himanshubclubofgsv
 
HiFi Girls Call Surat 000XX00000 Provide Best And Top Girl Service And No1 in...
HiFi Girls Call Surat 000XX00000 Provide Best And Top Girl Service And No1 in...HiFi Girls Call Surat 000XX00000 Provide Best And Top Girl Service And No1 in...
HiFi Girls Call Surat 000XX00000 Provide Best And Top Girl Service And No1 in...
pranjalgarg474
 
Mid America Trucking Show Exhibitor List 2024 - Exhibitors Data
Mid America Trucking Show Exhibitor List 2024 - Exhibitors DataMid America Trucking Show Exhibitor List 2024 - Exhibitors Data
Mid America Trucking Show Exhibitor List 2024 - Exhibitors Data
Exhibitors Data
 
Virtual Production Tool Set and Technologies Redefining Cinema.pdf
Virtual Production Tool Set and Technologies Redefining Cinema.pdfVirtual Production Tool Set and Technologies Redefining Cinema.pdf
Virtual Production Tool Set and Technologies Redefining Cinema.pdf
virtualproduction38
 
20240716_ TJ Communications Credentials.pdf
20240716_ TJ Communications Credentials.pdf20240716_ TJ Communications Credentials.pdf
20240716_ TJ Communications Credentials.pdf
tjcomstrang
 

Recently uploaded (20)

EN_Chinese-Automotive-in-SEA-Vero-White-Paper_2023.pdf
EN_Chinese-Automotive-in-SEA-Vero-White-Paper_2023.pdfEN_Chinese-Automotive-in-SEA-Vero-White-Paper_2023.pdf
EN_Chinese-Automotive-in-SEA-Vero-White-Paper_2023.pdf
 
Solution manual for canadian income taxation 20222023 25th edition by william...
Solution manual for canadian income taxation 20222023 25th edition by william...Solution manual for canadian income taxation 20222023 25th edition by william...
Solution manual for canadian income taxation 20222023 25th edition by william...
 
Chief Compliance Officer Leadership Vision 2024 Report
Chief Compliance Officer Leadership Vision 2024 ReportChief Compliance Officer Leadership Vision 2024 Report
Chief Compliance Officer Leadership Vision 2024 Report
 
DEMO_Aboveground Storage Tank Inspection.pdf
DEMO_Aboveground Storage Tank Inspection.pdfDEMO_Aboveground Storage Tank Inspection.pdf
DEMO_Aboveground Storage Tank Inspection.pdf
 
The-Three-Pillars-of-Doctoral-Research-What-Why-and-How (1).pptx
The-Three-Pillars-of-Doctoral-Research-What-Why-and-How (1).pptxThe-Three-Pillars-of-Doctoral-Research-What-Why-and-How (1).pptx
The-Three-Pillars-of-Doctoral-Research-What-Why-and-How (1).pptx
 
Path to the next normal collection McKinsey
Path to the next normal collection McKinseyPath to the next normal collection McKinsey
Path to the next normal collection McKinsey
 
Floating Pontoon | Premier marine solution
Floating Pontoon | Premier marine solutionFloating Pontoon | Premier marine solution
Floating Pontoon | Premier marine solution
 
How to use lace front wig importance and
How to use lace front wig importance andHow to use lace front wig importance and
How to use lace front wig importance and
 
DPI Playbook for MOSIP MIS framework India
DPI Playbook for MOSIP MIS framework IndiaDPI Playbook for MOSIP MIS framework India
DPI Playbook for MOSIP MIS framework India
 
Restaurant Chiraz Sindbad Hotel Hammamet
Restaurant Chiraz Sindbad Hotel HammametRestaurant Chiraz Sindbad Hotel Hammamet
Restaurant Chiraz Sindbad Hotel Hammamet
 
Gym business MODEL .pdf .
Gym business MODEL .pdf                 .Gym business MODEL .pdf                 .
Gym business MODEL .pdf .
 
The Importance of Public Relations for New Graduates.pdf
The Importance of Public Relations for New Graduates.pdfThe Importance of Public Relations for New Graduates.pdf
The Importance of Public Relations for New Graduates.pdf
 
High Girls Call Nashik 000XX00000 Provide Best And Top Girl Service And No1 i...
High Girls Call Nashik 000XX00000 Provide Best And Top Girl Service And No1 i...High Girls Call Nashik 000XX00000 Provide Best And Top Girl Service And No1 i...
High Girls Call Nashik 000XX00000 Provide Best And Top Girl Service And No1 i...
 
India's 5 Most Promising E-Mobility Companies 2024.pdf
India's 5 Most Promising E-Mobility Companies  2024.pdfIndia's 5 Most Promising E-Mobility Companies  2024.pdf
India's 5 Most Promising E-Mobility Companies 2024.pdf
 
Busty Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Servi...
Busty Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Servi...Busty Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Servi...
Busty Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Servi...
 
upGrad_Case_Study_by_Himanshu_Singh.pptx
upGrad_Case_Study_by_Himanshu_Singh.pptxupGrad_Case_Study_by_Himanshu_Singh.pptx
upGrad_Case_Study_by_Himanshu_Singh.pptx
 
HiFi Girls Call Surat 000XX00000 Provide Best And Top Girl Service And No1 in...
HiFi Girls Call Surat 000XX00000 Provide Best And Top Girl Service And No1 in...HiFi Girls Call Surat 000XX00000 Provide Best And Top Girl Service And No1 in...
HiFi Girls Call Surat 000XX00000 Provide Best And Top Girl Service And No1 in...
 
Mid America Trucking Show Exhibitor List 2024 - Exhibitors Data
Mid America Trucking Show Exhibitor List 2024 - Exhibitors DataMid America Trucking Show Exhibitor List 2024 - Exhibitors Data
Mid America Trucking Show Exhibitor List 2024 - Exhibitors Data
 
Virtual Production Tool Set and Technologies Redefining Cinema.pdf
Virtual Production Tool Set and Technologies Redefining Cinema.pdfVirtual Production Tool Set and Technologies Redefining Cinema.pdf
Virtual Production Tool Set and Technologies Redefining Cinema.pdf
 
20240716_ TJ Communications Credentials.pdf
20240716_ TJ Communications Credentials.pdf20240716_ TJ Communications Credentials.pdf
20240716_ TJ Communications Credentials.pdf
 

Medical Data Encryption 101

PHI ENTRY

Identify everywhere PHI starts or enters your entity. By doing so, you know exactly where to start with your encryption practices.

Consider the following questions about where your electronic PHI enters your environment:

• Email: How many computers do you have, and who can log on to each computer? What email services are in use?
• Texts: How many mobile devices do you own, and who uses them?
• EHR entries: How many staff members do you have entering in data? Who are they? From where do they enter the data?
• New patient data: How much are patients required to fill out, and where? Front desk? In the examination room?
• Business associate communications: How do business associates communicate with you?
• Databases: How do you communicate with patients? What records and data do you enter into your database?

PHI TRANSMISSION

When PHI leaves your organization, it is your job to ensure it is transmitted or destroyed in the most secure way possible. Specifically, you and your business associate are responsible for how your business associate handles your PHI.

Here are some things to consider when PHI leaves your environment:

• Business associates: Are you sending through encrypted transmission? Are they? Is data sent to them kept at a minimum?
• Email: What procedures are in place for how patients receive data?
• Flash drives: What policies are in place?
• Trash bins on computers: How often are these cleared out?

PHI STORAGE

You need to know exactly what happens to PHI after it enters your environment. Is it automatically stored in your EHR/EMR system? Is it copied and transferred directly to a specific department (e.g., accounting, marketing)?

Additionally, you must record all hardware, software, devices, systems, and data storage locations that can access PHI. PHI is commonly stored in the following places:

• EHR/EMR systems
• Mobile devices
• Email
• Servers
• Workstations
• Wireless (networked) medical devices
• Laptops
• Computers
• Calendar software
• Operating systems
• Applications
• Encryption software

After knowing these processes, you should find gaps in your security and environment, and then properly encrypt all PHI.

AN AUDITOR’S PERSPECTIVE
ENCRYPTION – THE REQUIRED ADDRESSABLE

Even though the HIPAA regulations indicate that encryption is an addressable item, the HHS has made it very clear it’s viewed as required.

Let me tell you what doesn’t count as encryption. I have run into several healthcare professionals who showed me their spreadsheets of PHI saying, “See, I encrypt it when I make the cell smaller and the numbers change to ‘###’.” Just to be clear, this is not encryption.

Three common data handling processes that are often confused: masking, hashing, and encrypting. Let me break them down for you:

• Masking is hiding part of the data from view. It is still there in clear text; you just can’t see all of it on the screen. You use this to hide parts of the patient information not needed by a specific workforce member.
• Hashing is running the data through a mathematic algorithm to change it into something indecipherable. You cannot undo a hashed value to get back to the original data. Generally, healthcare doesn’t hash PHI.
• Encrypting is similar to hashing because data is run through a mathematic algorithm; however, you use an encryption key that has a paired decrypting key. This way the data is safely stored and the only way to see the data is by using the decryption key to unlock it. The strongest, most common encryption algorithm is AES-256. Whenever implementing encryption, always use the strongest algorithm your system can handle. Remember that many older algorithms are not acceptable (e.g., rc4, DES).

Anywhere PHI is stored you should have encryption enabled so the data requires a decryption key to view it. Most computer systems can automatically handle encryption if they are properly configured.

The National Institute of Standards and Technology (NIST) identifies and judges encryption processes used for sent information, meaning healthcare organizations must comply with NIST Special Publications 800-52, 800-77, 800-113, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.

Due to the complexity of encryption rules, healthcare organizations often use third parties to ensure encryption of PHI, partly because organizations are required to keep the tools for decryption on another device or location.

– Brand Barney
Security Analyst | HCISPP | CISSP | QSA
ENCRYPTING MOBILE DEVICES

Most mobile encryption services are not as secure and reliable as other devices because most mobile devices themselves aren’t equipped with the most secure encryption. Mobile technology is only as secure as a device’s passcode. For example, Apple’s Data Protection API only encrypts the built-in mail application on iPhones and iPads, and only after you enable a passcode. Encryption does not apply to calendars, contacts, texts, or anything synchronized with iCloud. Some third party applications that use Apple’s Data Protection API are also encrypted, but this is rare.

Although encryption on mobile devices would not be adequate to meet HIPAA best practice recommendations, there are still other options for further securing a mobile device. Security best practice is to develop and implement appropriate mobile security policies such as:

• Mobile password length requirements
• Procedure to enable available mobile encryption on all devices
• PHI storage and access procedures
• Stolen/lost device procedures
• Bring your own device (BYOD) procedures
• Noncompliance accountability

MOBILE DEVICES REQUIRE THE SAME RESTRICTIONS AND ENCRYPTION PROCESSES AS OTHER WORK DEVICES LIKE DESKTOP OR LAPTOP COMPUTERS.

ENCRYPTING EMAIL MESSAGES

According to the HHS Breach Portal, over 100 organizations since 2009 have had PHI stolen because of inadequate email encryption. Healthcare organizations must “implement a mechanism to encrypt electronic protected health information whenever deemed appropriate” in requirement §164.312(e)(2)(ii), such as when sending unencrypted PHI in unprotected email services (e.g., Gmail, Outlook, AOL, etc.).

Organizations can send PHI via email, if it is secure and encrypted. According to the HHS, “the Security rule does not expressly prohibit the use of email for sending ePHI. However, the standards for access control, integrity and transmission security require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to ePHI.”

Due to the nature of email and the struggles to properly secure it through encryption, consider avoiding the transmission of PHI via email whenever possible. The use of patient portals is preferred for sending information to patients, and secure file transfer options are preferred for covered entity to covered entity or covered entity to business associate communications.

If you are determined to use an Internet-based email service (e.g., Gmail, Hotmail, AOL), ensure the service signs a Business Associate Agreement (BAA) with you. Understand that a BAA doesn’t reduce liability. The Omnibus Rule states the covered entity is still ultimately responsible for protecting that patient data and ensuring the business associate does their part.

HOW VULNERABLE IS YOUR PATIENT DATA?

Join over 800,000 organizations and let SecurityMetrics protect your patient data.
CONSULTING@SECURITYMETRICS.COM
801.705.5656

CONCLUSION

Encryption is vital to protect your patients’ data. You need to make sure that you adequately map out where PHI enters your environment, what happens once PHI enters (and where it is stored), and how it exits your environment or organization. Although HIPAA regulations don’t specify the necessary encryption, industry best practice would be to use AES-128, Triple DES, AES-256, or better.