2. Data Encryption
• Would you ever buy an SUV without locks? Or leave the keys in the ignition while you’re grocery shopping?
• Would you be happy to deposit your hard-earned money in a bank with no security protocol, so that anybody can walk in and get away with all the money stored inside?
• The likely answer to all three questions is no
• Why do we have such checks in place?
• They’re there to prevent the Jesse Jameses and John Dillingers of modern times from trying to steal what isn’t theirs.
3. Data Encryption
• Your practice is the bank, personal health information (PHI) is the deposits, and data encryption is what must be done to ensure that the deposits are safe
• Organized criminal groups are aware of the potential value of PHI, which includes your patients’ insurance information, social security and credit card numbers
• That is why they are devising more and more ways to access this information
4. Data Encryption
• However, recent data on PHI theft suggests that most breaches are not caused by someone hacking into practices but by physician or practice negligence
• The scenario generally arises when someone at a practice copies EMR data onto a portable device (usually not encrypted), intending to work from home, and then the device gets stolen
• Or, in certain cases, data stored on an on-premise server or an in-house computer with the decryption key saved on the same computer can end up in the wrong hands
5. Data Encryption
• A late 2011 HIMSS survey of 329 healthcare organizations revealed that only 44 percent of respondents encrypt their mobile devices
• Only 29 percent said that all of their data on laptops is encrypted, while 42 percent said none of their desktop data is encrypted
• About one in four respondents (23 percent) said none of their e-mail is encrypted
• Such negligence on a practice’s part can be extremely harmful to the patients concerned and to the financial system as a whole
6. Data Encryption
• For the practice itself, such a breach not only causes reputational damage but also makes you liable for heavy fines and penalties from the government
• Ready to take encryption and data protection seriously? Here’s how to beef up security and stay HIPAA compliant:
7. Encryption 101
• Encryption is the conversion of data into a form, often called ciphertext, which cannot be understood by another party — man or machine — without being decrypted first
• There are many types of encryption available that offer different levels of protection
• With public key encryption, all of your staff members with access to a specific key code will be able to decrypt the information
• Additionally, the provider and everyone else with access to the key will be able to identify the recipient
8. Encryption 101
• However, if you want the information to remain more exclusive and want only specific users, for example only physicians, physician assistants and nurses, to access it, you can choose private key encryption
• With encryption, even if someone has gained access to sensitive information stored at your practice, they cannot make sense of it unless it has been decrypted using the respective keys
• However, you will need an encryption specialist to implement such a system at your practice
9. Dealing with portable devices
• With checks present in most Electronic Medical Records (EMR) systems, the breach of information usually takes place when someone from the practice copies the data onto portable USB devices, e-mail attachments and other avenues that generally lack encryption
• If such a device is misplaced or gets stolen, the level of vulnerability increases
• A possible solution for such problems is ensuring central control of all portable medical devices holding information regarding your practice
10. Dealing with portable devices
• Using such a system, the encryption status of all these devices could be monitored, and it could also act as a medium for data safety verification (if any of the devices were stolen)
• Another recommendation for handling portable devices is built-in remote wiping functionality
• Using such a system, you would be able to erase all the content from the devices of specific users
11. Sending E-mails
• Regular e-mail should not be used as a medium to transfer PHI, as many practices have been grilled for sending unencrypted e-mails with sensitive patient information
• When interacting with patients or other parties, make sure that the mails are encrypted. Start using patient portals; they are the safest mode of transferring PHI
12. Monitoring Audit Trails
• Audit trails in your EHR are not only a way of keeping track of a patient’s clinical encounters but also a way to monitor your staff’s behavior
• You can view who has accessed a patient’s information and at what time
• Any abnormal activity can easily be detected and the person concerned taken to task, to ensure that your staff takes PHI safety seriously
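As an added example (not part of the original slides), a small Python script that runs the two checks this slide describes over a constructed EHR audit trail: who accessed a given patient’s record and when, and which accesses look abnormal (outside business hours, or one user opening unusually many distinct patient records in a day). The log format, business hours and volume threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of EHR audit-trail records (not from any real system):
# timestamp, user, patient_id, action
SAMPLE_AUDIT_LOG = """\
2024-03-04T09:12:03,dr_smith,P1001,VIEW
2024-03-04T09:15:41,nurse_lee,P1001,VIEW
2024-03-04T10:02:17,dr_smith,P1002,UPDATE
2024-03-04T23:48:55,clerk_jones,P1003,VIEW
2024-03-04T23:49:10,clerk_jones,P1004,VIEW
2024-03-04T23:49:31,clerk_jones,P1005,VIEW
2024-03-04T23:50:02,clerk_jones,P1006,VIEW
2024-03-04T23:50:40,clerk_jones,P1007,VIEW
2024-03-05T08:30:12,nurse_lee,P1002,VIEW
"""

BUSINESS_HOURS = (7, 19)    # assumed: 07:00 to 19:00 local time
MAX_PATIENTS_PER_USER = 4   # assumed: distinct records one user may open per day


def parse_audit_log(text):
    """Parse the CSV-style audit lines into dicts with a datetime timestamp."""
    records = []
    for line in text.strip().splitlines():
        ts, user, patient, action = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "action": action})
    return records


def who_accessed(records, patient_id):
    """Answer the slide's question: who touched this patient's record, and when."""
    return [(r["user"], r["ts"].isoformat(), r["action"])
            for r in records if r["patient"] == patient_id]


def find_abnormal_access(records):
    """Return (rule, user, detail) findings for after-hours and high-volume access."""
    findings = []
    per_user_day = defaultdict(set)   # (user, date) -> distinct patient ids
    for r in records:
        hour = r["ts"].hour
        if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
            findings.append(("after_hours", r["user"],
                             f"{r['patient']} at {r['ts'].isoformat()}"))
        per_user_day[(r["user"], r["ts"].date())].add(r["patient"])
    for (user, day), patients in per_user_day.items():
        if len(patients) > MAX_PATIENTS_PER_USER:
            findings.append(("volume", user, f"{len(patients)} distinct patients on {day}"))
    return findings
```

On the sample log, the clerk’s five late-night views trigger both rules; a real deployment would tune the hours and threshold per role.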
13. The best policy?
• If you’re not sure about a certain security-related situation, contact your firewall or encryption vendor to help you readily solve the problem
• Do not risk exposing yourself due to a lack of information or understanding about a communication medium
• Also be aware that HIPAA security compliance is like a clinical encounter: if it’s not documented, then it didn’t happen
• Therefore, document everything and make it part of a security manual
14. Read more on blog.curemd.com
• To read more on this topic, visit:
• http://blog.curemd.com/small-actions-with-big-consequences-data-encryption-a-must-do-for-medical-practices/